formbook | hxxps://bazaar[.]abuse[.]ch/download/6c8bb939433b05a8b56b08ef68f8c5b5f396bc2b5454ec09d4ee1654951ff463/

Analysis

max time kernel
232s
max time network
236s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2023 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bazaar.abuse.ch/download/6c8bb939433b05a8b56b08ef68f8c5b5f396bc2b5454ec09d4ee1654951ff463/

Score

10^/10

formbook hesf rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hesf

Decoy

rizublog-aromama-a.com

87b52.club

allportablepower.com

brownkrosshui.com

schuobu.fun

qevtjrobrb.xyz

throne-rooms.com

hostcheker.net

buzztsunamiloja.com

kkudatogel27.com

91fulizifen.com

148secretbet.com

outlookthailand.com

zonaduniabet.net

boursobankk.com

tuneuphypnosis.com

sahabatzulhelmi.com

usbulletinnow.com

durdurdarshi.com

zz-agency.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/5360-335-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/5360-338-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/208-369-0x0000000000670000-0x000000000069F000-memory.dmp	formbook
behavioral1/memory/208-371-0x0000000000670000-0x000000000069F000-memory.dmp	formbook

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	6c8bb939433b05a8b56b08ef68f8c5b5f396bc2b5454ec09d4ee1654951ff463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
732	6c8bb939433b05a8b56b08ef68f8c5b5f396bc2b5454ec09d4ee1654951ff463.exe
2708	taol.dll

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2708 set thread context of 5360	2708	taol.dll	120
PID 5360 set thread context of 3224	5360	RegSvcs.exe	37
PID 208 set thread context of 3224	208	colorcpl.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4152	ipconfig.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings	6c8bb939433b05a8b56b08ef68f8c5b5f396bc2b5454ec09d4ee1654951ff463.exe
Key created	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\6c8bb939433b05a8b56b08ef68f8c5b5f396bc2b5454ec09d4ee1654951ff463.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2708	taol.dll
2708	taol.dll
2708	taol.dll
2708	taol.dll
2708	taol.dll
2708	taol.dll
2708	taol.dll
2708	taol.dll
2708	taol.dll
2708	taol.dll
2708	taol.dll
2708	taol.dll
5360	RegSvcs.exe
5360	RegSvcs.exe
5360	RegSvcs.exe
5360	RegSvcs.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe
208	colorcpl.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
5360	RegSvcs.exe
5360	RegSvcs.exe
5360	RegSvcs.exe
208	colorcpl.exe
208	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	4340	firefox.exe
Token: SeDebugPrivilege	4340	firefox.exe
Token: SeDebugPrivilege	4340	firefox.exe
Token: SeRestorePrivilege	5100	7zG.exe
Token: 35	5100	7zG.exe
Token: SeSecurityPrivilege	5100	7zG.exe
Token: SeSecurityPrivilege	5100	7zG.exe
Token: SeDebugPrivilege	5360	RegSvcs.exe
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeDebugPrivilege	208	colorcpl.exe
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
5100	7zG.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe
4340	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 4340	2996	firefox.exe	27
PID 2996 wrote to memory of 4340	2996	firefox.exe	27
PID 2996 wrote to memory of 4340	2996	firefox.exe	27
PID 2996 wrote to memory of 4340	2996	firefox.exe	27
PID 2996 wrote to memory of 4340	2996	firefox.exe	27
PID 2996 wrote to memory of 4340	2996	firefox.exe	27
PID 2996 wrote to memory of 4340	2996	firefox.exe	27
PID 2996 wrote to memory of 4340	2996	firefox.exe	27
PID 2996 wrote to memory of 4340	2996	firefox.exe	27
PID 2996 wrote to memory of 4340	2996	firefox.exe	27
PID 2996 wrote to memory of 4340	2996	firefox.exe	27
PID 4340 wrote to memory of 2032	4340	firefox.exe	85
PID 4340 wrote to memory of 2032	4340	firefox.exe	85
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4456	4340	firefox.exe	87
PID 4340 wrote to memory of 4796	4340	firefox.exe	88
PID 4340 wrote to memory of 4796	4340	firefox.exe	88
PID 4340 wrote to memory of 4796	4340	firefox.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://bazaar.abuse.ch/download/6c8bb939433b05a8b56b08ef68f8c5b5f396bc2b5454ec09d4ee1654951ff463/"
1⤵
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://bazaar.abuse.ch/download/6c8bb939433b05a8b56b08ef68f8c5b5f396bc2b5454ec09d4ee1654951ff463/
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4340.0.673856937\1908120240" -parentBuildID 20221007134813 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3bd466aa-ab8e-4dbf-85d3-9d34c48e0fd7} 4340 "\\.\pipe\gecko-crash-server-pipe.4340" 1964 193dd5d9358 gpu
    3⤵
    PID:2032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4340.1.233746778\673627892" -parentBuildID 20221007134813 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8c2c51a-e9ba-4415-830e-0ab6bb41e4ae} 4340 "\\.\pipe\gecko-crash-server-pipe.4340" 2404 193dd4f0558 socket
    3⤵
    - Checks processor information in registry
    PID:4456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4340.2.1605458455\1197978657" -childID 1 -isForBrowser -prefsHandle 3312 -prefMapHandle 2964 -prefsLen 21857 -prefMapSize 232675 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {092394cf-032b-4459-99ff-b385fa83a7e3} 4340 "\\.\pipe\gecko-crash-server-pipe.4340" 3008 193e12eb258 tab
    3⤵
    PID:4796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4340.3.1366186747\174828162" -childID 2 -isForBrowser -prefsHandle 3616 -prefMapHandle 3612 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4608451b-9376-4c1b-b585-a414ff2ea3a4} 4340 "\\.\pipe\gecko-crash-server-pipe.4340" 3628 193d0b67c58 tab
    3⤵
    PID:4660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4340.5.122722996\364282853" -childID 4 -isForBrowser -prefsHandle 5156 -prefMapHandle 5160 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {165a4f52-dcc3-4538-a3af-0ffb58fa0cda} 4340 "\\.\pipe\gecko-crash-server-pipe.4340" 5148 193e4123358 tab
    3⤵
    PID:3800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4340.4.1368999126\2078558951" -childID 3 -isForBrowser -prefsHandle 4996 -prefMapHandle 4992 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0e84443-2794-4a2f-afff-54a8ac9ae426} 4340 "\\.\pipe\gecko-crash-server-pipe.4340" 5008 193e4121e58 tab
    3⤵
    PID:1388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4340.6.1448057545\1597784411" -childID 5 -isForBrowser -prefsHandle 5424 -prefMapHandle 5328 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fc4c6e9-29de-4223-87cd-02cb70545292} 4340 "\\.\pipe\gecko-crash-server-pipe.4340" 5028 193e4123f58 tab
    3⤵
    PID:4936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4340.7.581640097\1952642687" -childID 6 -isForBrowser -prefsHandle 5380 -prefMapHandle 5808 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9d8aec3-6edb-46fb-9858-bddee5430c5d} 4340 "\\.\pipe\gecko-crash-server-pipe.4340" 5372 193dedd1b58 tab
    3⤵
    PID:3576

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3224
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\6c8bb939433b05a8b56b08ef68f8c5b5f396bc2b5454ec09d4ee1654951ff463\" -spe -an -ai#7zMap13755:190:7zEvent24064
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:5100
- C:\Users\Admin\Desktop\6c8bb939433b05a8b56b08ef68f8c5b5f396bc2b5454ec09d4ee1654951ff463.exe
  "C:\Users\Admin\Desktop\6c8bb939433b05a8b56b08ef68f8c5b5f396bc2b5454ec09d4ee1654951ff463.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  PID:732
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\opw-s.vbe"
    3⤵
    - Checks computer location settings
    - Modifies registry class
    PID:2056
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taol.dll hoxcaxg.msc
      4⤵
      PID:960
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taol.dll
        
        taol.dll hoxcaxg.msc
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2708
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        6⤵
        
        PID:3392
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:5360
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /renew
      4⤵
      PID:3908
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /renew
        5⤵
        Gathers network information
        
        PID:4152
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:208
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:5356

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uzw33i5d.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
f22590ce73aee4a7715db66963a5c2cf

SHA1
6bee7ab7f5be977c620fa361b4e965dd45c9af2f

SHA256
633552439f296193bba0522cc9aba66891ffe11dab2eb1a7c9bee50c6a3b3f2a

SHA512
956c0b471d25864d78c616dd52fbc2ee27824bc09b9146532f433027174f47cd276eceea8d7a96e617ea1811af59f31166b5e185777aeb293fe0951635f502aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bbcpmgvfqh.txt

Filesize
36KB

MD5
5da9afc278ffb2274a11e358952488b6

SHA1
03b59988b177d85196fa24ad16b3f479885a1225

SHA256
e6ddac6f7529b465d32ef9b859101978823c8548eb2abff81a24d4a157cb4f7c

SHA512
02f58173b7941cfa072129f3cc246659b09c97fe531aa8fb09a6c8c24a221d89feaf44392a29315817d0c981f3d8f33fff57dd1c3082b8832c8111620569f9e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hoxcaxg.msc

Filesize
99.9MB

MD5
7ce501e5d4da15b684f8af06858b42bd

SHA1
6aa3bf27660d54c339e7bd4b62240af304958030

SHA256
7ba659601042af782be15538c14574e8607649547cb07815f385f257b7c9a4d7

SHA512
d86f9e0420bca82e9325038691c40c017fd0acc21fba48e27b347f2aa7b8510efe192d9a71674a0357c63c2872e494ad9b2763620029fc4fa12791efef490d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\opw-s.vbe

Filesize
52KB

MD5
e0eaf1e9ac5bf23c5fe44e27a1846835

SHA1
becc298f97effe56108d3cf51a4a827763bed2bf

SHA256
7c5feaf38228475be4d3396fafe423f0331f8d6d4ad8ba6f669d8739932daaa7

SHA512
39a0c9fc6f610ffaf3502e9ef4e5819ba5b649c5f351e9d87f6511415fd8b5d5b07733f9362704c3f2119d058d34a46a8795d984a51c2d77d808e4c5852bad0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taol.dll

Filesize
925KB

MD5
874798cb576e238642281b10189b031c

SHA1
eafb30e710d557918533a6f10f09ca1f4227c77e

SHA256
e24858235af8c85aed95375be6dea083c7910917f78731ef4d195799e6f49713

SHA512
eaa0cff408fd3366813f1a80cf866bd590a885984a525d4a1b07fdf21c2d6df07c98fd0782050539f912a93b7df6a5a8831b676cb6200592995f108cb2659b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vfgio.ssj

Filesize
352KB

MD5
8cddef3c2e89cfe5b2bc527cdf316725

SHA1
1a689db5e39e1e788605316d3524b50d499c84e2

SHA256
bf1169787491f2f717aa645277d678e34593aff8996044f1623dfa1b046d4352

SHA512
a85d6d2926765a256006fbdd9e0b3e62ff0f4ffe42a2c1b4f29269671ac4b5bf0eaad3b181814d6bbf89e7faf96134f1f2f850550c8c0ecbebe554803bd22586

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uzw33i5d.default-release\prefs-1.js

Filesize
6KB

MD5
b42fd7c7d0ea4b9446bdd22b9bf9a5c8

SHA1
8311f2b7f4e4643f261bc05325cdd9538a71427e

SHA256
cecabdb5c503b7c27a223a484ec1aab0a6b4ce48f3d2155254f747393a66e47c

SHA512
15012239f725ffa6df1f9d3fdf05b45439cbb5c254988ad13396b10c7ae720debbe5f6bdd6b0dd34a102e50079c13ae1320eeaa8fb62b99d95240e30652bad9d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uzw33i5d.default-release\prefs-1.js

Filesize
6KB

MD5
5bd8d5a1d861147f2ff9d95fff1d1997

SHA1
ae3619d71e1c999a7063f14cd6917db9197051ae

SHA256
d93cef113cb7e56bceed97be46e402fd0b8a0b525335f9e8f7d7255f60be2a36

SHA512
c201217a774a87a0a06b4bec190399043fd136c047583d6bfd2a51f19327791738fb5a1c86f002965190bcb46e5fabb4c6d9c45fc7a2a022027ccd33885e8dbd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uzw33i5d.default-release\prefs-1.js

Filesize
7KB

MD5
b070752bb4f9d4058327d31df28d939b

SHA1
6fc725e08405b244ae6e0cdf8f709a671003a4b0

SHA256
52f3edbbd548367b19435b5fba8929d88e6b39ae8004b921e542d5c7c531b311

SHA512
ab36f240a89957dd790abd77fbe391405e35d2ca5b50175ccfcafe9b2c1e0a32f4de63ac1238ca739ded0aa01274ea1207a89a0ce9c6041580a28f44187f0b08

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uzw33i5d.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
291d9bd551309a4fbd29f78b06af6054

SHA1
f0c5ff559e981198d6714d73acaada477104a4da

SHA256
f9ecc68ef0b34c3b70fcfb1be15641892ae83e2241b5c4fcb023ec7280a02e50

SHA512
8617a336fa7c7fd67feb64d17156a89469b018f0f4e993530441afc459448fe5ba605fac0571cf471f48c638a2cd6fa73a53cb25a6d422d2f2d999eb1ca20600

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uzw33i5d.default-release\sessionstore.jsonlz4

Filesize
3KB

MD5
f700d076f801969eb8208276bee64946

SHA1
dfc61a8ac93414e0ffa24005dbfc5625a27748ec

SHA256
916eb6355bc40c22341156fe6e680a57f4b8f631a5a7bd9e0e024b731dc50bed

SHA512
b7b2513cd8f05c8ca0377a6619cfe37ae3b94f894c004b98104251cba3afd318f6952cea1670b7f8f5eba282951df6cb158d36b1c3976404d3c6038904b97271

Download Submit
C:\Users\Admin\Desktop\6c8bb939433b05a8b56b08ef68f8c5b5f396bc2b5454ec09d4ee1654951ff463.exe

Filesize
1005KB

MD5
e9577305797da56c4538f35d2da1e6ef

SHA1
4b19ed069368fa3b9433c9c8d8b4a050dfae77bc

SHA256
6c8bb939433b05a8b56b08ef68f8c5b5f396bc2b5454ec09d4ee1654951ff463

SHA512
28427e4d980c8aceb27fe0fd31275bf7fbf6fdac1b9730c80ff9e3917c6b064b0a605f83c0df3fd7cc0642305797e159711ffe5f94f6aaa3d42d3cc8373077f5

Download Submit
C:\Users\Admin\Desktop\6c8bb939433b05a8b56b08ef68f8c5b5f396bc2b5454ec09d4ee1654951ff463.exe

Filesize
1005KB

MD5
e9577305797da56c4538f35d2da1e6ef

SHA1
4b19ed069368fa3b9433c9c8d8b4a050dfae77bc

SHA256
6c8bb939433b05a8b56b08ef68f8c5b5f396bc2b5454ec09d4ee1654951ff463

SHA512
28427e4d980c8aceb27fe0fd31275bf7fbf6fdac1b9730c80ff9e3917c6b064b0a605f83c0df3fd7cc0642305797e159711ffe5f94f6aaa3d42d3cc8373077f5

Download Submit
C:\Users\Admin\Downloads\6c8bb939433b05a8b56b08ef68f8c5b5f396bc2b5454ec09d4ee1654951ff463.YYrmpt2l.zip.part

Filesize
560KB

MD5
60413d380336f51d48a8316b1634cae4

SHA1
a5947cc1559236cc21f6558d95c4375bde85a072

SHA256
3601ca403eecd38ecb1b0093226ee404ec1fdb1ab84e1425d1848daf2bfb83ff

SHA512
dad1c54cc3faf950e043b935c7f89c532258429d573ccc350f4c71b4dfc548f1cc246af99ec27e29333ce8e8669d774e54c2a59662df87740cbff1a1a8b42358

Download Submit
C:\Users\Admin\Downloads\6c8bb939433b05a8b56b08ef68f8c5b5f396bc2b5454ec09d4ee1654951ff463.zip

Filesize
887KB

MD5
7acb7c95f28b4b10bde9af64a4f3f2b4

SHA1
77c4a4179b9a5e27cb19177f698778c5f6294dd2

SHA256
b4c734a8ff4c4d79e81a947681acc33c0701b1633510a5a1a40f000a29dcf646

SHA512
7783df98d1dfa909cfd564a43e523992ac168ed010057f453de494e94f6eb4d302ff2d94a61191e32e944b2fd9b2ced0f5dcbabe070623c49ed63ec3a93e61a5

Download Submit
memory/208-371-0x0000000000670000-0x000000000069F000-memory.dmp

Filesize
188KB

Download
memory/208-370-0x0000000002610000-0x000000000295A000-memory.dmp

Filesize
3.3MB

Download
memory/208-374-0x0000000002450000-0x00000000024E3000-memory.dmp

Filesize
588KB

Download
memory/208-359-0x0000000000130000-0x0000000000149000-memory.dmp

Filesize
100KB

Download
memory/208-369-0x0000000000670000-0x000000000069F000-memory.dmp

Filesize
188KB

Download
memory/208-353-0x0000000000130000-0x0000000000149000-memory.dmp

Filesize
100KB

Download
memory/3224-340-0x000000000BA20000-0x000000000BB9B000-memory.dmp

Filesize
1.5MB

Download
memory/3224-372-0x000000000BA20000-0x000000000BB9B000-memory.dmp

Filesize
1.5MB

Download
memory/3224-376-0x000000000BD60000-0x000000000BE91000-memory.dmp

Filesize
1.2MB

Download
memory/3224-377-0x000000000BD60000-0x000000000BE91000-memory.dmp

Filesize
1.2MB

Download
memory/3224-379-0x000000000BD60000-0x000000000BE91000-memory.dmp

Filesize
1.2MB

Download
memory/5360-336-0x0000000001740000-0x0000000001A8A000-memory.dmp

Filesize
3.3MB

Download
memory/5360-339-0x0000000001170000-0x0000000001184000-memory.dmp

Filesize
80KB

Download
memory/5360-335-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5360-338-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download