xloader | 50df1fc76a41a970a44ac40efdd0113c599a7091891dc13c25e78abe52a97158

Resubmissions

19-04-2024 23:58

240419-31f5qsah44 10

19-04-2024 23:51

240419-3wagdsag36 10

Analysis

max time kernel
1200s
max time network
1204s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 23:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMG_38575943.exe
Size

341KB
MD5

2a11ef715093c4429cd05dc3950c7f89
SHA1

3199e3c72fc349d9cce951c2c8830d88a8da4454
SHA256

50df1fc76a41a970a44ac40efdd0113c599a7091891dc13c25e78abe52a97158
SHA512

24f2d7a608d421258334144217e97dccdeb023d5e621774f213eda210a8937df0c7d12cfd02e8c96d5951011d6142a320ca3b40bedb8ac6ad5f95ccc6d3d2d0a
SSDEEP

6144:HqPwmYdAbc0C3LFDDOQmjUi0GL9jDAlPMKpPbd6j62AeI4KR0VoFtDFF7g:HqPwmYdAbc0CboQmjIGN6Pzd6j6/eWtU

Score

10^/10

xloader c6si loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

c6si

Decoy

tristateinc.construction

americanscaregroundstexas.com

kanimisoshiru.com

wihling.com

fishcheekstosa.com

parentsfuid.com

greenstandmarket.com

fc8fla8kzq.com

gametwist-83.club

jobsncvs.com

directrealtysells.com

avida2015.com

conceptasite.net

arkaneattire.com

indev-mobility.info

2160centurypark412.com

valefloor.com

septembership.com

stackflix.com

jimc0sales.net

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/1208-13-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1208-18-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2632-25-0x00000000000D0000-0x00000000000F9000-memory.dmp	xloader
behavioral1/memory/2632-27-0x00000000000D0000-0x00000000000F9000-memory.dmp	xloader

Deletes itself 1 IoCs

pid	Process
2436	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1620 set thread context of 1208	1620	IMG_38575943.exe	28
PID 1208 set thread context of 1136	1208	IMG_38575943.exe	20
PID 2632 set thread context of 1136	2632	rundll32.exe	20

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	POWERPNT.EXE

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings	Explorer.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2700	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1208	IMG_38575943.exe
1208	IMG_38575943.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1136	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1208	IMG_38575943.exe
1208	IMG_38575943.exe
1208	IMG_38575943.exe
2632	rundll32.exe
2632	rundll32.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1208	IMG_38575943.exe
Token: SeDebugPrivilege	2632	rundll32.exe
Token: SeShutdownPrivilege	1136	Explorer.EXE
Token: SeShutdownPrivilege	1136	Explorer.EXE
Token: SeShutdownPrivilege	1136	Explorer.EXE
Token: SeShutdownPrivilege	1136	Explorer.EXE
Token: SeShutdownPrivilege	1136	Explorer.EXE
Token: SeShutdownPrivilege	1136	Explorer.EXE
Token: SeShutdownPrivilege	1136	Explorer.EXE
Token: SeShutdownPrivilege	1136	Explorer.EXE
Token: SeShutdownPrivilege	1136	Explorer.EXE
Token: SeDebugPrivilege	2936	firefox.exe
Token: SeDebugPrivilege	2936	firefox.exe
Token: SeShutdownPrivilege	1136	Explorer.EXE
Token: SeShutdownPrivilege	1136	Explorer.EXE
Token: SeShutdownPrivilege	1136	Explorer.EXE
Token: SeShutdownPrivilege	1136	Explorer.EXE
Token: SeShutdownPrivilege	1136	Explorer.EXE
Token: SeShutdownPrivilege	1136	Explorer.EXE
Token: SeShutdownPrivilege	1136	Explorer.EXE
Token: SeShutdownPrivilege	1136	Explorer.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2700	POWERPNT.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1136	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 1208	1620	IMG_38575943.exe	28
PID 1620 wrote to memory of 1208	1620	IMG_38575943.exe	28
PID 1620 wrote to memory of 1208	1620	IMG_38575943.exe	28
PID 1620 wrote to memory of 1208	1620	IMG_38575943.exe	28
PID 1620 wrote to memory of 1208	1620	IMG_38575943.exe	28
PID 1620 wrote to memory of 1208	1620	IMG_38575943.exe	28
PID 1620 wrote to memory of 1208	1620	IMG_38575943.exe	28
PID 1136 wrote to memory of 2632	1136	Explorer.EXE	29
PID 1136 wrote to memory of 2632	1136	Explorer.EXE	29
PID 1136 wrote to memory of 2632	1136	Explorer.EXE	29
PID 1136 wrote to memory of 2632	1136	Explorer.EXE	29
PID 1136 wrote to memory of 2632	1136	Explorer.EXE	29
PID 1136 wrote to memory of 2632	1136	Explorer.EXE	29
PID 1136 wrote to memory of 2632	1136	Explorer.EXE	29
PID 2632 wrote to memory of 2436	2632	rundll32.exe	30
PID 2632 wrote to memory of 2436	2632	rundll32.exe	30
PID 2632 wrote to memory of 2436	2632	rundll32.exe	30
PID 2632 wrote to memory of 2436	2632	rundll32.exe	30
PID 1136 wrote to memory of 2188	1136	Explorer.EXE	34
PID 1136 wrote to memory of 2188	1136	Explorer.EXE	34
PID 1136 wrote to memory of 2188	1136	Explorer.EXE	34
PID 1136 wrote to memory of 2344	1136	Explorer.EXE	38
PID 1136 wrote to memory of 2344	1136	Explorer.EXE	38
PID 1136 wrote to memory of 2344	1136	Explorer.EXE	38
PID 2344 wrote to memory of 2936	2344	firefox.exe	39
PID 2344 wrote to memory of 2936	2344	firefox.exe	39
PID 2344 wrote to memory of 2936	2344	firefox.exe	39
PID 2344 wrote to memory of 2936	2344	firefox.exe	39
PID 2344 wrote to memory of 2936	2344	firefox.exe	39
PID 2344 wrote to memory of 2936	2344	firefox.exe	39
PID 2344 wrote to memory of 2936	2344	firefox.exe	39
PID 2344 wrote to memory of 2936	2344	firefox.exe	39
PID 2344 wrote to memory of 2936	2344	firefox.exe	39
PID 2344 wrote to memory of 2936	2344	firefox.exe	39
PID 2344 wrote to memory of 2936	2344	firefox.exe	39
PID 2344 wrote to memory of 2936	2344	firefox.exe	39
PID 2936 wrote to memory of 808	2936	firefox.exe	40
PID 2936 wrote to memory of 808	2936	firefox.exe	40
PID 2936 wrote to memory of 808	2936	firefox.exe	40
PID 2936 wrote to memory of 1740	2936	firefox.exe	41
PID 2936 wrote to memory of 1740	2936	firefox.exe	41
PID 2936 wrote to memory of 1740	2936	firefox.exe	41
PID 2936 wrote to memory of 1740	2936	firefox.exe	41
PID 2936 wrote to memory of 1740	2936	firefox.exe	41
PID 2936 wrote to memory of 1740	2936	firefox.exe	41
PID 2936 wrote to memory of 1740	2936	firefox.exe	41
PID 2936 wrote to memory of 1740	2936	firefox.exe	41
PID 2936 wrote to memory of 1740	2936	firefox.exe	41
PID 2936 wrote to memory of 1740	2936	firefox.exe	41
PID 2936 wrote to memory of 1740	2936	firefox.exe	41
PID 2936 wrote to memory of 1740	2936	firefox.exe	41
PID 2936 wrote to memory of 1740	2936	firefox.exe	41
PID 2936 wrote to memory of 1740	2936	firefox.exe	41
PID 2936 wrote to memory of 1740	2936	firefox.exe	41
PID 2936 wrote to memory of 1740	2936	firefox.exe	41
PID 2936 wrote to memory of 1740	2936	firefox.exe	41
PID 2936 wrote to memory of 1740	2936	firefox.exe	41
PID 2936 wrote to memory of 1740	2936	firefox.exe	41
PID 2936 wrote to memory of 1740	2936	firefox.exe	41
PID 2936 wrote to memory of 1740	2936	firefox.exe	41
PID 2936 wrote to memory of 1740	2936	firefox.exe	41
PID 2936 wrote to memory of 1740	2936	firefox.exe	41
PID 2936 wrote to memory of 1740	2936	firefox.exe	41
PID 2936 wrote to memory of 1740	2936	firefox.exe	41

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Users\Admin\AppData\Local\Temp\IMG_38575943.exe
  "C:\Users\Admin\AppData\Local\Temp\IMG_38575943.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Users\Admin\AppData\Local\Temp\IMG_38575943.exe
    "C:\Users\Admin\AppData\Local\Temp\IMG_38575943.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1208
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\IMG_38575943.exe"
    3⤵
    - Deletes itself
    PID:2436
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\UseWatch.vbe"
  2⤵
  PID:2188
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2936.0.1982480018\1999003810" -parentBuildID 20221007134813 -prefsHandle 1208 -prefMapHandle 1200 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a68208f3-e2eb-42f6-886a-82a336be1570} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" 1284 110d9f58 gpu
      4⤵
      PID:808
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2936.1.1593921627\930197998" -parentBuildID 20221007134813 -prefsHandle 1464 -prefMapHandle 1460 -prefsLen 20830 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1285206-f8cb-42b5-8916-385384fdce72} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" 1476 e71058 socket
      4⤵
      Checks processor information in registry
      PID:1740
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2936.2.976708967\636304082" -childID 1 -isForBrowser -prefsHandle 1736 -prefMapHandle 1820 -prefsLen 20933 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {44d02ea1-1bb9-4501-b2d7-592b433672a1} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" 1816 1a68d358 tab
      4⤵
      PID:1224
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2936.3.1940931308\542606876" -childID 2 -isForBrowser -prefsHandle 2484 -prefMapHandle 2460 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f97b9d26-cae7-4731-b1d1-42e6911f80d9} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" 1696 1b204158 tab
      4⤵
      PID:2516
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2936.4.1434964176\340638636" -childID 3 -isForBrowser -prefsHandle 2848 -prefMapHandle 2856 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc855f11-65dd-4412-bdcd-36ac534a77a9} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" 2876 1c3e4b58 tab
      4⤵
      PID:2492
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2936.5.675461071\2005140542" -childID 4 -isForBrowser -prefsHandle 3712 -prefMapHandle 2132 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c059f97-4ea3-4fbd-a168-42b9583d1b2d} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" 3724 1ebd3058 tab
      4⤵
      PID:1416
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2936.6.1197564116\192084989" -childID 5 -isForBrowser -prefsHandle 3836 -prefMapHandle 3840 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b66524d-9282-4628-be53-8e4d2da529dc} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" 3824 1919d858 tab
      4⤵
      PID:2024
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2936.7.1069555548\1051251683" -childID 6 -isForBrowser -prefsHandle 3892 -prefMapHandle 3888 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a5ca2c5-efa0-4f92-946b-acf0d2a9a830} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" 3900 1919ed58 tab
      4⤵
      PID:2156
- C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\ExportImport.pps"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2700
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\datareporting\glean\db\data.safe.bin

Filesize
9KB

MD5
cf921cc981a01c4f9559bc0bf28a71c2

SHA1
aa338c598796262a36d8174ade95acc2ac5527bc

SHA256
75e62d04a301dbc28d69855f68d5b492f1b122e8193589d882208bcb584a2c2f

SHA512
dfc395ce42b93795ad9350a6cb91fbfde04e0417894d59945415ba374d6c4da693ef7e8e630d2073a672036f722afccdf50d2420f8132d19ef93035c819d51aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\datareporting\glean\pending_pings\dc7484ba-f354-4607-822b-03fd35ef454f

Filesize
733B

MD5
a7b6de8a8778b21dd84ae0cd8e04c41d

SHA1
d75f71ecfd0f931cfb75daed7681ae76df9574ac

SHA256
417594d02bfd32d15ba80f726b21e16fb6821f4ae62a316cb5f52ed2edf25492

SHA512
0b4673f2330dac1ce2c7db55ff44f9fdf52df61ea331473f7a133b5ceac833e9266dbaa0a0ac6f7d3bba03ef58f42ca5db14447df27c16eb904fd6dc5dc1b348

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\prefs-1.js

Filesize
6KB

MD5
09f7ab95062fb215cd79d082fc2f6b28

SHA1
09b077b119807714c2b44fe3cebb1e4f7d250a63

SHA256
7d10a44780463b124a112cae362fc975f85f8593943860d770229c4d9ff2dd34

SHA512
ae4ff4a184167d9edb74695a286e501397ad6addc9c7590dedd4af06bb7ea2ba9a5b831b1186ffeac683d1145330c01dbd24223a3f962acdebb3689e526d4b6b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\sessionstore.jsonlz4

Filesize
833B

MD5
9d13a6319724c60b41b7ab4719f76e66

SHA1
ffaa427d7011d82c83634ce0c18429031f580fac

SHA256
323a8280135fe91e73258790881e3d052a26ac43c115b2784ec84cbdfa31bb28

SHA512
70388d08a6e2e0badcbcf3166de674a0120fc7ca57d54c1b1a43d8e55efb37f46537ffe56f3af714a3283f8fef3a1555fb3fbb9401d7a2e20e1ad3c948f3fd27

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
4320ce7420f98292514c38a19219b6ee

SHA1
dce25fcf96e260817b1ea364e92ccb44142bb95e

SHA256
9db1021823085cf69ee2fb20abadba274fa02c7cb5f26fef76579e3c55161b8b

SHA512
7396cc3f5e48b72c5dd93837e8abed8fd9ee705b3dabb00abf18670d119a8e781273468985af54f34a1bf9c77c2bceee14388d5fa7a793618e5100b0a34c33ef

Download Submit
memory/1136-88-0x0000000004D20000-0x0000000004DF7000-memory.dmp

Filesize
860KB

Download
memory/1136-20-0x0000000004450000-0x000000000451D000-memory.dmp

Filesize
820KB

Download
memory/1136-95-0x0000000004D20000-0x0000000004DF7000-memory.dmp

Filesize
860KB

Download
memory/1136-17-0x0000000003B40000-0x0000000003C40000-memory.dmp

Filesize
1024KB

Download
memory/1208-7-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1208-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1208-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1208-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1208-15-0x0000000000A40000-0x0000000000D43000-memory.dmp

Filesize
3.0MB

Download
memory/1208-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1208-19-0x00000000001C0000-0x00000000001D1000-memory.dmp

Filesize
68KB

Download
memory/1620-4-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/1620-2-0x0000000004D30000-0x0000000004D70000-memory.dmp

Filesize
256KB

Download
memory/1620-0-0x0000000001130000-0x000000000118C000-memory.dmp

Filesize
368KB

Download
memory/1620-3-0x00000000009E0000-0x00000000009EC000-memory.dmp

Filesize
48KB

Download
memory/1620-6-0x0000000004CB0000-0x0000000004D0E000-memory.dmp

Filesize
376KB

Download
memory/1620-5-0x0000000004D30000-0x0000000004D70000-memory.dmp

Filesize
256KB

Download
memory/1620-14-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/1620-1-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2632-30-0x0000000000C20000-0x0000000000CB0000-memory.dmp

Filesize
576KB

Download
memory/2632-27-0x00000000000D0000-0x00000000000F9000-memory.dmp

Filesize
164KB

Download
memory/2632-26-0x00000000023A0000-0x00000000026A3000-memory.dmp

Filesize
3.0MB

Download
memory/2632-25-0x00000000000D0000-0x00000000000F9000-memory.dmp

Filesize
164KB

Download
memory/2632-24-0x0000000000E00000-0x0000000000E0E000-memory.dmp

Filesize
56KB

Download
memory/2632-21-0x0000000000E00000-0x0000000000E0E000-memory.dmp

Filesize
56KB

Download
memory/2632-22-0x0000000000E00000-0x0000000000E0E000-memory.dmp

Filesize
56KB

Download
memory/2700-240-0x000000002D6E1000-0x000000002D6E2000-memory.dmp

Filesize
4KB

Download
memory/2700-242-0x0000000071F8D000-0x0000000071F98000-memory.dmp

Filesize
44KB

Download
memory/2700-245-0x0000000071F8D000-0x0000000071F98000-memory.dmp

Filesize
44KB

Download