reflectivegnome | hxxps://bazaar[.]abuse[.]ch/download/b568614fe33d732014980f0bb083e9abf45641f2dc230571eb3d63d6bc7f10b0/

Analysis

max time kernel
171s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2023 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bazaar.abuse.ch/download/b568614fe33d732014980f0bb083e9abf45641f2dc230571eb3d63d6bc7f10b0/

Score

10^/10

reflectivegnome downloader loader

Malware Config

Signatures

ReflectiveGnome
ReflectiveGnome is a loader used for FlawedGrace RAT.
loader reflectivegnome

ReflectiveGnome Downloader 2 IoCs

Detects ReflectiveGnome x64 downloader in memory.

downloader

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\b568614fe33d732014980f0bb083e9abf45641f2dc230571eb3d63d6bc7f10b0.exe	reflectivegnone_x64
C:\Users\Admin\Desktop\b568614fe33d732014980f0bb083e9abf45641f2dc230571eb3d63d6bc7f10b0.exe	reflectivegnone_x64

Executes dropped EXE 1 IoCs

Processes:

b568614fe33d732014980f0bb083e9abf45641f2dc230571eb3d63d6bc7f10b0.exe

pid process

5988 b568614fe33d732014980f0bb083e9abf45641f2dc230571eb3d63d6bc7f10b0.exe

pid	process
5988	b568614fe33d732014980f0bb083e9abf45641f2dc230571eb3d63d6bc7f10b0.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

Processes:

firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\b568614fe33d732014980f0bb083e9abf45641f2dc230571eb3d63d6bc7f10b0.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

taskmgr.exe

pid	process
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

5804 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

firefox.exe7zG.exetaskmgr.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1164	firefox.exe
Token: SeDebugPrivilege	1164	firefox.exe
Token: SeDebugPrivilege	1164	firefox.exe
Token: SeRestorePrivilege	5788	7zG.exe
Token: 35	5788	7zG.exe
Token: SeSecurityPrivilege	5788	7zG.exe
Token: SeSecurityPrivilege	5788	7zG.exe
Token: SeDebugPrivilege	5804	taskmgr.exe
Token: SeSystemProfilePrivilege	5804	taskmgr.exe
Token: SeCreateGlobalPrivilege	5804	taskmgr.exe
Token: SeManageVolumePrivilege	4612	svchost.exe
Token: 33	5804	taskmgr.exe
Token: SeIncBasePriorityPrivilege	5804	taskmgr.exe

Suspicious use of FindShellTrayWindow 54 IoCs

Processes:

firefox.exe7zG.exetaskmgr.exe

pid	process
1164	firefox.exe
1164	firefox.exe
1164	firefox.exe
1164	firefox.exe
5788	7zG.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe

Suspicious use of SendNotifyMessage 52 IoCs

Processes:

firefox.exetaskmgr.exe

pid	process
1164	firefox.exe
1164	firefox.exe
1164	firefox.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

firefox.exe

pid process

1164 firefox.exe
1164 firefox.exe
1164 firefox.exe
1164 firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 3788 wrote to memory of 1164	3788	firefox.exe	firefox.exe
PID 3788 wrote to memory of 1164	3788	firefox.exe	firefox.exe
PID 3788 wrote to memory of 1164	3788	firefox.exe	firefox.exe
PID 3788 wrote to memory of 1164	3788	firefox.exe	firefox.exe
PID 3788 wrote to memory of 1164	3788	firefox.exe	firefox.exe
PID 3788 wrote to memory of 1164	3788	firefox.exe	firefox.exe
PID 3788 wrote to memory of 1164	3788	firefox.exe	firefox.exe
PID 3788 wrote to memory of 1164	3788	firefox.exe	firefox.exe
PID 3788 wrote to memory of 1164	3788	firefox.exe	firefox.exe
PID 3788 wrote to memory of 1164	3788	firefox.exe	firefox.exe
PID 3788 wrote to memory of 1164	3788	firefox.exe	firefox.exe
PID 1164 wrote to memory of 1504	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 1504	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3068	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3560	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3560	1164	firefox.exe	firefox.exe
PID 1164 wrote to memory of 3560	1164	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://bazaar.abuse.ch/download/b568614fe33d732014980f0bb083e9abf45641f2dc230571eb3d63d6bc7f10b0/"
1⤵
- Suspicious use of WriteProcessMemory
PID:3788

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://bazaar.abuse.ch/download/b568614fe33d732014980f0bb083e9abf45641f2dc230571eb3d63d6bc7f10b0/
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1164

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1164.0.1588207249\1121371723" -parentBuildID 20221007134813 -prefsHandle 1868 -prefMapHandle 1860 -prefsLen 20860 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e190ebfb-b880-4ae5-9610-79f1431fb14c} 1164 "\\.\pipe\gecko-crash-server-pipe.1164" 1948 21ebd0dd558 gpu
3⤵
PID:1504

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1164.1.678634490\659741621" -parentBuildID 20221007134813 -prefsHandle 2348 -prefMapHandle 2344 -prefsLen 21676 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {149d4bb2-5012-4caa-b984-99de5c0c4491} 1164 "\\.\pipe\gecko-crash-server-pipe.1164" 2368 21eb0678858 socket
3⤵
- Checks processor information in registry
PID:3068

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1164.2.511251610\793363579" -childID 1 -isForBrowser -prefsHandle 3176 -prefMapHandle 3004 -prefsLen 21779 -prefMapSize 232645 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {39fb5b19-a7bf-4bb9-b22d-944c56ceaf38} 1164 "\\.\pipe\gecko-crash-server-pipe.1164" 3164 21ec0bf2a58 tab
3⤵
PID:3560

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1164.3.1000565744\510163874" -childID 2 -isForBrowser -prefsHandle 3584 -prefMapHandle 3580 -prefsLen 26359 -prefMapSize 232645 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae3c6830-f429-4797-8930-429a0b520622} 1164 "\\.\pipe\gecko-crash-server-pipe.1164" 3592 21ebf749158 tab
3⤵
PID:1264

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1164.4.615216878\1448787824" -childID 3 -isForBrowser -prefsHandle 5148 -prefMapHandle 5152 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75a56d0d-53ec-4cec-88ac-6bfe730da294} 1164 "\\.\pipe\gecko-crash-server-pipe.1164" 5160 21ec3b9d358 tab
3⤵
PID:2144

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1164.5.109226242\1458712908" -childID 4 -isForBrowser -prefsHandle 5300 -prefMapHandle 5384 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a27a555-3656-4eb7-aaa0-9bd88b42685f} 1164 "\\.\pipe\gecko-crash-server-pipe.1164" 4496 21ec4350f58 tab
3⤵
PID:2668

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1164.6.1315184390\1033707868" -childID 5 -isForBrowser -prefsHandle 5488 -prefMapHandle 5492 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9cc800d6-0a65-4537-8450-8f5cd9a38d7f} 1164 "\\.\pipe\gecko-crash-server-pipe.1164" 5576 21ec4351558 tab
3⤵
PID:3748

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1164.7.235218059\1722771920" -childID 6 -isForBrowser -prefsHandle 5468 -prefMapHandle 5676 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18d6d161-0326-44bc-82b6-efe52c0705a3} 1164 "\\.\pipe\gecko-crash-server-pipe.1164" 5356 21ec438a858 tab
3⤵
PID:4604

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5280

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\b568614fe33d732014980f0bb083e9abf45641f2dc230571eb3d63d6bc7f10b0\" -spe -an -ai#7zMap29164:190:7zEvent14861
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5788

C:\Users\Admin\Desktop\b568614fe33d732014980f0bb083e9abf45641f2dc230571eb3d63d6bc7f10b0.exe
"C:\Users\Admin\Desktop\b568614fe33d732014980f0bb083e9abf45641f2dc230571eb3d63d6bc7f10b0.exe"
1⤵
- Executes dropped EXE
PID:5988

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5804

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:3732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:676

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm
Filesize
16KB

MD5
e5a9c96c2af8244d5a4c75a2b54549e6

SHA1
9d8ba1f659a6412aa591395c4ddfec2b5363890a

SHA256
11ce3e042068b3bc453a873e8fbcf3fab861d56a24e4b50c74c3da94e5373701

SHA512
43574600883d7aa31ff458fc157ae9e1ed80dbcca23d86024331684ba9e80c1e9fb9725f6bd1c2dd8bd2961da039ef3d0c10129447f5533da86c3fe55ff1a0bf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wp0zrwot.default-release\activity-stream.discovery_stream.json.tmp
Filesize
22KB

MD5
730d1646b987f87f5b283b972eee9fa3

SHA1
48115fc2a8b4eae341cebd7daaddd803b8968e10

SHA256
d9edd9ec08b1bdb71679c17aa778d57543f492dce9dd1a73a1875761a263407b

SHA512
cadeac983615fd886aac9ae2b762242b9ad505554b48afdf3a56d901a20ffc209b05fc11023f3ae66e5ab7690a83a6bc4886de01283f56b07406eacf0716452f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wp0zrwot.default-release\prefs-1.js
Filesize
6KB

MD5
573b3c42acf6431c62aed7012facb2f7

SHA1
b3d4cdb3bbfd8769ecae48b53a7ccc99cfb33898

SHA256
e5e542cf0857be004141d49fd8c704c9c175a85090f01c6f76bf23366b3946dc

SHA512
1d9e6f568494503c304f51e696c4e4460c864560f43709b59757f045f34d1c3765767490d982df463b876f697afa2db5e711cb536cf439f4e22f9b5fa031306d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wp0zrwot.default-release\prefs-1.js
Filesize
6KB

MD5
0f4b067822a904644e2ec4bc2b9be93a

SHA1
851353ea893fad8692b69db50ca16e8188aab6bb

SHA256
2337ffb69cc13ecdaaf38d8dd98094c6fcb7ddcb88477bd1aaf27aa46cd2e605

SHA512
3b9d5a057952a88f45a40a9730265ddc078c60b575e1eac45601a4e40dc2ebf6f6233ac5583919ca0ec919893a272782f8319544282ef20a15eb50e600cbdae4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wp0zrwot.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
01170ebfc6c45e7b0321543c21c45f22

SHA1
afce79ff5604439bfbf32e841554845ee13e3fad

SHA256
c71e59def08c97483902d55fd729e73ee19d2c71d954324e2df4699d7fee74aa

SHA512
1be8e3c5dd0a97623b7fec7a3843507268a07279d6dbe7e206a4b6b949d5bf7fc0045478a99f61b3b63d23d71c1594d6e130fc1a1d1fc4bc8bde8e3a2e0e84f8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wp0zrwot.default-release\sessionstore.jsonlz4
Filesize
3KB

MD5
a6bf4e941dbb2f80e1f8ee59c5c8bf88

SHA1
9ba33067ee6c867f838082d2ed90e28af168e8b7

SHA256
0b26f421efa8945057f402018166bd890dc7ceb2723fa7f29fb8d43b1fd7d81a

SHA512
33a15130a99a04bdf321aa5fb1520ce15f5682fc19a105e6b2656430177ea85b607bd29f6294f6a80edd4d93243f386f2ff51cc14c89dcea88c9b3cf6dc458f2

Download Submit
C:\Users\Admin\Desktop\b568614fe33d732014980f0bb083e9abf45641f2dc230571eb3d63d6bc7f10b0.exe
Filesize
5KB

MD5
25039dc6e6d5e262b059005fe2bd0895

SHA1
521a9668dbcd2a7b4a9b41797d748c92ecb642f5

SHA256
b568614fe33d732014980f0bb083e9abf45641f2dc230571eb3d63d6bc7f10b0

SHA512
45b86dbd5a861f700959d4ee43f2ded80ef4546c15f7ee65b9d72f625424b7eb388fc0e34b5254edd352c28b07e3d9198a123a9ed16dd0fac13cd218e9c70126

Download Submit
C:\Users\Admin\Desktop\b568614fe33d732014980f0bb083e9abf45641f2dc230571eb3d63d6bc7f10b0.exe
Filesize
5KB

MD5
25039dc6e6d5e262b059005fe2bd0895

SHA1
521a9668dbcd2a7b4a9b41797d748c92ecb642f5

SHA256
b568614fe33d732014980f0bb083e9abf45641f2dc230571eb3d63d6bc7f10b0

SHA512
45b86dbd5a861f700959d4ee43f2ded80ef4546c15f7ee65b9d72f625424b7eb388fc0e34b5254edd352c28b07e3d9198a123a9ed16dd0fac13cd218e9c70126

Download Submit
C:\Users\Admin\Downloads\b568614fe33d732014980f0bb083e9abf45641f2dc230571eb3d63d6bc7f10b0.zip
Filesize
2KB

MD5
e6c719001c296ee2a56d43dd21817c07

SHA1
cc1bc533286c6b9bf8f3871d32aa7c49abf8f8a8

SHA256
061bb43d45c2357a7afdc33cac945d06bd73d008691b66395367592be1cc6047

SHA512
535be141d0bbf7174f7177ffb6fe48ceba3245765f056327dbb46ca97b6b844340602a5a4db9dd41de05ff31bbdde4ef0f579ca13097cdce5c2e712523e1aca4

Download Submit
C:\Users\Admin\Downloads\luWY-Bde.zip.part
Filesize
2KB

MD5
e6c719001c296ee2a56d43dd21817c07

SHA1
cc1bc533286c6b9bf8f3871d32aa7c49abf8f8a8

SHA256
061bb43d45c2357a7afdc33cac945d06bd73d008691b66395367592be1cc6047

SHA512
535be141d0bbf7174f7177ffb6fe48ceba3245765f056327dbb46ca97b6b844340602a5a4db9dd41de05ff31bbdde4ef0f579ca13097cdce5c2e712523e1aca4

Download Submit
memory/4612-359-0x000001D64D740000-0x000001D64D741000-memory.dmp

Filesize
4KB

Download
memory/4612-361-0x000001D64D360000-0x000001D64D361000-memory.dmp

Filesize
4KB

Download
memory/4612-386-0x000001D64D5B0000-0x000001D64D5B1000-memory.dmp

Filesize
4KB

Download
memory/4612-385-0x000001D64D4A0000-0x000001D64D4A1000-memory.dmp

Filesize
4KB

Download
memory/4612-384-0x000001D64D4A0000-0x000001D64D4A1000-memory.dmp

Filesize
4KB

Download
memory/4612-382-0x000001D64D490000-0x000001D64D491000-memory.dmp

Filesize
4KB

Download
memory/4612-370-0x000001D64D290000-0x000001D64D291000-memory.dmp

Filesize
4KB

Download
memory/4612-367-0x000001D64D350000-0x000001D64D351000-memory.dmp

Filesize
4KB

Download
memory/4612-364-0x000001D64D360000-0x000001D64D361000-memory.dmp

Filesize
4KB

Download
memory/4612-318-0x000001D645040000-0x000001D645050000-memory.dmp

Filesize
64KB

Download
memory/4612-334-0x000001D645140000-0x000001D645150000-memory.dmp

Filesize
64KB

Download
memory/4612-350-0x000001D64D710000-0x000001D64D711000-memory.dmp

Filesize
4KB

Download
memory/4612-351-0x000001D64D740000-0x000001D64D741000-memory.dmp

Filesize
4KB

Download
memory/4612-352-0x000001D64D740000-0x000001D64D741000-memory.dmp

Filesize
4KB

Download
memory/4612-353-0x000001D64D740000-0x000001D64D741000-memory.dmp

Filesize
4KB

Download
memory/4612-354-0x000001D64D740000-0x000001D64D741000-memory.dmp

Filesize
4KB

Download
memory/4612-355-0x000001D64D740000-0x000001D64D741000-memory.dmp

Filesize
4KB

Download
memory/4612-356-0x000001D64D740000-0x000001D64D741000-memory.dmp

Filesize
4KB

Download
memory/4612-357-0x000001D64D740000-0x000001D64D741000-memory.dmp

Filesize
4KB

Download
memory/4612-358-0x000001D64D740000-0x000001D64D741000-memory.dmp

Filesize
4KB

Download
memory/4612-362-0x000001D64D350000-0x000001D64D351000-memory.dmp

Filesize
4KB

Download
memory/4612-360-0x000001D64D740000-0x000001D64D741000-memory.dmp

Filesize
4KB

Download
memory/5804-305-0x000002A23D270000-0x000002A23D271000-memory.dmp

Filesize
4KB

Download
memory/5804-307-0x000002A23D270000-0x000002A23D271000-memory.dmp

Filesize
4KB

Download
memory/5804-317-0x000002A23D270000-0x000002A23D271000-memory.dmp

Filesize
4KB

Download
memory/5804-316-0x000002A23D270000-0x000002A23D271000-memory.dmp

Filesize
4KB

Download
memory/5804-315-0x000002A23D270000-0x000002A23D271000-memory.dmp

Filesize
4KB

Download
memory/5804-306-0x000002A23D270000-0x000002A23D271000-memory.dmp

Filesize
4KB

Download
memory/5804-313-0x000002A23D270000-0x000002A23D271000-memory.dmp

Filesize
4KB

Download
memory/5804-312-0x000002A23D270000-0x000002A23D271000-memory.dmp

Filesize
4KB

Download
memory/5804-314-0x000002A23D270000-0x000002A23D271000-memory.dmp

Filesize
4KB

Download
memory/5804-311-0x000002A23D270000-0x000002A23D271000-memory.dmp

Filesize
4KB

Download