Analysis
-
max time kernel
137s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
26-05-2024 02:02
Behavioral task
behavioral1
Sample
RobloxPlayer.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
RobloxPlayer.exe
Resource
win10v2004-20240508-en
General
-
Target
RobloxPlayer.exe
-
Size
78KB
-
MD5
8f3d0d4044ff8cc1d847687568c91e14
-
SHA1
fd9049e0e5c074603b78a2aea228b75e4ce6c099
-
SHA256
1c7ffa12df8fc6b0617ddd3e7bf89582154156c803ca2b2df7a6073d43e13dc0
-
SHA512
afd8aa0948e588de2bb7d44687afccd5da52e613a06a26bbec862945a3cd1a80423b2e1929256bce23e92bac5b09f27e436c1223583d4507c6782da3d46760e4
-
SSDEEP
1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+cPIC:5Zv5PDwbjNrmAE+QIC
Malware Config
Extracted
discordrat
-
discord_token
MTIxNTQyMjc0OTk4ODg4NDU3Mg.G8QiY3.e2k047pCmhPxBH-tdaOfxVTB1BY3dSfZIT_sXY
-
server_id
1201970766531530822
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 8 created 612 8 RobloxPlayer.exe 5 -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate wmiprvse.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
flow ioc 70 discord.com 84 discord.com 99 discord.com 100 discord.com 102 discord.com 80 raw.githubusercontent.com 98 discord.com 101 discord.com 8 discord.com 20 discord.com 79 raw.githubusercontent.com 104 discord.com 7 discord.com -
Drops file in System32 directory 12 IoCs
description ioc Process File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml OfficeClickToRun.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 8 set thread context of 5424 8 RobloxPlayer.exe 108 -
Checks processor information in registry 2 TTPs 13 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString mousocoreworker.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier mousocoreworker.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5176 SCHTASKS.exe -
Enumerates system info in registry 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier wmiprvse.exe -
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\cc176cd7_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\5 = 0b0000000000000000000000000000000000000000000000 svchost.exe Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\cc176cd7_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\4 = 0420000000000000180000000000000000000000000000000000803f0000803f svchost.exe Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\cc176cd7_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\3 = 04000000000000000000803f000000000000000000000000 svchost.exe -
Modifies data under HKEY_USERS 14 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sun, 26 May 2024 02:03:56 GMT" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={8B7A11B3-DFB2-4302-BB6C-2DF5F3E835FF}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1716689036" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 8 RobloxPlayer.exe 8 RobloxPlayer.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 8 RobloxPlayer.exe 6108 WerFault.exe 6108 WerFault.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 5548 svchost.exe 5548 svchost.exe 5424 dllhost.exe 5424 dllhost.exe 8 RobloxPlayer.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 8 RobloxPlayer.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 8 RobloxPlayer.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 8 RobloxPlayer.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 8 RobloxPlayer.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe 5424 dllhost.exe -
Suspicious behavior: LoadsDriver 64 IoCs
pid Process 1252 Process not Found 1172 Process not Found 1292 Process not Found 6056 Process not Found 1908 Process not Found 3080 Process not Found 3920 Process not Found 2504 Process not Found 1208 Process not Found 5404 Process not Found 2540 Process not Found 2996 Process not Found 5052 Process not Found 4684 Process not Found 2524 Process not Found 264 Process not Found 4032 Process not Found 5216 Process not Found 1072 Process not Found 3176 Process not Found 5264 Process not Found 6124 Process not Found 1476 Process not Found 5256 Process not Found 3052 Process not Found 5328 Process not Found 5884 Process not Found 4076 Process not Found 1988 Process not Found 4800 Process not Found 1036 Process not Found 5896 Process not Found 4156 Process not Found 5048 Process not Found 4172 Process not Found 4200 Process not Found 4708 Process not Found 4304 Process not Found 6004 Process not Found 5648 Process not Found 5816 Process not Found 4308 Process not Found 4356 Process not Found 4816 Process not Found 228 Process not Found 5640 Process not Found 5376 Process not Found 5972 Process not Found 5696 Process not Found 5520 Process not Found 5692 Process not Found 5724 Process not Found 5612 Process not Found 5720 Process not Found 6088 Process not Found 5292 Process not Found 3956 Process not Found 1080 Process not Found 5556 Process not Found 648 Process not Found 1288 Process not Found 956 Process not Found 4952 Process not Found 2592 Process not Found -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 8 RobloxPlayer.exe Token: SeDebugPrivilege 3596 firefox.exe Token: SeDebugPrivilege 3596 firefox.exe Token: SeDebugPrivilege 8 RobloxPlayer.exe Token: SeDebugPrivilege 5424 dllhost.exe Token: SeShutdownPrivilege 3536 Explorer.EXE Token: SeCreatePagefilePrivilege 3536 Explorer.EXE Token: SeShutdownPrivilege 3536 Explorer.EXE Token: SeCreatePagefilePrivilege 3536 Explorer.EXE Token: SeAuditPrivilege 2840 svchost.exe Token: SeShutdownPrivilege 3536 Explorer.EXE Token: SeCreatePagefilePrivilege 3536 Explorer.EXE Token: SeShutdownPrivilege 3536 Explorer.EXE Token: SeCreatePagefilePrivilege 3536 Explorer.EXE Token: SeShutdownPrivilege 3536 Explorer.EXE Token: SeCreatePagefilePrivilege 3536 Explorer.EXE Token: SeShutdownPrivilege 3536 Explorer.EXE Token: SeCreatePagefilePrivilege 3536 Explorer.EXE Token: SeShutdownPrivilege 3536 Explorer.EXE Token: SeCreatePagefilePrivilege 3536 Explorer.EXE Token: SeShutdownPrivilege 3536 Explorer.EXE Token: SeCreatePagefilePrivilege 3536 Explorer.EXE Token: SeShutdownPrivilege 3260 mousocoreworker.exe Token: SeCreatePagefilePrivilege 3260 mousocoreworker.exe Token: SeShutdownPrivilege 3260 mousocoreworker.exe Token: SeCreatePagefilePrivilege 3260 mousocoreworker.exe Token: SeShutdownPrivilege 3260 mousocoreworker.exe Token: SeCreatePagefilePrivilege 3260 mousocoreworker.exe Token: SeShutdownPrivilege 3260 mousocoreworker.exe Token: SeCreatePagefilePrivilege 3260 mousocoreworker.exe Token: SeAssignPrimaryTokenPrivilege 1896 svchost.exe Token: SeIncreaseQuotaPrivilege 1896 svchost.exe Token: SeSecurityPrivilege 1896 svchost.exe Token: SeTakeOwnershipPrivilege 1896 svchost.exe Token: SeLoadDriverPrivilege 1896 svchost.exe Token: SeSystemtimePrivilege 1896 svchost.exe Token: SeBackupPrivilege 1896 svchost.exe Token: SeRestorePrivilege 1896 svchost.exe Token: SeShutdownPrivilege 1896 svchost.exe Token: SeSystemEnvironmentPrivilege 1896 svchost.exe Token: SeUndockPrivilege 1896 svchost.exe Token: SeManageVolumePrivilege 1896 svchost.exe Token: SeAssignPrimaryTokenPrivilege 1896 svchost.exe Token: SeIncreaseQuotaPrivilege 1896 svchost.exe Token: SeSecurityPrivilege 1896 svchost.exe Token: SeTakeOwnershipPrivilege 1896 svchost.exe Token: SeLoadDriverPrivilege 1896 svchost.exe Token: SeSystemtimePrivilege 1896 svchost.exe Token: SeBackupPrivilege 1896 svchost.exe Token: SeRestorePrivilege 1896 svchost.exe Token: SeShutdownPrivilege 1896 svchost.exe Token: SeSystemEnvironmentPrivilege 1896 svchost.exe Token: SeUndockPrivilege 1896 svchost.exe Token: SeManageVolumePrivilege 1896 svchost.exe Token: SeAuditPrivilege 2840 svchost.exe Token: SeAssignPrimaryTokenPrivilege 1896 svchost.exe Token: SeIncreaseQuotaPrivilege 1896 svchost.exe Token: SeSecurityPrivilege 1896 svchost.exe Token: SeTakeOwnershipPrivilege 1896 svchost.exe Token: SeLoadDriverPrivilege 1896 svchost.exe Token: SeSystemtimePrivilege 1896 svchost.exe Token: SeBackupPrivilege 1896 svchost.exe Token: SeRestorePrivilege 1896 svchost.exe Token: SeShutdownPrivilege 1896 svchost.exe -
Suspicious use of FindShellTrayWindow 8 IoCs
pid Process 3596 firefox.exe 3596 firefox.exe 3596 firefox.exe 3596 firefox.exe 3596 firefox.exe 3596 firefox.exe 3596 firefox.exe 3596 firefox.exe -
Suspicious use of SendNotifyMessage 7 IoCs
pid Process 3596 firefox.exe 3596 firefox.exe 3596 firefox.exe 3596 firefox.exe 3596 firefox.exe 3596 firefox.exe 3596 firefox.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3596 firefox.exe 3536 Explorer.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4052 wrote to memory of 3596 4052 firefox.exe 96 PID 4052 wrote to memory of 3596 4052 firefox.exe 96 PID 4052 wrote to memory of 3596 4052 firefox.exe 96 PID 4052 wrote to memory of 3596 4052 firefox.exe 96 PID 4052 wrote to memory of 3596 4052 firefox.exe 96 PID 4052 wrote to memory of 3596 4052 firefox.exe 96 PID 4052 wrote to memory of 3596 4052 firefox.exe 96 PID 4052 wrote to memory of 3596 4052 firefox.exe 96 PID 4052 wrote to memory of 3596 4052 firefox.exe 96 PID 4052 wrote to memory of 3596 4052 firefox.exe 96 PID 4052 wrote to memory of 3596 4052 firefox.exe 96 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 3324 3596 firefox.exe 98 PID 3596 wrote to memory of 4728 3596 firefox.exe 100 PID 3596 wrote to memory of 4728 3596 firefox.exe 100 PID 3596 wrote to memory of 4728 3596 firefox.exe 100 PID 3596 wrote to memory of 4728 3596 firefox.exe 100 PID 3596 wrote to memory of 4728 3596 firefox.exe 100 PID 3596 wrote to memory of 4728 3596 firefox.exe 100 PID 3596 wrote to memory of 4728 3596 firefox.exe 100 PID 3596 wrote to memory of 4728 3596 firefox.exe 100 PID 3596 wrote to memory of 4728 3596 firefox.exe 100 PID 3596 wrote to memory of 4728 3596 firefox.exe 100 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:612
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:1012
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{c465767e-89ff-4265-96fc-24603b3e59ec}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5424
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 612 -s 8882⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:6108
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:664
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:940
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:404
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:936
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1084
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1100
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
PID:1160
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
PID:1184 -
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:2672
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1244
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1320
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1336
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1428
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1440
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2520
-
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:6120
-
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:5256
-
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2368
-
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:5584
-
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:5984
-
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:5476
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1500
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1528
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1644
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1692
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1744
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1772
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
- Modifies Internet Explorer settings
PID:1888
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1964
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1980
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:1348
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:1640
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1896
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2128
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2184
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2340
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2552
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2624
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2632
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
PID:2736
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2824
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2840
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2848
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2856
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:2888
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3084
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3436
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3536 -
C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe"C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:8 -
C:\Windows\SYSTEM32\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77RobloxPlayer.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe'" /sc onlogon /rl HIGHEST3⤵
- Creates scheduled task(s)
PID:5176
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4052 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3596 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.0.788320107\1977161413" -parentBuildID 20230214051806 -prefsHandle 1732 -prefMapHandle 1724 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b937e675-f3b0-4a56-85ea-a26d45c616ce} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 1816 1d6c4a0dd58 gpu4⤵PID:3324
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.1.478559409\447855270" -parentBuildID 20230214051806 -prefsHandle 2400 -prefMapHandle 2396 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1e91bae-b680-4817-b0b4-b73610ceede7} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 2428 1d6b7d89f58 socket4⤵PID:4728
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.2.1300315223\281465491" -childID 1 -isForBrowser -prefsHandle 3064 -prefMapHandle 3048 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29a2ffce-5f6c-46c8-90ea-55e92ea979bc} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 3104 1d6c75f0f58 tab4⤵PID:4332
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.3.2133370678\1211981237" -childID 2 -isForBrowser -prefsHandle 3776 -prefMapHandle 3772 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6a4ae0d-63be-48f0-86ec-9ce04fe37be0} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 3796 1d6c9b70d58 tab4⤵PID:2776
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.4.1244995237\71464186" -childID 3 -isForBrowser -prefsHandle 5064 -prefMapHandle 5032 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7978ab8-1fd5-486c-8cd7-3d82e2e517fd} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 5072 1d6cb711b58 tab4⤵PID:2980
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.5.762987501\1377002446" -childID 4 -isForBrowser -prefsHandle 5220 -prefMapHandle 5224 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ce6a594-6be4-4031-ba30-c238ee8ba6e8} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 5208 1d6cbe0ce58 tab4⤵PID:1620
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.6.1677371873\1294080851" -childID 5 -isForBrowser -prefsHandle 5496 -prefMapHandle 5492 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e97b633-92ec-45aa-bd66-65d66c1c5c6e} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 5504 1d6cbe0dd58 tab4⤵PID:4588
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.7.224071960\2027648408" -childID 6 -isForBrowser -prefsHandle 5996 -prefMapHandle 5992 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b709ab7e-2deb-44ca-8767-3ee0d8cb9b13} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 6004 1d6cd8c6858 tab4⤵PID:5516
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3648
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3836
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3992
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:2408
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4840
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:3304
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:2284
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:1672
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:4936
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:1140
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:1756
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1352
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:1028
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4860
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:1884
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵PID:3724
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Enumerates system info in registry
PID:1044
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵PID:2704
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵PID:1656
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵PID:4748
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3260
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5548
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
43KB
MD53f30ddd8ea997ce603b1678a95d832af
SHA119ad957645484410657bb5445c4cc529c80dab0e
SHA256a06dfa409b124eb4f22f45ee3abf680336b9b03e695b6edfcb876d4edb1f8c59
SHA512bc341bed479fd927fe0d0cc6cfa394e93c64a53c32833bbadbce0a564d6fe36c238b7e0e672db0eaf07d9805d7eae6f8f2bf16fffebeb7d8d3dc2df5e77957a5
-
Filesize
13KB
MD58e791260e784fadf3e3ca81916f5f888
SHA1f529c66d975ffa742e57c5d739dfcec147b1c6d1
SHA256ceefdc2149e03b3dbfb106ad6c476b67ec8a342fe988f039ef0728d6e4f11498
SHA512173994d0de3c24dea367b90517f1399437e8ec09b0be474ceb016110ce6d7c1bec62c96f422e27fe4114f9f60d10d003fcfad34effd2361b393b3b4385b9ce78
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\activity-stream.discovery_stream.json.tmp
Filesize34KB
MD5ea8dafa1651618988d6083c1ca361215
SHA16ef2dcc79575cb9680b14c2ea3b2a24ddf96ccfa
SHA256627af7f1b8398e5d8448216ff07695f67e0c8652e19035e06ff5de75bdf25a8e
SHA512193af0d2e82ce6798bdd6cb17bd17b96eaa6ca8a6c51cf9b8bc7b22d3fb3a1e7d618a21fa6c55ad38f923499245fb9983028732dbc74b69548ab47137eb5b1f5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4
Filesize3KB
MD5d0050a862ea47efad1c07616553b30b2
SHA17609c30e6e26899e22b7610db77fbe5c97f68a67
SHA2564dd4a7fbe41263386664fe8014ff8f12be3fc6d5bb2aa07c3b4dd38a63af7289
SHA512de094a37c08c9c56ed87b4ba026b184efd4a187658932770c0cd962ef99d6ebfdc83bfb1f2a555eee9c9f2a9a6fab32049f70da83e368143d343efaa69dd6278
-
Filesize
2KB
MD58abf2d6067c6f3191a015f84aa9b6efe
SHA198f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
SHA256ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
SHA512c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63
-
Filesize
2KB
MD5f313c5b4f95605026428425586317353
SHA106be66fa06e1cffc54459c38d3d258f46669d01a
SHA256129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890
-
Filesize
2KB
MD57d612892b20e70250dbd00d0cdd4f09b
SHA163251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1
-
Filesize
2KB
MD50b990e24f1e839462c0ac35fef1d119e
SHA19e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4