29dc64e0ada4c711d0452801d3364b2f44cf4bd52337547aaa2f40744da97cd1

Resubmissions

29-06-2024 07:53

240629-jrbzwatdqe 10

29-06-2024 07:51

29-06-2024 07:48

29-06-2024 07:37

29-06-2024 07:36

29-06-2024 07:34

29-06-2024 07:33

29-06-2024 07:29

Analysis

max time kernel
210s
max time network
206s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
29-06-2024 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

The-MALWARE-Repo
Size

284KB
MD5

1c0a02c3390b9fd77746574def84b1d1
SHA1

2e62ae7936cf5b6398308f702ddbb06427091109
SHA256

29dc64e0ada4c711d0452801d3364b2f44cf4bd52337547aaa2f40744da97cd1
SHA512

4f62bc5c219a6fa412dc06653227561b10cb32d144be733e0b2e57dea24baa17683dc09b84c57237326e6909e27f42ea7e1f70032eeff455d12423364bc433a2
SSDEEP

6144:ibRoQ02n9dH5M2vkm0y3Cl3pId9Rj9vvZJT3CqbMrhryfQNRPaCieMjAkvCJv1VZ:qRoQ02n9dH5M2vkm0y3Cl3pId9Rj9vvC

Score

7^/10

execution upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b000000015f91-603.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
5404	Floxif.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b000000015f91-603.dat	upx
behavioral1/memory/5404-607-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationClient.resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libEGL.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\msdaprst.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Windows.Presentation.resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\es\Microsoft.PowerShell.PackageManagement.resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msdasqlr.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.Client.resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PackageManagement.CoreProviders.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_sl.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Entity.Resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.Design.resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Linq.Resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Entity.Design.Resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_zh-TW.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\WindowsFormsIntegration.resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	xpajB.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmprph.exe	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Engine.resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_id.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_fr.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	xpajB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeLinguistic.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImpl.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Linq.Resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\pipres.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.DataSetExtensions.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\msaddsr.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msdaorar.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	xpajB.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.VisualC.STLCLR.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\ReachFramework.resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\widevinecdmadapter.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\skchui.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsBase.resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msdaer.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78000\java.exe	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Utilities.v3.5.resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\WordpadFilter.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msadomd.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Utilities.v3.5.resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Engine.resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.Design.resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msadox.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Runtime.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\oledb32.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wabimp.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\nppdf32.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ImagingEngine.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.DataSetExtensions.Resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationCore.resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Web.Entity.Resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\tiptsf.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\setup_wm.exe	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\WinMail.exe	xpajB.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	Floxif.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4272278488\2581520266.pri	SecHealthUI.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5452	5404	WerFault.exe	103

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier	firefox.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5348	xpajB.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4592	firefox.exe
Token: SeDebugPrivilege	4592	firefox.exe
Token: SeDebugPrivilege	4592	firefox.exe
Token: SeDebugPrivilege	4592	firefox.exe
Token: SeDebugPrivilege	4592	firefox.exe
Token: SeDebugPrivilege	4592	firefox.exe
Token: SeDebugPrivilege	5404	Floxif.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
5032	SecHealthUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 4592	1516	firefox.exe	79
PID 1516 wrote to memory of 4592	1516	firefox.exe	79
PID 1516 wrote to memory of 4592	1516	firefox.exe	79
PID 1516 wrote to memory of 4592	1516	firefox.exe	79
PID 1516 wrote to memory of 4592	1516	firefox.exe	79
PID 1516 wrote to memory of 4592	1516	firefox.exe	79
PID 1516 wrote to memory of 4592	1516	firefox.exe	79
PID 1516 wrote to memory of 4592	1516	firefox.exe	79
PID 1516 wrote to memory of 4592	1516	firefox.exe	79
PID 1516 wrote to memory of 4592	1516	firefox.exe	79
PID 1516 wrote to memory of 4592	1516	firefox.exe	79
PID 4592 wrote to memory of 1720	4592	firefox.exe	80
PID 4592 wrote to memory of 1720	4592	firefox.exe	80
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 4152	4592	firefox.exe	81
PID 4592 wrote to memory of 1580	4592	firefox.exe	82
PID 4592 wrote to memory of 1580	4592	firefox.exe	82
PID 4592 wrote to memory of 1580	4592	firefox.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo
1⤵
PID:3104

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1764

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\ShowReceive.js"
1⤵
PID:4428

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4592.0.1909408434\1132906347" -parentBuildID 20221007134813 -prefsHandle 1684 -prefMapHandle 1660 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {50a2b993-ab87-40b5-a5be-10ec0cef3d0e} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" 1764 21d576ca858 gpu
    3⤵
    PID:1720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4592.1.1954359986\321263733" -parentBuildID 20221007134813 -prefsHandle 2100 -prefMapHandle 2096 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e797860-4072-4db5-bb1a-cdd3147614e0} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" 2120 21d5703dd58 socket
    3⤵
    PID:4152
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4592.2.397572812\1399755907" -childID 1 -isForBrowser -prefsHandle 2940 -prefMapHandle 2936 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aab5b3a9-f060-4121-92e8-1538c463228a} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" 2904 21d5b79a858 tab
    3⤵
    PID:1580
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4592.3.1352009872\768780117" -childID 2 -isForBrowser -prefsHandle 3480 -prefMapHandle 3476 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b6359a3-0e3f-47ac-8dd8-7edae03efc48} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" 3492 21d4c45b858 tab
    3⤵
    PID:1448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4592.4.1721711088\394532008" -childID 3 -isForBrowser -prefsHandle 3816 -prefMapHandle 3812 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9dee8975-e361-4767-a387-9428da6b97f8} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" 3828 21d5caaaa58 tab
    3⤵
    PID:2300
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4592.5.41489440\2085671401" -childID 4 -isForBrowser -prefsHandle 4876 -prefMapHandle 4872 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {374ab4be-111b-4e3c-9ac7-88e074443858} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" 4884 21d5dd06558 tab
    3⤵
    PID:4740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4592.6.1158381508\1721968814" -childID 5 -isForBrowser -prefsHandle 5028 -prefMapHandle 5032 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf6cbdab-cc4e-4ff1-94e9-692319304379} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" 4468 21d5e31b158 tab
    3⤵
    PID:1372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4592.7.1369714757\918708371" -childID 6 -isForBrowser -prefsHandle 5208 -prefMapHandle 5212 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7ef61a7-0726-4e5a-a4f8-63b9e3e6d2f4} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" 5200 21d5e31a558 tab
    3⤵
    PID:304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4592.8.1309112992\803281586" -childID 7 -isForBrowser -prefsHandle 4732 -prefMapHandle 5784 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce19f1ea-54ae-4808-815f-29a9877fc30d} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" 5772 21d5d919258 tab
    3⤵
    PID:652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4592.9.1874260481\1783898087" -childID 8 -isForBrowser -prefsHandle 4916 -prefMapHandle 4944 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {77dd616b-fc67-472c-a815-73f21849eeb9} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" 4904 21d5f980c58 tab
    3⤵
    PID:3476

C:\Users\Admin\Music\The-MALWARE-Repo-master\Virus\WinNuke.98.exe
"C:\Users\Admin\Music\The-MALWARE-Repo-master\Virus\WinNuke.98.exe"
1⤵
PID:1656

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5032

C:\Users\Admin\Music\The-MALWARE-Repo-master\Virus\Xpaj\xpajB.exe
"C:\Users\Admin\Music\The-MALWARE-Repo-master\Virus\Xpaj\xpajB.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
PID:5348

C:\Users\Admin\Music\The-MALWARE-Repo-master\Virus\Floxif\Floxif.exe
"C:\Users\Admin\Music\The-MALWARE-Repo-master\Virus\Floxif\Floxif.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:5404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5404 -s 472
  2⤵
  - Program crash
  PID:5452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\doomed\27366

Filesize
12KB

MD5
f4561c3348a98ce628f90d167b293422

SHA1
01d6e639db87c578529d931d2803ae7b7988f5a7

SHA256
069c4ad7ca4b8e84ce11716fd4e9b5fda38a459852f45d8b761072753607a8a8

SHA512
d5055ec996627be4dc4f2b3d5b841c9ba586f9874a32cebe3933e5c7e0745a84608330ec38c10f3910f8b3e004e1907f71e7f2c359207c78384d6afaca91fe1a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\doomed\27640

Filesize
12KB

MD5
2f2d8bee68586ee2f3b7a8cd0571b001

SHA1
345417973dd952d66a1d783c8abef402f9dffed9

SHA256
b571f5cca0652e4ce3be2b154536be59a5685b8d221a2439330c90d692fc47dc

SHA512
8b23765b3447a1c9b22ac5bd6c946527f3eccba13e0ffdefbf2f0cd9a375c0dd5482df6c51a73a3ea37970c33617015f9632bb8428e27952e9864a4c96b7d3c2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\doomed\32711

Filesize
13KB

MD5
fb904f86d04ad007eac2a2e3afc2d10e

SHA1
e6f4c9c3ae59041d114fa98f8c827d4cb77ec576

SHA256
bb1b06a2785054836264797ea667ddd749bf4a878e4dd5543665fd26e75b4fa9

SHA512
2b87ea8afc463254b821afafbd6f9b878e46de9dc6b76d74ecace1e61a3de4ad66e1c626fdf21f387439ea7c12b47254bd0e4dec724dff030152048509baa4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
a46499826ff13c4337a477a3d390925e

SHA1
c72410e4e16786f2c11668b78058574e984a5b34

SHA256
ee0a9133a4aadc692183eed40f5ea2919f5dbb1b3cd6e2910dbcb2d340e0bfdd

SHA512
ca14c0ff167023a77286f0f844be6971b138f4e02ea97b9b6f4668ea229dfd14251509fd25844bf48105e699cdfe9aa92cde6e79d3f38ff8138600138ca445b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\755221a4-190d-41fa-af6e-d932b7578b0c

Filesize
10KB

MD5
479abe6cceb5b2603545a75a31f1fa9f

SHA1
025571e81bad26072078bfda476c16d2a48499b8

SHA256
6815206993c482d21a279ecc11faff8c42b363b2747f9d3cf2abc34e8b5ef048

SHA512
d3389641cd59ca8444f0fbadf0dc3375c53e139ba2fc8e9a2a954772da8383b06ed6fd8394b9269ec96b0bd2cc3b6de3f20b3318b342cc76943d3b6b77404c70

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\982b1bac-aeeb-41f8-9da5-eb7fab07cc63

Filesize
746B

MD5
99a2d4546f6d7c0f26289a837462ccbe

SHA1
2f250a579cef5882df92e9348191efe1136f6331

SHA256
0d53607f2c4e22c8ac5eb862156946a7cb790ea90f6a3cff15853fc463d4c5c8

SHA512
7d456963c0a9b432bef8a58e9cd1f98be027117999bba5aa250c7233111b2b895655c0226861235568253eda4c1103d1178a6fd23aa3478aca62caa637731c48

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
6KB

MD5
5878f1a56bf314ebb102af153fb11efc

SHA1
a90570d44f7b90d5b95d67d7c9e7383468e87104

SHA256
a4b27772d185f3b7e6805e5d1decbe6594e57dd72acce0ff44049e5c5dd8e706

SHA512
b857bfccad1f15c4903069624562a9bc9172c1de80fb0dea09e1a4268024163c6cc5ca59170f2a984e3ea6eebbba1a6bee88946a0aaad588534119f600c96d13

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
7KB

MD5
f84044ad75ba3461e0afaf1f9162f09a

SHA1
d33f4d429f74876d2e0c5792da5aa5871c2589b4

SHA256
e6d02a84c4e549dc87d0772481146cbb0be0df57b83ad6419183ce57a9f24c2d

SHA512
56d64da80b47211f608edb71bd7573377a98ebbf5c43be6408ab1adee6c553d3b3369ceab37aa32f35c9e6aebbf1694bfe1f0b826024a40184320db2e63c6e45

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
6KB

MD5
1a6c464f222ae7cdbedcc9a794442237

SHA1
34efeaa9115b653c55e50e622b4fcea88b687441

SHA256
863a965ab9f90542ee3d32fe135cca9589fa11a230856f9ec73b303d5d296197

SHA512
13d4741de9f3366686a1caeb770b5766bea57c863df91575c831e3a3e71d9f18db1b24a5ef5580b71aa0da86d4d7f4f5581d29cd5d3baab09722ce9b5d0f5a8c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
7c8618a861fe7f3ea9f4313bbdc2d11b

SHA1
3756f9f4ecb0dd8de827465d540c99a2645fb93b

SHA256
1690ddc652c2db97ff824e11a6c99324554a36f8ba3a30e4d62d622e4c180d75

SHA512
fbd1c4c87bcac0d03f6e73b547191cba0edeeb6ae936beca9566c6dbf2e8e04ded15a2ef0d08395072e9f42f970826930ff6de3724c6548de35fbe06e939d0a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
c14d53fb7031f909c5e5095d90e00721

SHA1
918f6d40ab621bc8741c8e6fa23a9a317f808b7e

SHA256
b3d1bc4be14c7c63f5ce296d35eade3ea6cb83219d9ce7e4a725b8776b324f0b

SHA512
134d0e0c98607562af636af3015e355c9d542534a3f78d6b81d65210660319241ed45edbe5f727b6b6660fe0db7f9b24f575c21db93e98f9216d8f4272917f2f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
b81395d0140a5a423503e144f11ff7c4

SHA1
247622cb0df6925dd88f28b4179f8a73e589a993

SHA256
2616a57b80806f7ae07a532ec590d525888804f6558a6e865a58e531014ad03d

SHA512
4e4173d06f27d96040a7ab73836b26639f13608fb0819cc08c62e951f508da93bdbf58d28c2a2cd54d9477d05f6a5c2d023238f9af1f9ca694cbe9829308eccd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
8cf7ec40c78bfbca1ac10430c43f4cb7

SHA1
b4220a3857e06b43454d93009a632967ef9513ce

SHA256
bfa66064d533e16e0d76843a92537862c20df4621c809e311b5e69e36d3a3390

SHA512
03cb8d9de9008333e882b8acf5f3d850c974629de1b6717f1228c70bce40ec929c90ec51668056edc07a4734e1ba382f75913e5b847f86c50f5c4ea47ec41032

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
433a16788107f167affe5f239b0b31ee

SHA1
caa3aa718bb184a6a9a2ee2eda0ca23b29a1a2ee

SHA256
ef82b9817e6eb57fd1f434fb0638aeaec362e8b74c898f7d91cbdd9adbb289ba

SHA512
9e68c2d11a36d6a18150ee7a514dcb553b3e014d93583c4800ce4e927aee406add6b89802b864ffbc5311a5b5b228d4e27125829a5da6f70c7afc24d067bb477

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
1b18947edbf9009f0724e67b0dc2bb35

SHA1
f92a6b6f5ef2142072a14101c3b2ca101d913a63

SHA256
f17e30f4aa81ea66970820aef86e1434c66d014d4e74819a07e454711d387bdf

SHA512
6e4d36e2320e4896d9f38153510f37ec3907d1a11b1ac5faaeac3a9f68d6fcbc15d6366c0f9a2b4dd16e864d841f3b93574529268cc39e066713184f37bcac51

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
0ed2663971e8051b2bcb574926400fa8

SHA1
467756bf41c377bdb07c8be10d5391f1df1d80a7

SHA256
0c44c9887ebd30506041e4f483422673660df0b74c7468b0cab2c69bee1f4e8c

SHA512
e521f02d0a4dc70e3bb33747c5113c76f18f15b4370826ef13700c4f559c8b158ed1d8ef79d7d88794bfea61496a75d653237391f2f8b5e53d8574a21f113898

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
72KB

MD5
ccf7e487353602c57e2e743d047aca36

SHA1
99f66919152d67a882685a41b7130af5f7703888

SHA256
eaf76e5f1a438478ecf7b678744da34e9d9e5038b128f0c595672ee1dbbfd914

SHA512
dde0366658082b142faa6487245bfc8b8942605f0ede65d12f8c368ff3673ca18e416a4bf132c4bee5be43e94aef0531be2008746c24f1e6b2f294a63ab1486c

Download Submit
memory/5348-599-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5348-600-0x00000000006D0000-0x00000000006D3000-memory.dmp

Filesize
12KB

Download
memory/5348-601-0x0000000000490000-0x00000000004B4000-memory.dmp

Filesize
144KB

Download
memory/5404-607-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download