2b6e0e19053485b5ee0b0f7e5cd2deb383d71d8dd38ff91464d906ccf28eb74e

Resubmissions

28-11-2024 14:20

241128-rnfgwszndw 8

28-11-2024 14:18

241128-rmdxnswjgp 3

Analysis

max time kernel
227s
max time network
229s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
28-11-2024 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26d76f5d90188a9461bed041e372975875208394e16963a26b8404e240cfa5ac.exe
Size

111KB
MD5

4ed926df707a900c5a186a98b8d57661
SHA1

88886952440bbd9aae13c9c0c7ac2918fd204503
SHA256

26d76f5d90188a9461bed041e372975875208394e16963a26b8404e240cfa5ac
SHA512

b6deb3a26148b23fcbe2f7fbff10c4b24889633d60a3e5f0e869199e2a90d6215e6e5e99a4e43b849386ad2e99634bf240aceb9d809492f4f3137a1d3274f242
SSDEEP

1536:1+ReV/YEphjIdA5/huIMaAfaFVk69IJ88hvAqL/a4tCTXFL9G+K/aa3sZLP:ZRnR0adCvAqL/a4tiLw7Z3

Score

8^/10

microsoft defense_evasion discovery persistence phishing

Malware Config

Signatures

Downloads MZ/PE file
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing

Executes dropped EXE 3 IoCs

pid	Process
1964	Msvbvm50.exe
4756	REGTLIB.EXE
3472	VisualBasic6-KB896559-v1-ENU.exe

Loads dropped DLL 6 IoCs

pid	Process
1964	Msvbvm50.exe
1964	Msvbvm50.exe
1964	Msvbvm50.exe
2800	26d76f5d90188a9461bed041e372975875208394e16963a26b8404e240cfa5ac.exe
3472	VisualBasic6-KB896559-v1-ENU.exe
3932	26d76f5d90188a9461bed041e372975875208394e16963a26b8404e240cfa5ac.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Msvbvm50.exe

Detected potential entity reuse from brand MICROSOFT.
phishing microsoft

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SETB7C0.tmp	Msvbvm50.exe
File created	C:\Windows\SysWOW64\SETB7C0.tmp	Msvbvm50.exe
File created	C:\Windows\SysWOW64\SETA8F3.tmp	VisualBasic6-KB896559-v1-ENU.exe
File created	C:\Windows\SysWOW64\SETB79E.tmp	Msvbvm50.exe
File created	C:\Windows\SysWOW64\SETB7AF.tmp	Msvbvm50.exe
File created	C:\Windows\SysWOW64\SETB7B0.tmp	Msvbvm50.exe
File opened for modification	C:\Windows\SysWOW64\SETB7D1.tmp	Msvbvm50.exe
File opened for modification	C:\Windows\SysWOW64\SETA8F3.tmp	VisualBasic6-KB896559-v1-ENU.exe
File opened for modification	C:\Windows\SysWOW64\SETB7B0.tmp	Msvbvm50.exe
File created	C:\Windows\SysWOW64\SETB7D1.tmp	Msvbvm50.exe
File opened for modification	C:\Windows\SysWOW64\SETB7E1.tmp	Msvbvm50.exe
File created	C:\Windows\SysWOW64\SETB7E1.tmp	Msvbvm50.exe
File opened for modification	C:\Windows\SysWOW64\SETB79E.tmp	Msvbvm50.exe
File opened for modification	C:\Windows\SysWOW64\SETB7AF.tmp	Msvbvm50.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm50.dll	Msvbvm50.exe
File opened for modification	C:\Windows\SysWOW64\KB896559.TXT	VisualBasic6-KB896559-v1-ENU.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SETB7E2.tmp	Msvbvm50.exe
File created	C:\Windows\SETB7E2.tmp	Msvbvm50.exe
File opened for modification	C:\Windows\regtlib.exe	Msvbvm50.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\Msvbvm50.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\VisualBasic6-KB896559-v1-ENU.exe:Zone.Identifier	firefox.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26d76f5d90188a9461bed041e372975875208394e16963a26b8404e240cfa5ac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26d76f5d90188a9461bed041e372975875208394e16963a26b8404e240cfa5ac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26d76f5d90188a9461bed041e372975875208394e16963a26b8404e240cfa5ac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Msvbvm50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REGTLIB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26d76f5d90188a9461bed041e372975875208394e16963a26b8404e240cfa5ac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VisualBasic6-KB896559-v1-ENU.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{888A5A60-B283-11CF-8AD5-00A0C90AEA82}\TypeLib\ = "{97177EBC-0C54-11D0-B407-00AA00C14969}"	Msvbvm50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{14E469E0-BF61-11CF-8385-8F69D8F1350B}\TypeLib\Version = "5.0"	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StdPicture\CLSID	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B196B285-BAB4-101A-B69C-00AA00341D07}	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A7D761-6018-11CF-9016-00AA0068841E}\ProxyStubClsid32	Msvbvm50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A7D760-6018-11CF-9016-00AA0068841E}\TypeLib\Version = "5.0"	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4E0F020-720A-11CF-8136-00AA00C14959}	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC4801A3-2BA9-11CF-A229-00AA003D7352}\ProxyStubClsid32	Msvbvm50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B28FA150-0FF0-11CF-A911-00AA0062BB4C}\TypeLib\ = "{97177EBC-0C54-11D0-B407-00AA00C14969}"	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00020412-0000-0000-C000-000000000046}\ProxyStubClsid32	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{46763EE0-CAB2-11CE-8C20-00AA0051E5D4}\ProgID	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\ProgID	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3AF24290-0C96-11CE-A0CF-00AA00600AB8}\ProxyStubClsid32	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4C46780-499F-101B-BB78-00AA00383CBB}\ProxyStubClsid32	Msvbvm50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{45046D60-08CA-11CF-A90F-00AA0062BB4C}\ = "PropertyBag"	Msvbvm50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A7D761-6018-11CF-9016-00AA0068841E}\TypeLib\Version = "5.0"	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B196B287-BAB4-101A-B69C-00AA00341D07}\NumMethods	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{888A5A60-B283-11CF-8AD5-00A0C90AEA82}\TypeLib	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3AF24290-0C96-11CE-A0CF-00AA00600AB8}\NumMethods	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{01E44665-24AC-101B-84ED-08002B2EC713}	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B196B288-BAB4-101A-B69C-00AA00341D07}	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B196B288-BAB4-101A-B69C-00AA00341D07}\NumMethods	Msvbvm50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97177EBC-0C54-11D0-B407-00AA00C14969}\5.0\ = "Visual Basic runtime objects and procedures"	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE46480-1A08-11CF-AD63-00AA00614F3E}	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4E0F020-720A-11CF-8136-00AA00C14959}\ProxyStubClsid32	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B196B28F-BAB4-101A-B69C-00AA00341D07}	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B196B28B-BAB4-101A-B69C-00AA00341D07}\NumMethods	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{22F03340-547D-101B-8E65-08002B2BD119}	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7BF80980-BF32-101A-8BBB-00AA00300CAB}	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ProxyStubClsid32	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B196B28C-BAB4-101A-B69C-00AA00341D07}\ProxyStubClsid32	Msvbvm50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97177EBC-0C54-11D0-B407-00AA00C14969}\5.0\FLAGS\ = "4"	Msvbvm50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0324960-2AAA-11CF-AD67-00AA00614F3E}\TypeLib\ = "{97177EBC-0C54-11D0-B407-00AA00C14969}"	Msvbvm50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{14E469E0-BF61-11CF-8385-8F69D8F1350B}\ = "AsyncProperty"	Msvbvm50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4E0F020-720A-11CF-8136-00AA00C14959}\TypeLib\ = "{97177EBC-0C54-11D0-B407-00AA00C14969}"	Msvbvm50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{14E469E0-BF61-11CF-8385-8F69D8F1350B}\TypeLib\ = "{97177EBC-0C54-11D0-B407-00AA00C14969}"	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OldFont\CLSID	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020425-0000-0000-C000-000000000046}	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1FAF330-EF97-11CE-9BC9-00AA00608E01}\ProxyStubClsid32	Msvbvm50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{000204EF-0000-0000-C000-000000000046}\5.0\FLAGS\ = "0"	Msvbvm50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4C46780-499F-101B-BB78-00AA00383CBB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0324960-2AAA-11CF-AD67-00AA00614F3E}\TypeLib	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BD1AE5E0-A6AE-11CE-BD37-504200C10000}	Msvbvm50.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A7D761-6018-11CF-9016-00AA0068841E}	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StdFont\CLSID	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StdPicture	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7FD52380-4E07-101B-AE2D-08002B2EC713}\NumMethods	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B196B287-BAB4-101A-B69C-00AA00341D07}\ProxyStubClsid32	Msvbvm50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4C46780-499F-101B-BB78-00AA00383CBB}\ = "_Collection"	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97177EBC-0C54-11D0-B407-00AA00C14969}\5.0\9	Msvbvm50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B28FA150-0FF0-11CF-A911-00AA0062BB4C}\TypeLib\Version = "5.0"	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0BE35203-8F91-11CE-9DE3-00AA004BB851}\InprocServer32	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{22F55882-280B-11D0-A8A9-00A0C90C2004}\ProxyStubClsid32	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9C2CAD80-3424-11CF-B670-00AA004CD6D8}\NumMethods	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B196B28F-BAB4-101A-B69C-00AA00341D07}\NumMethods	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55980BA0-35AA-11CF-B671-00AA004CD6D8}	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4C466B8-499F-101B-BB78-00AA00383CBB}\TypeLib	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE8F9800-2AAA-11CF-AD67-00AA00614F3E}	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{888A5A60-B283-11CF-8AD5-00A0C90AEA82}\ProxyStubClsid32	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97177EBC-0C54-11D0-B407-00AA00C14969}	Msvbvm50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7FD52380-4E07-101B-AE2D-08002B2EC713}\ProxyStubClsid32	Msvbvm50.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Msvbvm50.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\VisualBasic6-KB896559-v1-ENU.exe:Zone.Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3100	firefox.exe
Token: SeDebugPrivilege	3100	firefox.exe
Token: SeDebugPrivilege	3100	firefox.exe
Token: SeDebugPrivilege	3100	firefox.exe
Token: SeDebugPrivilege	3100	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
3100	firefox.exe
3100	firefox.exe
3100	firefox.exe
3100	firefox.exe
3100	firefox.exe
3100	firefox.exe
3100	firefox.exe
3100	firefox.exe
3100	firefox.exe
3100	firefox.exe
3100	firefox.exe
3100	firefox.exe
3100	firefox.exe
3100	firefox.exe
3100	firefox.exe
3100	firefox.exe
3100	firefox.exe
3100	firefox.exe
3100	firefox.exe
3100	firefox.exe
3100	firefox.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3100	firefox.exe
3100	firefox.exe
3100	firefox.exe
3100	firefox.exe
2800	26d76f5d90188a9461bed041e372975875208394e16963a26b8404e240cfa5ac.exe
3100	firefox.exe
3100	firefox.exe
3100	firefox.exe
3932	26d76f5d90188a9461bed041e372975875208394e16963a26b8404e240cfa5ac.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 3100	5024	firefox.exe	86
PID 5024 wrote to memory of 3100	5024	firefox.exe	86
PID 5024 wrote to memory of 3100	5024	firefox.exe	86
PID 5024 wrote to memory of 3100	5024	firefox.exe	86
PID 5024 wrote to memory of 3100	5024	firefox.exe	86
PID 5024 wrote to memory of 3100	5024	firefox.exe	86
PID 5024 wrote to memory of 3100	5024	firefox.exe	86
PID 5024 wrote to memory of 3100	5024	firefox.exe	86
PID 5024 wrote to memory of 3100	5024	firefox.exe	86
PID 5024 wrote to memory of 3100	5024	firefox.exe	86
PID 5024 wrote to memory of 3100	5024	firefox.exe	86
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 792	3100	firefox.exe	87
PID 3100 wrote to memory of 4264	3100	firefox.exe	88
PID 3100 wrote to memory of 4264	3100	firefox.exe	88
PID 3100 wrote to memory of 4264	3100	firefox.exe	88
PID 3100 wrote to memory of 4264	3100	firefox.exe	88
PID 3100 wrote to memory of 4264	3100	firefox.exe	88
PID 3100 wrote to memory of 4264	3100	firefox.exe	88
PID 3100 wrote to memory of 4264	3100	firefox.exe	88
PID 3100 wrote to memory of 4264	3100	firefox.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\26d76f5d90188a9461bed041e372975875208394e16963a26b8404e240cfa5ac.exe
"C:\Users\Admin\AppData\Local\Temp\26d76f5d90188a9461bed041e372975875208394e16963a26b8404e240cfa5ac.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:976

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4468

C:\Users\Admin\AppData\Local\Temp\26d76f5d90188a9461bed041e372975875208394e16963a26b8404e240cfa5ac.exe
"C:\Users\Admin\AppData\Local\Temp\26d76f5d90188a9461bed041e372975875208394e16963a26b8404e240cfa5ac.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1264

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba8bbafd-31e4-449f-abb5-8768d0848cef} 3100 "\\.\pipe\gecko-crash-server-pipe.3100" gpu
    3⤵
    PID:792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {854d14de-ee9c-4dc8-8dac-1eca22fa607b} 3100 "\\.\pipe\gecko-crash-server-pipe.3100" socket
    3⤵
    PID:4264
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3172 -childID 1 -isForBrowser -prefsHandle 3200 -prefMapHandle 2972 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1315eade-8777-42fc-b5ab-3b155802714d} 3100 "\\.\pipe\gecko-crash-server-pipe.3100" tab
    3⤵
    PID:1356
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3440 -childID 2 -isForBrowser -prefsHandle 3532 -prefMapHandle 2716 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {47a0fdc0-2a4f-4633-8dc3-027c5f56fa4e} 3100 "\\.\pipe\gecko-crash-server-pipe.3100" tab
    3⤵
    PID:3156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4228 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4268 -prefMapHandle 4264 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {912f9ae1-9979-4f1d-92ca-420e65d9a9ae} 3100 "\\.\pipe\gecko-crash-server-pipe.3100" utility
    3⤵
    - Checks processor information in registry
    PID:4776
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5352 -childID 3 -isForBrowser -prefsHandle 5372 -prefMapHandle 5368 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdc67b85-3163-4b83-a960-98521a419d36} 3100 "\\.\pipe\gecko-crash-server-pipe.3100" tab
    3⤵
    PID:2700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5512 -childID 4 -isForBrowser -prefsHandle 5524 -prefMapHandle 5528 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04649f86-e3c9-4c1d-b785-9dfbd42b6f16} 3100 "\\.\pipe\gecko-crash-server-pipe.3100" tab
    3⤵
    PID:1828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5684 -childID 5 -isForBrowser -prefsHandle 5692 -prefMapHandle 5696 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca6d493e-f496-4342-92ed-96a6e2842351} 3100 "\\.\pipe\gecko-crash-server-pipe.3100" tab
    3⤵
    PID:4792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6140 -childID 6 -isForBrowser -prefsHandle 4640 -prefMapHandle 4636 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e6c7159-a968-45f2-8a7a-d2ef131304b8} 3100 "\\.\pipe\gecko-crash-server-pipe.3100" tab
    3⤵
    PID:3560
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5244 -childID 7 -isForBrowser -prefsHandle 4156 -prefMapHandle 5436 -prefsLen 27823 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9525e9a-7e26-4c33-ba03-26e71e3856a9} 3100 "\\.\pipe\gecko-crash-server-pipe.3100" tab
    3⤵
    PID:1236
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5408 -childID 8 -isForBrowser -prefsHandle 5480 -prefMapHandle 5476 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {affb1568-8a16-420a-aad8-4d996930d461} 3100 "\\.\pipe\gecko-crash-server-pipe.3100" tab
    3⤵
    PID:3032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6468 -childID 9 -isForBrowser -prefsHandle 5200 -prefMapHandle 5192 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4fbcc2e8-82cf-4412-a636-51c72a56eb2d} 3100 "\\.\pipe\gecko-crash-server-pipe.3100" tab
    3⤵
    PID:4640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5756 -childID 10 -isForBrowser -prefsHandle 5764 -prefMapHandle 5760 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {392435d2-282f-4c74-8e4a-bd4a8e27290e} 3100 "\\.\pipe\gecko-crash-server-pipe.3100" tab
    3⤵
    PID:776
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6248 -childID 11 -isForBrowser -prefsHandle 6580 -prefMapHandle 5836 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dfc26c0e-973b-40d0-8175-a585e021086a} 3100 "\\.\pipe\gecko-crash-server-pipe.3100" tab
    3⤵
    PID:892
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3416 -childID 12 -isForBrowser -prefsHandle 5188 -prefMapHandle 5676 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {61fd3036-5e35-4785-860d-fbd310c2f857} 3100 "\\.\pipe\gecko-crash-server-pipe.3100" tab
    3⤵
    PID:3460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6676 -childID 13 -isForBrowser -prefsHandle 6292 -prefMapHandle 5836 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe65a0ac-b176-4594-a49d-6a68e75bd14b} 3100 "\\.\pipe\gecko-crash-server-pipe.3100" tab
    3⤵
    PID:2452
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3780 -childID 14 -isForBrowser -prefsHandle 4156 -prefMapHandle 3912 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ccd04405-d580-4d80-8eaf-2ecf03e804fd} 3100 "\\.\pipe\gecko-crash-server-pipe.3100" tab
    3⤵
    PID:4724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6432 -childID 15 -isForBrowser -prefsHandle 6652 -prefMapHandle 6648 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c57c4b3f-b8c3-42e1-a3bb-63897f017dea} 3100 "\\.\pipe\gecko-crash-server-pipe.3100" tab
    3⤵
    PID:1292
- - C:\Users\Admin\Downloads\Msvbvm50.exe
    "C:\Users\Admin\Downloads\Msvbvm50.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1964
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\REGTLIB.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\REGTLIB.EXE -q stdole2.tlb
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3904 -childID 16 -isForBrowser -prefsHandle 3900 -prefMapHandle 3896 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3712f56f-4f91-4642-a85f-d08d3dca6c91} 3100 "\\.\pipe\gecko-crash-server-pipe.3100" tab
    3⤵
    PID:5052
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2628 -childID 17 -isForBrowser -prefsHandle 5168 -prefMapHandle 3788 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e12bd913-137b-4d6a-a810-4cd77923f6db} 3100 "\\.\pipe\gecko-crash-server-pipe.3100" tab
    3⤵
    PID:4748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5208 -childID 18 -isForBrowser -prefsHandle 6524 -prefMapHandle 6420 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0ad759e-28e9-4ebc-8802-c1b3a5ed714a} 3100 "\\.\pipe\gecko-crash-server-pipe.3100" tab
    3⤵
    PID:3012
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6400 -childID 19 -isForBrowser -prefsHandle 6052 -prefMapHandle 6660 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {367b3a15-3168-4230-a6af-b2a690da1277} 3100 "\\.\pipe\gecko-crash-server-pipe.3100" tab
    3⤵
    PID:1968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2728 -childID 20 -isForBrowser -prefsHandle 6444 -prefMapHandle 6368 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c303d1d-8cd3-47b8-9efe-3db4dc4b89d1} 3100 "\\.\pipe\gecko-crash-server-pipe.3100" tab
    3⤵
    PID:3456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7396 -childID 21 -isForBrowser -prefsHandle 7488 -prefMapHandle 7432 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d30f4417-d2f0-49d6-8c5f-d437914a195a} 3100 "\\.\pipe\gecko-crash-server-pipe.3100" tab
    3⤵
    PID:2752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7388 -childID 22 -isForBrowser -prefsHandle 1768 -prefMapHandle 6200 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {146c7940-3e12-42d5-921e-3ead4b864085} 3100 "\\.\pipe\gecko-crash-server-pipe.3100" tab
    3⤵
    PID:964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6368 -childID 23 -isForBrowser -prefsHandle 6468 -prefMapHandle 7376 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7939a013-79d5-43ee-9e85-bb9e5b405a96} 3100 "\\.\pipe\gecko-crash-server-pipe.3100" tab
    3⤵
    PID:1288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7376 -childID 24 -isForBrowser -prefsHandle 6516 -prefMapHandle 6460 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa476e71-7884-4c68-afdf-ed87ddc9a2d4} 3100 "\\.\pipe\gecko-crash-server-pipe.3100" tab
    3⤵
    PID:3696
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6440 -childID 25 -isForBrowser -prefsHandle 5424 -prefMapHandle 6868 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {53f375a4-2c72-425e-b1e9-446bcd91ef4f} 3100 "\\.\pipe\gecko-crash-server-pipe.3100" tab
    3⤵
    PID:4568
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6492 -childID 26 -isForBrowser -prefsHandle 6500 -prefMapHandle 5736 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19c82655-5973-4b51-b417-fb1ff6be8143} 3100 "\\.\pipe\gecko-crash-server-pipe.3100" tab
    3⤵
    PID:2764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4188 -childID 27 -isForBrowser -prefsHandle 7764 -prefMapHandle 7556 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {27b70f11-fdca-444a-9395-bca15ecc59a8} 3100 "\\.\pipe\gecko-crash-server-pipe.3100" tab
    3⤵
    PID:4092
- - C:\Users\Admin\Downloads\VisualBasic6-KB896559-v1-ENU.exe
    "C:\Users\Admin\Downloads\VisualBasic6-KB896559-v1-ENU.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:3472

C:\Users\Admin\AppData\Local\Temp\26d76f5d90188a9461bed041e372975875208394e16963a26b8404e240cfa5ac.exe
"C:\Users\Admin\AppData\Local\Temp\26d76f5d90188a9461bed041e372975875208394e16963a26b8404e240cfa5ac.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2800

C:\Users\Admin\AppData\Local\Temp\26d76f5d90188a9461bed041e372975875208394e16963a26b8404e240cfa5ac.exe
"C:\Users\Admin\AppData\Local\Temp\26d76f5d90188a9461bed041e372975875208394e16963a26b8404e240cfa5ac.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dfn8djy7.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
836a2d3356e469e2cef7de6ff168e010

SHA1
f2cb2bb0760b59846251574f1ce8808c5a78d143

SHA256
6c5e979b6c686e2aef2a5278e333bf8d456d08c4e07f4e82b4f101363dfd53d9

SHA512
b5a191d5fb045b39575d13e566c41cb646e03a2ec725777084d95d9d51595fedcfc897c57c8754c4833b7382fad221cea1f1f8f4a3c892d172820a82c56fb0c7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dfn8djy7.default-release\cache2\entries\84354BEE8B7CD125358DE19BD508B38FF31C8D45

Filesize
58KB

MD5
28e28a9c1b573f51d2f9380c3d17a3e2

SHA1
25d96ade60ed0ec998f28c1d036f1c3a0a3c473d

SHA256
573cea6816a9f211a34933232bbf143d106b07ac8293c7492ca4462c412c98ff

SHA512
50e68db2cb2fa367a956159cddc398c52d69db0eba5a4e5e5ffffc7d0810694bc0c97e3965d9e0c6da744164b179f62893151c72ffa0d3bbc269fa866330dd3f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dfn8djy7.default-release\cache2\entries\97439B8B6B7FE82935C3AA67B51A6BD98623DE46

Filesize
91KB

MD5
08d96e6551b450be4a51459a61a6520c

SHA1
f7081f8d908ceda40c83d89ddcc3f2d014086748

SHA256
7a7e5ff2af443b61a7e94c32fb9d84b4afffdfb95af45dd79a6081b8087dff2e

SHA512
dd2057bff351af4a7d1aec2494055c405d8093dff2f5a16f3d1ae6a51c851bca6f8681a5c14bb05f4e2ba0a4df1063ed9548965f9e0f8213392451bfcca8da15

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dfn8djy7.default-release\cache2\entries\9C14E0C9D8814C7AB7F06D84A3485E4E9F7269F1

Filesize
41KB

MD5
8a7579135a1d48f828567a3997ee5d88

SHA1
967070f2092d5acecb33fdc13296950573f2f0df

SHA256
3c6288adb0b06384c619973fa181289d7d025a74219b0ac6d5901677e1c3206c

SHA512
38f38e0dd688c5a86ebde0a9dd9f1120600502ab54098da134e74bf4337963c13af0be18d9dc56f7c9000efcfb10f08e86446d6ca23ccbc98f791887c5d7eeaa

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dfn8djy7.default-release\cache2\entries\AEB798CFBF60351747CE1D9826E62FF95DC7AA9A

Filesize
17KB

MD5
e0b124f7fd7814d0a0dd08a3840de8e0

SHA1
d50981a08741252a3135f7aaf6c6ea8d705fc0c3

SHA256
ea00fd61d1371aa84fb3bca1e8be210e9347ad0966438df5f4afb50481c0a220

SHA512
6c94a2c1d1f86f69bf927513b783943fcae2968a36b1735a3c78678452a54cc5cdfc542060eca4f92bda8031f8bf0ec14e91ad62936113c8b0f5880ee40ffbd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL

Filesize
89KB

MD5
84f97568ea488bdfa0199a14ecd0bc7b

SHA1
6db4d2ffcccdccfd37dd120eeec06e3f7a81f705

SHA256
b3646276b0422103489d72e1696e8a1c03d20127907c54aed619e4f94825d649

SHA512
d996c0a7df303519a23075fa63f7d0c11ac5a255f382fe10eeda67a83d70a950c206ad32ec8a83cd8982ca37b052d98683e7cba532955ab5573aea17d534b4a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL

Filesize
89KB

MD5
8a4480b7a567df3f8531e65b3d0b032d

SHA1
e4500a06df3fa7c0808f1ca675daacb12a536b09

SHA256
a789fc22029ec3727dc2bd107b1bdf056910966e3eb885a7cd9579782ced1bbe

SHA512
acf5a8e007201c1df16a36ff03a3f2b9888e55b2f52d648a8ee4faee27f4d68feebfd3459bce9994cce9854a0efe76040aae69fce9dae282502b9eb6d3d38dc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ASYCFILT.DLL

Filesize
115KB

MD5
5068aaf253eef6fa21f86c5f6eb43a9b

SHA1
ca2f39e980036bf8e1bd8f7b542ab4ad655b0398

SHA256
16e9cd0eff1648a408067bcdef9e4b0b7babca3615d243122feecfb53e618333

SHA512
417fffe24e9d80cee72d6f93b42e8f1196cdac8fc231a99861c6d0d834f3fd30a63e962ca40fa01f98bf8141659782537faa5e698842845a26872c7cfdd604f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COMCAT.DLL

Filesize
21KB

MD5
900c7e2ca4c38157b013224504091131

SHA1
0545c729d18e31f6f0735cbdeb28375125c00086

SHA256
f538a680e3b2fd77ddd066284517ab9a2f82da6acc636509c98db213e2142ea2

SHA512
8259f7821ed016a2610d13c8096aa3cd54722d51e92d1148c21c07f29c5851761becc032dd9905b42e1b1e5da3ad14868f4ed1c7a31eb08c7f59c728bff71cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KB896559.TXT

Filesize
13KB

MD5
c2fa3ed360c475a9feac84e33f7ea327

SHA1
c5326f988c4f471020ee828f425e3094686e7b0c

SHA256
6ded4badcbd14dfc99d234ec6aa1155b868ef8ecf98d1c3a11cca9a8c7c2a232

SHA512
27a871f440de71e8f7197e5cefd001f95246003ccbce1c3f1b422e3ad09103815c9b1f18780665b77924edcd05d6f6f6292c8314f6d9a549927dbc0fae3770b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSVBVM50.DLL

Filesize
1.3MB

MD5
157b3267a46a79dd900104f241da8c4c

SHA1
178271eaf8c48384e206cbaebcbbc12030980410

SHA256
8611dc1b60ae5c383bba6cb3ffd8a51aeebff23b95844f0ab3d6e5ecd0fadc84

SHA512
acb496d811386c98ac67664ce9aeda86e49309e45430a4b66bd8433030afd0eab87ddabfda60b5bfbbfa2c84c118f89a5e636de7d0280c668a1c85bb5cbf7fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OLEAUT32.DLL

Filesize
480KB

MD5
6976dbbe4c97571c86d4aa19b10b1296

SHA1
c15f20a741730e45f315b8e0f7e475c471a03d7d

SHA256
b889857d7253b0a8f39c5f5372795a99e236783002d2c257da9b367edbdf3091

SHA512
db37e48b2c80591fbb19d48ea80b8eee599c4be84de191c08a8aba16dfc2c7f265f7ba2cdf9e32189ee118ccd6d501453a9a790908aafecc777f1a1906a35ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OLEPRO32.DLL

Filesize
112KB

MD5
52d36ae89a6e6c5fef146a85073b4684

SHA1
7b4f61434490ebd5a75970c6acd6299042263ddf

SHA256
3f480ad866e9f9fe8766b94472341a91909dfe312331284f6f8ba12f33d9a26d

SHA512
8ecf98c817a03557048bf2ad268af0ce90c8c35adf41d275c5a8fbde02f7882a8947e8937f63a41cf4dfaae01e39aca125b4686cacb4fef84e9dc7f90846c44c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\REGTLIB.EXE

Filesize
30KB

MD5
d66097f64f04f2b843f80b5a1ee79813

SHA1
240bac109c3ecd6bc4210ac0759fc781e0c63b47

SHA256
2fbdce253b9ee5fe055ef05f2b90ccf095aac1216fb96564e82701d90b3827c8

SHA512
23935d1af6ad019a6377db49c2c79581ad9360f7659901e377df29bd439206e0bb6f2f3a9ca0eb56a80d69f29f5808025d1939fb398b0ab0827210e45127df2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\STDOLE2.TLB

Filesize
16KB

MD5
bbbe928ff61c35367ff6e08cf79af0ae

SHA1
770f7a63275b7c387dc9762c9c1505d7a8e5a1e7

SHA256
8a6368eb6075a3676d1010ee0d4e6450b10cc40276dd7571bf108039e17f359e

SHA512
37f0829111353f6067c8ba89b248e6f39299f8c95d0426613b9c5a2e4fc2f5be1999df0b34b3ca1e0fa524db36c0bc07c56bfc08b8c9db5270cad72b43f6fa0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\comctl32.ocx

Filesize
1.3MB

MD5
2640ad05ab39321e6c9d3c71236ca0df

SHA1
03d30b572f312c2b554e76b3a18fbbb4a38a9be4

SHA256
634d27df20591de4d9b44dfb7f1ef03284c1d120f61b0801d668c1076d72cb6d

SHA512
7ea1357dcb7c22870c4993df30b00a79e61731cbea87775d800b7ff7f435858167780b22fd5af6a2df59edc1c5d5fb0e184c5f7ed4436c70ea5f91b8be4a1e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mscmupd.inf

Filesize
685B

MD5
214274e313cc092c47473fe9318553d3

SHA1
7056dfe74db125072888e577350e1442392b23f7

SHA256
d498ca1eacbc22329c2c0fce0113a8e783fd65ad1957a14c6e3e441ebe0f4cc7

SHA512
940b4ac5d56f104870b7b0542a633da64e90cfea71dc3daeb0128104278966734c423e0ebf702076b6492489927874f458cdd9ea6253b6d2051c0a4eded1185d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mscomctl.ocx

Filesize
1.0MB

MD5
d268668751ee22997d7ef1417034cb04

SHA1
d8a87438ab0df47fe252b06162a986399cafffe1

SHA256
fac6736251d3c61ecbd63be0420d1c75d5cd0442181d479013330155ca37d358

SHA512
75f40cc8c92e3fcdd381669f6aa0bf1e76ee6fec0c5cbf53ea0bbfbff199ac7229fc1405f737420badd24f438b49b8d2eed2bb0f3fad0bf8a974f54bd6964a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msvbvm50.inf

Filesize
858B

MD5
9c90bc2513596943faae36814a9416c2

SHA1
00bb4607b311aa8b4dafcd498bbebf57bdb40d7d

SHA256
02cb70cd3214c2eefdb0524d1ad2260d8af1af3ef7e6355a24eefb31811011f4

SHA512
a850ebaa4a3b0f03e961d13f2697f2e2cc4dd604f54a61a6344f26e64ec05cc80a8598e07ec3a31d1b608c84d2ca59ad71414e8d9f024ef2c0a178bcc08f928f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\AlternateServices.bin

Filesize
8KB

MD5
bab23d3edf26ef6ef49e521d70979ede

SHA1
8fb0a6dae2b04cd9cdc5cee19df8e7f2fe8fbc4a

SHA256
8eb491132335a56790e6c5db0e157999f5787d65ddc51eb4a7f070505eb5b1b1

SHA512
3dc8f845486bc6c18022aaccf23bc5d0b593f609dd3fabfe28f98d7517aee2d8acdfb5abb9d169513fe0dc44b7f27b008c9eb3cbf6a518bc6d516b98ca0dfd18

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\AlternateServices.bin

Filesize
12KB

MD5
9910d806e90e6c00bb3492187234becf

SHA1
ffa1360186801e35bfcc7752f0bcb638b9301cce

SHA256
7fd4f17b78831d75cf15e16907bc73698c75e446b123f3c33cf6f96930c78830

SHA512
29ec00d410922747c27396d1e85921696c2b9630996b409352affcc524d5855b3ad3413bcc28e09d0f09bcd7e81bdd8174e52a06635ccbb8b56f0edcf2202347

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
80d6ef421eb2f9e8f89a486db2e2e6eb

SHA1
f692aa1485c91d571f2d8a19d91261e698d0d345

SHA256
e9b55dc1c5978366521d082f107632fa016c2473511d117c4afa57b12bdcd223

SHA512
fddaae9dee69c4ecaa603eebd8e0932f2aad0ab9a5405a01e8bc5c298e54a696ec9ffb73f7a7276b763339f948ed7389540514d74a2cf776dd20ec66ec530208

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
06aebdc6101d547d06eb12a4341bcdc4

SHA1
8cf25f45011f324503e0e4cdbf863cd6f2a62fd2

SHA256
a3db3fa744b74a5dfeb17f3befccd71e4778eea592151d9fc5f77b86009ed1b3

SHA512
87c58080e8195e679300f0a5f6083f93efeee0d14b2290d569c895a7365699dd4b036682e884a3b8848fb315e7947cc2d7dd05235864dea234401a4c343c921a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\pending_pings\122e5f79-875b-4a9b-9900-f4cfcac40344

Filesize
982B

MD5
827797a6f09acbe5de9903de12d5a311

SHA1
4d27dbf85bc342b471fa28646851ae5fcf0a758f

SHA256
d429ea2377b31fb5efff5d9d1f6b0e109b7f81be46e2e8b232af1ea0a9243af5

SHA512
c3dab5249e58cff509e1d9b72c5d5d87158e65cff9e1cf1e5f6e0254425f9fa4db8b3a5fa5a2360ae845710884638d5a652a6842bb300c7e3e7329e1ec2cc8a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\pending_pings\b9ea3150-aeff-4447-a4bf-6674fe400ad0

Filesize
671B

MD5
40e1888cb4068b0c58e9e57421ed0e2b

SHA1
25217feceb8bf1affdf2372aa19fd8a73f7b6836

SHA256
a20e658d37eaf57adf168dbef872f2122243ae58ea403a2e46c853bb044548d6

SHA512
0c28c3699824a34e3ac878fc8488a51f1440ec3f9ef9adf90e7bb7c8a820a86c2fb7a4724cbc421e7999e1f5aabdf0b77292deae90e8cbe5db9fa458c033d3a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\pending_pings\f1b08a41-d26b-4eb7-861d-62426736cc7d

Filesize
25KB

MD5
ac5a84b23f3c7e40bed28dfccb254495

SHA1
a6faf4147aa7400bae898a82e69317ac86f44ed1

SHA256
dffc9af2004f37a95b1d4108b36994e38397efb7d8decdac3246c78a8847a78c

SHA512
500656634117304ad6fa856e4c5d97f96d123096eb5ffee0c866547c6af93155ee88bbd0c8d3b029b4741c69c6d039f8221f281918af4346aa4f9a544ee6f98a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\prefs.js

Filesize
10KB

MD5
4dffbed5f18cc8ef90273b19599e2652

SHA1
9ad56e0007cb05b4dd68152f4366247769ea7e1f

SHA256
2dc07bad44639f22df41fafad04f9eb9a28094d7df2ddfd7834230e5ec6d0679

SHA512
9ac9196591b96dae153ede216f72be2e858cba96fbfac991db5c68867af0e94117d3f9225f7207aad23e95358acce55ee7452e3204eba0bdb3bb96ebb833d0e4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\prefs.js

Filesize
10KB

MD5
305eb0ade7cb343c7fe103f58a76a2b8

SHA1
60a14afcae92e0dec89e8be38fafd79fd5e6fc83

SHA256
553e4e61fdf74db7792781cec84ece3b96371d28f7a2fefea2ba1fd1b253de13

SHA512
07c523e8ef58534e9281d3d310405dc95b6941b39568628ef402c4d5339fbf01ee34d863f90e61ef27e2f477074cfb4c18e96ea3f0ae96d1cc06bbedc72261de

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
4af6bf0c64651106731920a210253122

SHA1
54aec29b069cc97f1268ee6c5edb08b3b86ccc80

SHA256
2fa8d7756ef90ee4567c028db592430fc4df860987a982ca5472ca3e44cf4c5e

SHA512
d5302917a8aa363ea8beb9cb18076c7ce9d4714f96d1fa94145d2cb2b931737eebe94f815f4b207897ca6a7ac8a2906c66b8551b00436d93a4066195b797381c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
8b84dbf8013cace332fb438447ea83e1

SHA1
23525c71555bebe44176e731f8124f37494cc827

SHA256
d18223bd3af8ca2a3b699848b6e21cae9af58418a5e0bc2ce24a45172e44c90b

SHA512
4e38371c6447126b9c35ab189bd8aafe9ad34c5ea9c349df5641c091be5ec6a11629e2f4a8fc4b50ed37d1b4f66c33241f1400377134848fe4fb8d6de2ec8ff4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
c9da7d18727ec2a8151281806bb32838

SHA1
81d7b7079fda5f03568de3094c3d0f0c93ed4ee6

SHA256
ddd2c2e76553fbb98c504ece327fa16d526091e64d504d422db517478949d9ca

SHA512
9cbfd192ea1826f0d1a99102902249568c493bab3e8a9ee8e2ed4e62fbf13fcc63f21d2c898034f83c2c01627beec1c7a1ebe076e6bf1db98abf70e8b86c0e3d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionstore-backups\recovery.baklz4

Filesize
14KB

MD5
02b2858d60ec397e3c45225d461d3b13

SHA1
8f941a668f3fc1f3db931523981f383d8ff3e7d2

SHA256
723a349220d717a9facbea00c54d9efda79c26ea7e5e2605ba52d73d8b556835

SHA512
b2b712db8caef9666c46d01561568408ef37f9450ff7877ee2d73941afb893b761e9726d55f9b65e8e774731ebe79d0f3f73ddd6ef21f16c43045cc6fae37b02

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
1bfc6e2e878be84c392fcdfb103f7ff6

SHA1
0794ea8a2f004374e74693c70dddcc239f45ca77

SHA256
be7eb840b2cc4f00a473992b11be6608a2992241438225a9685cf0f173a42255

SHA512
28da4ff64735643e2aaea9aebe5407c8e53df734868dac5ece8d8234a89ff1ee989a482eff76e965ef5c284dfe0bb8fc5a06cd13bf9f6ac4bb2e4c7c119e0138

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
2051faa073e81cb73992fb338ffa5dc5

SHA1
084d87ec607452001b1178dd6290fb9ee0e4f0f6

SHA256
cf945819aca9d49615dd65924e6ec6bf5cf2ee7df1ae6f9f586b6a10fdc405c0

SHA512
5d84280876457a347af515e444fce2a8a90937692771453c8536335fd2555dd2c72e26897c30663148651482b594b525cd3e16e5ff34f0c7352d1e2f787ecc30

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
52e660524d4e50b36ef4c48fa18720f4

SHA1
6a7bddbc174f2cb059282ada03a87b04f963604a

SHA256
d97c7428b3a26463ede43aab69016ed37378348c9c000d3629bd731f94651b3d

SHA512
90cb87c08f1adb5c119e49f6c3b5881b72daf02eb7f768e3b1beffe4451f9747d34a7c8900e7f922a413408688d17219c68c208264be2125830bf707e59b5dbe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
376KB

MD5
5d0a485c6575ffa77a45a9789921f9f0

SHA1
207468b870c413099bb675a3e162346ee2d417bc

SHA256
728b08f74ada44e54c1b8c28beb43047e7f2c34e6abf27484626975807a5a17c

SHA512
fc94ec23d20863fad9ac2e97d919efb4d40bb9a914df7ecaeb063e6284cb008bb5ae1ec37eacc25aa3ea706ef1f00f769632314bfd5ff615b4dc217c3ebbc279

Download Submit
C:\Users\Admin\Downloads\Msvbvm50.6u7jkPAR.exe.part

Filesize
969KB

MD5
e037b441d3eabd82f1e1842180919aa3

SHA1
28bfaf09b8ac32cf5ffa81252f3e2fadcb3a8f27

SHA256
b5f8ea5b9d8b30822a2be2cdcb89cda99ec0149832659ad81f45360daa6e6965

SHA512
4e01066e9d92e681cf3472388673b8bd46104108646145a77a2a159eb5f0f1895dc5bdb1760be8c14a8fb7c4ef3f669615d3bd3c47276b97957008f3b833a3e1

Download Submit
C:\Users\Admin\Downloads\Msvbvm50.exe:Zone.Identifier

Filesize
118B

MD5
756b7404fc11bb42548eba8ba7c7d8f0

SHA1
e6e9eb054f6f0a2a810603c374cda6c6bcb159a6

SHA256
15fe330708f868ea6295ee895e122087433e5ae48137bf9307b52f61bd771832

SHA512
f9ff0a313f6beca7b91f681b412b462b7d8fe76764776893940bb154fd0aa95e349e4554d54f75a21c098da9985cd983c6ccfbfc9eeb3eacf42c3f2cab6ddd72

Download Submit
C:\Users\Admin\Downloads\VisualBasic6-KB896559-v1-ENU.exe:Zone.Identifier

Filesize
191B

MD5
cc015b17ae04af1ae07cff32334552fb

SHA1
b29267eb7f42b72ca33f274cb86749fd46842ccc

SHA256
46c0a7c896420cc62e8d2241febba0c6e4a93db7cec8e9b38db91fc27c448005

SHA512
dd769462a9c3ba925a3a0e3e6e6a0026dd36dc333524206b6c2ea5fe9275da558cd1c02f2250bb5983b653d118e20855626d29decd99e338e4ae13513edb49b8

Download Submit
C:\Users\Admin\Downloads\VisualBasic6-KB896559-v1-ENU.sFIRfBm6.exe.part

Filesize
916KB

MD5
76758b356e8c447df3cde0f15d950620

SHA1
f271f3f5c8e0436b860cbd094133d97428bcd151

SHA256
32857e7b99254630f292b8f268fd60feb128b5dc5bd7e50f4c2c6baa5ea04eb3

SHA512
1eb4d9ee03de2fdbc5d3cd4e7bdc19104ffe7238fceb5f9156387c12ccdd938d768fda3893f991ad97007a42bc7d24254d1c2bf407b912907ea68c3dccdb0aeb

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads