Resubmissions
Submitted           Analysis ID          Score
08-07-2024 02:35    240708-c24z3s1apa    10
08-07-2024 02:34    240708-c2gjsa1alg    1
08-07-2024 02:25    240708-cwrgssyajk    10

Analysis
max time kernel: 272s
max time network: 293s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-07-2024 02:35
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://github.com/roylikesdick/one-click-method
Resource: win10v2004-20240704-en

General
Target: http://github.com/roylikesdick/one-click-method
Malware Config
Extracted family: mercurialgrabber
Discord webhook: https://discord.com/api/webhooks/1252398261596196885/TejCVh7vOmj4x78lg-iJsSRTloPmJ3qW0o_84ZXso3MJRa08ELdG1gmXlXzhhWUrGLyH
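The webhook above is where a Mercurial Grabber build sends what it steals, so the first two things a responder wants from it are a date and a kill switch. The following is an added example, not code from this report or from the Mercurial Grabber project: it pulls webhook URLs out of a strings dump, recovers the webhook's creation time from the Discord snowflake ID (milliseconds since 2015-01-01 in the top 42 bits), and builds the unauthenticated DELETE request that revokes it. The regex, the helper names and the surrounding sample text are my own; the URL is the one the sandbox extracted.

```python
"""Added example (not from this report or from Mercurial Grabber): triage the
Discord webhook URL that the sandbox extracted from the stealer's config.
The regex, the helper names and the constructed blob below are my own; the
webhook URL is the one shown in the Malware Config section above."""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Discord IDs are snowflakes: the top 42 bits are milliseconds since the
# Discord epoch, 2015-01-01T00:00:00Z. A webhook ID therefore dates the
# webhook's creation, which gives a timeline anchor without Discord's help.
DISCORD_EPOCH_MS = 1_420_070_400_000

WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/"
    r"(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]{60,})"
)


def snowflake_to_ms(snowflake: int) -> int:
    """Unix time in milliseconds encoded in a Discord snowflake."""
    return (snowflake >> 22) + DISCORD_EPOCH_MS


def parse_webhook(url: str) -> Optional[Dict[str, object]]:
    """Split a webhook URL into id/token, date it, and build the revocation request."""
    m = WEBHOOK_RE.search(url)
    if not m:
        return None
    wid = int(m.group("id"))
    created_ms = snowflake_to_ms(wid)
    created = datetime.fromtimestamp(created_ms // 1000, tz=timezone.utc)
    return {
        "id": wid,
        "token": m.group("token"),
        "created_ms": created_ms,
        "created_utc": created.strftime("%Y-%m-%d %H:%M:%S"),
        # Discord's "Delete Webhook with Token" endpoint needs no bot credentials:
        # whoever holds the full URL can delete it, which is how a responder cuts
        # the exfiltration channel (archive/report the webhook first).
        "revoke": f"DELETE https://discord.com/api/webhooks/{wid}/{m.group('token')}",
    }


def find_webhooks(blob: str) -> List[Dict[str, object]]:
    """Pull every webhook out of a strings dump or decoded config."""
    return [parse_webhook(m.group(0)) for m in WEBHOOK_RE.finditer(blob)]


# Constructed input: the extracted config URL embedded in surrounding text,
# the way it would appear in a strings dump of the sample.
SAMPLE_BLOB = (
    "mercurialgrabber webhook="
    "https://discord.com/api/webhooks/1252398261596196885/"
    "TejCVh7vOmj4x78lg-iJsSRTloPmJ3qW0o_84ZXso3MJRa08ELdG1gmXlXzhhWUrGLyH"
    " end"
)

if __name__ == "__main__":
    for hook in find_webhooks(SAMPLE_BLOB):
        print(hook["id"], hook["created_utc"], hook["revoke"])
```

For this webhook the snowflake dates creation to 2024-06-17 23:03:33 UTC, three weeks before the 08-07-2024 submissions, which is the kind of detail that ties several submissions of a "Robux" lure to one operator. The DELETE is a one-way action; take a copy of the webhook's channel/guild metadata (a GET on the same URL returns it) before revoking.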
Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open-source stealer targeting Chrome, Discord and some game clients, as well as generic system information.
Looks for VirtualBox Guest Additions in registry (2 TTPs, 2 IoCs)
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | One Click Robux Method.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | One Click Robux Method.exe
Downloads MZ/PE file
Looks for VMWare Tools registry key (2 TTPs, 2 IoCs)
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | One Click Robux Method.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | One Click Robux Method.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | One Click Robux Method.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | One Click Robux Method.exe
Executes dropped EXE (2 IoCs)
pid | process
4980 | One Click Robux Method.exe
1976 | One Click Robux Method.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 7 IoCs)
flow | ioc
92 | discord.com
147 | discord.com
80 | raw.githubusercontent.com
81 | raw.githubusercontent.com
82 | raw.githubusercontent.com
83 | raw.githubusercontent.com
91 | discord.com
Looks up external IP address via web service (5 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
84 | ip4.seeip.org
85 | ip4.seeip.org
86 | ip-api.com
144 | ip4.seeip.org
145 | ip-api.com
Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | One Click Robux Method.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | One Click Robux Method.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | One Click Robux Method.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | One Click Robux Method.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | One Click Robux Method.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | One Click Robux Method.exe
Note: only the two One Click Robux Method.exe rows are evasion checks; the sample opens the VMware virtual-disk device key by name to see whether it exists. The taskmgr.exe rows are Task Manager reading the disk it actually has (vendor string DADY) for its own display and should not be counted against the sample.
Checks processor information in registry (2 TTPs, 12 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | One Click Robux Method.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | One Click Robux Method.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | One Click Robux Method.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | One Click Robux Method.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Note: firefox.exe and taskmgr.exe read CentralProcessor\0 as part of normal operation; this signature is only meaningful for the One Click Robux Method.exe rows, and on its own a ProcessorNameString read is weak evidence. It becomes significant in combination with the VirtualBox, VMware and SCSI checks above.
Enumerates system info in registry (2 TTPs, 8 IoCs)
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | One Click Robux Method.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | One Click Robux Method.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | One Click Robux Method.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | One Click Robux Method.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | One Click Robux Method.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | One Click Robux Method.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | One Click Robux Method.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | One Click Robux Method.exe
Modifies registry class (3 IoCs)
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings | firefox.exe
Key created | \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings | OpenWith.exe
NTFS ADS (1 IoCs)
description | ioc | process
File created | C:\Users\Admin\Downloads\One Click Robux Method.exe:Zone.Identifier | firefox.exe
Note: this is Firefox writing the Mark-of-the-Web stream on the file it downloaded, not the sample hiding data in an alternate stream. It is useful evidence rather than a red flag: the Zone.Identifier stream records the download's zone and, in recent browsers, the referrer and host URL, which ties the dropped EXE back to the GitHub-hosted lure.
Opens file in notepad (likely ransom note) (1 IoCs)
pid | process
5792 | NOTEPAD.EXE
Note: the file opened is C:\Users\Admin\AppData\Local\Temp\chrome_installer.log (see the process tree); the "ransom note" heuristic has fired on an operator opening a log file during the interactive session. Mercurial Grabber is a stealer, not ransomware, and nothing else in the report supports encryption activity.
Suspicious behavior: EnumeratesProcesses (24 IoCs)
pid | process | occurrences
4872 | taskmgr.exe | 24
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | process
5628 | OpenWith.exe
Suspicious use of AdjustPrivilegeToken (13 IoCs)
description | pid | process
Token: SeDebugPrivilege | 1492 | firefox.exe (x2)
Token: SeDebugPrivilege | 4980 | One Click Robux Method.exe
Token: SeDebugPrivilege | 4872 | taskmgr.exe
Token: SeSystemProfilePrivilege | 4872 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 4872 | taskmgr.exe
Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege) | 4872 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 4872 | taskmgr.exe
Token: SeDebugPrivilege | 1492 | firefox.exe (x3)
Token: SeDebugPrivilege | 1976 | One Click Robux Method.exe
Token: SeDebugPrivilege | 1492 | firefox.exe
Note: the rows that matter are the two stealer instances (PIDs 4980 and 1976) enabling SeDebugPrivilege; the taskmgr.exe and firefox.exe rows are those programs' normal privilege adjustments.
Suspicious use of FindShellTrayWindow (54 IoCs)
pid | process | occurrences
1492 | firefox.exe | 4
4872 | taskmgr.exe | 50
Suspicious use of SendNotifyMessage (52 IoCs)
pid | process | occurrences
1492 | firefox.exe | 3
4872 | taskmgr.exe | 49
Suspicious use of SetWindowsHookEx (43 IoCs)
pid | process | occurrences
1492 | firefox.exe | 7
5628 | OpenWith.exe | 19
5788 | OpenWith.exe | 17
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | process | procid_target | occurrences
PID 5052 wrote to memory of 1492 | 5052 | firefox.exe | 81 | 11
PID 1492 wrote to memory of 1600 | 1492 | firefox.exe | 84 | 43
PID 1492 wrote to memory of 2368 | 1492 | firefox.exe | 86 | 10
Note: all 64 writes are the Firefox launcher (5052) and browser parent (1492) setting up their own child processes (1600 is the gpu process and 2368 the socket process in the tree below). None involve the sample; this signature is browser noise here.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
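Several of the registry signatures above fire on firefox.exe and taskmgr.exe as well as on the sample, so a reviewer has to weigh which keys were touched, not just count hits. The following is an added example, not part of this report's tooling or of Mercurial Grabber: it parses "action | key | process" lines, maps each registry path onto a probe category, and gives a per-process verdict that requires either a hypervisor-product key (VirtualBox Guest Additions, VMware Tools, a VMware SCSI device) or at least three distinct categories before calling it VM detection. The category table, the threshold and the helper names are my own choices; the sample lines are constructed from the IoC tables in this report.

```python
"""Added example (not part of this sandbox report or of Mercurial Grabber):
turn registry-access IoCs into a per-process verdict, so that the stealer's
VM checks are separated from the benign hardware reads that firefox.exe and
taskmgr.exe also produce in this report. The category table, the threshold
and the sample lines are my own; the sample lines are constructed from the
report's signature tables."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Registry paths a stealer reads to decide whether it runs in a VM or sandbox,
# grouped by what the answer reveals. Matched case-insensitively.
VM_PROBES = {name: re.compile(rx, re.IGNORECASE) for name, rx in {
    "vbox_guest_additions": r"\\SOFTWARE\\Oracle\\VirtualBox Guest Additions",
    "vmware_tools":         r"\\SOFTWARE\\VMWare, Inc\.\\VMWare Tools",
    "scsi_vmware":          r"\\Enum\\SCSI\\Disk&Ven_VMware",
    "video_bios":           r"\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
    "system_bios":          r"\\HARDWARE\\DESCRIPTION\\System\\System(?:BiosInformation|Manufacturer|ProductName)",
    "cpu_name":             r"\\CentralProcessor\\0\\ProcessorNameString",
    "disk_enum":            r"\\Services\\disk\\Enum",
}.items()}

# Keys that only exist on a hypervisor product: one hit is enough. The other
# categories are read by plenty of legitimate software (Task Manager, browsers),
# so they only count when several of them are combined.
STRONG = {"vbox_guest_additions", "vmware_tools", "scsi_vmware"}
BREADTH_THRESHOLD = 3

# Constructed sample: "action | registry key | process", a subset of the IoC
# tables in this report.
SAMPLE_LOG = r"""
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | One Click Robux Method.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | One Click Robux Method.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | One Click Robux Method.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | One Click Robux Method.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | One Click Robux Method.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | One Click Robux Method.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | One Click Robux Method.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
"""

Event = Tuple[str, str, str]


def parse_events(log: str) -> List[Event]:
    """Split 'action | key | process' lines; malformed lines are skipped."""
    events: List[Event] = []
    for line in log.strip().splitlines():
        parts = [p.strip() for p in line.split(" | ")]
        if len(parts) == 3:
            events.append((parts[0], parts[1], parts[2]))
    return events


def classify_key(key: str) -> List[str]:
    """Return every probe category a registry path falls into."""
    return [name for name, rx in VM_PROBES.items() if rx.search(key)]


def score_processes(events: List[Event]) -> Dict[str, dict]:
    """Per process: distinct probe categories touched, strong hits, verdict."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for _action, key, proc in events:
        hits[proc].update(classify_key(key))
    verdicts = {}
    for proc, cats in hits.items():
        strong = sorted(cats & STRONG)
        if strong or len(cats) >= BREADTH_THRESHOLD:
            verdict = "vm-detection"
        else:
            verdict = "hardware-enumeration-only"
        verdicts[proc] = {"categories": sorted(cats), "strong": strong, "verdict": verdict}
    return verdicts


if __name__ == "__main__":
    for proc, info in score_processes(parse_events(SAMPLE_LOG)).items():
        print(f"{proc}: {info['verdict']} {info['categories']}")
```

On the sample lines the stealer lands in all seven categories with three hypervisor-specific keys, while firefox.exe and taskmgr.exe only touch ProcessorNameString and stay at "hardware-enumeration-only"; the taskmgr.exe SCSI key (vendor DADY, the sandbox's real disk) deliberately does not match, because the evasion check is the attempt to open the VMware-named device key, not SCSI enumeration as such.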
Processes

firefox.exe  PID 5052
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://github.com/roylikesdick/one-click-method"
  - Suspicious use of WriteProcessMemory
  firefox.exe  PID 1492
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://github.com/roylikesdick/one-click-method
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    firefox.exe  PID 1600  (gpu)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1492.0.1999716070\2113990282" -parentBuildID 20230214051806 -prefsHandle 1784 -prefMapHandle 1776 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1904301-7d75-4cc6-aa50-ae0960f16f14} 1492 "\\.\pipe\gecko-crash-server-pipe.1492" 1864 271d3eea158 gpu
    firefox.exe  PID 2368  (socket)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1492.1.878632112\500378699" -parentBuildID 20230214051806 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f43149c8-93da-41eb-8d24-6f7637a25d37} 1492 "\\.\pipe\gecko-crash-server-pipe.1492" 2448 271c818a058 socket
    firefox.exe  PID 4212  (tab)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1492.2.2045745537\824960148" -childID 1 -isForBrowser -prefsHandle 2992 -prefMapHandle 2724 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1352 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48a751b6-ace5-4ecf-9419-5709ed41becf} 1492 "\\.\pipe\gecko-crash-server-pipe.1492" 1612 271d7e50858 tab
    firefox.exe  PID 3628  (tab)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1492.3.1625934309\1679983847" -childID 2 -isForBrowser -prefsHandle 3592 -prefMapHandle 2840 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1352 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26a774ce-5375-437d-ab2a-7a1f6526f424} 1492 "\\.\pipe\gecko-crash-server-pipe.1492" 3604 271d970d758 tab
    firefox.exe  PID 3784  (tab)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1492.4.1027945645\746868191" -childID 3 -isForBrowser -prefsHandle 4948 -prefMapHandle 4944 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1352 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5865c60-353b-4171-a8a8-b58509dcc69c} 1492 "\\.\pipe\gecko-crash-server-pipe.1492" 4960 271daea7558 tab
    firefox.exe  PID 4020  (tab)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1492.5.992144932\766484119" -childID 4 -isForBrowser -prefsHandle 5360 -prefMapHandle 4792 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1352 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {556cda6d-5e4f-4f50-bebc-2cc177b9b6e5} 1492 "\\.\pipe\gecko-crash-server-pipe.1492" 5372 271dbfe0258 tab
    firefox.exe  PID 1320  (tab)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1492.6.2035670267\1207078404" -childID 5 -isForBrowser -prefsHandle 5596 -prefMapHandle 5592 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1352 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d670038-8cba-4aa9-a0a7-f85e2fd610ba} 1492 "\\.\pipe\gecko-crash-server-pipe.1492" 5604 271dc242858 tab
    firefox.exe  PID 4176  (tab)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1492.7.857092671\66064499" -childID 6 -isForBrowser -prefsHandle 5728 -prefMapHandle 5724 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1352 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45e66fed-27c5-4537-94b1-1654e545170c} 1492 "\\.\pipe\gecko-crash-server-pipe.1492" 5648 271dc244058 tab
    One Click Robux Method.exe  PID 4980  (launched from the browser's download)
      "C:\Users\Admin\Downloads\One Click Robux Method.exe"
      - Looks for VirtualBox Guest Additions in registry
      - Looks for VMWare Tools registry key
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Maps connected drives based on registry
      - Checks SCSI registry key(s)
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken

taskmgr.exe  PID 4872
  "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

RuntimeBroker.exe  PID 4980  (PID recycled after the first One Click Robux Method.exe instance exited)
  C:\Windows\System32\RuntimeBroker.exe -Embedding

rundll32.exe  PID 5292
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

OpenWith.exe  PID 5628
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  NOTEPAD.EXE  PID 5712
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\{D726FD1B-623F-4A4D-98BD-A9D388BE916C} - OProcSessId.dat

NOTEPAD.EXE  PID 5792
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
  - Opens file in notepad (likely ransom note)

One Click Robux Method.exe  PID 1976  (second run of the downloaded file)
  "C:\Users\Admin\Downloads\One Click Robux Method.exe"
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken

OpenWith.exe  PID 5788
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  NOTEPAD.EXE  PID 5580
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Note: the OpenWith.exe, rundll32.exe, RuntimeBroker.exe and NOTEPAD.EXE processes are shell activity from the interactive session (opening files from Explorer); the sample's own behaviour is confined to the two One Click Robux Method.exe instances, which do not spawn children in this run.
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 02bda42daaa36d550e37d0e7d7b9b321
SHA1: 5cccf64dd1514a92f128cd1e21d7fbf3e50e9672
SHA256: 333fe7dc3fd52d35cd054deeba517a51775978b4360817c8a92a632093a00570
SHA512: 313a20e360b47461b913f902517442eb0f41a43155c730ddf19454e80951dfaebe7f23637af5a51045125b2ff1d7682ccc75c03773cd330c8864a7de6f2f3169

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\activity-stream.discovery_stream.json.tmp
Filesize: 26KB
MD5: 97a2bd77f607e178a12bcca2be84604d
SHA1: c60edd50dba87167c21500dcb4335718b8c706ad
SHA256: 17b0946f388c89b200e62b20f58e1c35de2f97ae9776726107a8472b6aaa6c51
SHA512: ff978e6d071a776490a515e4e58a2af8a6aa542233a283e15aa44a2578a0d6200330b7288b5662f27a132522911bdce079f94edeed64762d9aaf896f8e60e454

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\activity-stream.discovery_stream.json.tmp
Filesize: 26KB
MD5: a178506eb8154bdbc923a08d7e24363c
SHA1: 107c69b2f943982fefb73ff1db001c55f8fc7234
SHA256: 147776fe3e09a585c5ef75b187da75521387ea20e21d66737cf2c412ae0ae2c7
SHA512: eb0e207029653577aae1596c13186cd56387454df62d8f5b3c97efb621e4e530ab222ab1fd8c5038c9bb48cb83c87655601e9db9a2f39e65eddda7086a2c8c16

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize: 13KB
MD5: 54756992a6fe2f9be62e496733674a2f
SHA1: 3703d09a50960a13edb1c3393f7fd6fb177e26e9
SHA256: 1dcbbb70f763af6cec112d3c545fcf67961d58dc73f078f362b4cbc54be1a68c
SHA512: 2241f5ed5bc5f007c00680d99a3776572685a3e1ddd332d0864a7f22e68ded6943f28d27192297f7729d4db117e23f7fe7a41aad277bba56fe786a55b78b857e

Filesize: 442KB
MD5: 85430baed3398695717b0263807cf97c
SHA1: fffbee923cea216f50fce5d54219a188a5100f41
SHA256: a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512: 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Filesize: 8.0MB
MD5: a01c5ecd6108350ae23d2cddf0e77c17
SHA1: c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256: 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512: b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1RGLLCH7M5U5U223TLGE.temp
Filesize: 10KB
MD5: b0ca373d73147fd295216959922261a7
SHA1: 40ef4ebdaed8c5d8f03814c4b8a1032a1b7a505c
SHA256: b84abde2b3251ed3d7eb56c953ffb7232b3f15efaf7b0b1e559029b084b31621
SHA512: ae9dcce62351290e5e15f25bffff55d5f51f581441655993636afd9431e727e6a2aee7d8505dcaf3ef81ee0e9f6657ed4f0f8b9087da615e77dbafe612b9fb00

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize: 997KB
MD5: fe3355639648c417e8307c6d051e3e37
SHA1: f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256: 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512: 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize: 116B
MD5: 3d33cdc0b3d281e67dd52e14435dd04f
SHA1: 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256: f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512: a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize: 479B
MD5: 49ddb419d96dceb9069018535fb2e2fc
SHA1: 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256: 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512: 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize: 372B
MD5: 8be33af717bb1b67fbd61c3f4b807e9e
SHA1: 7cf17656d174d951957ff36810e874a134dd49e0
SHA256: e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512: 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize: 11.8MB
MD5: 33bf7b0439480effb9fb212efce87b13
SHA1: cee50f2745edc6dc291887b6075ca64d716f495a
SHA256: 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512: d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize: 1KB
MD5: 688bed3676d2104e7f17ae1cd2c59404
SHA1: 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256: 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512: 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize: 1KB
MD5: 937326fead5fd401f6cca9118bd9ade9
SHA1: 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256: 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512: b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Filesize: 8KB
MD5: afc2a91a55c241755f337a884778ca17
SHA1: 7be5334663abf8fd65acd8483c6882f37b7e5a07
SHA256: 7becab18235eed37609613736f3501db382df80526449f7363f6572bf685436f
SHA512: 0e70a938c4da63e924a418014dc2ee8d74cbe6c1451d512a8d5226fd0e733a4eac79223498e63a2907fcbcdb07d9f11e597ea7e57ae83ab86b23ed6decdd5fcc

Filesize: 6KB
MD5: 0b3ea4f98af7b163408c5aad0cd7c686
SHA1: e270e7be8149ecdf222e2db1ff849fcb70e4be56
SHA256: ff6d5ced56c01cf79ba0b76753ef3d77ea47c1bd3c2540b44e30ddbee9ddcf5c
SHA512: 73b7eff7e98c8b3ebeaf3c1696f439b1cb016fa847ab8572a87c6028f2fa932ee2d915c3860a238363752913ed8c6fe6375f6111c09035180d85c7330abf082d

Filesize: 6KB
MD5: 8518e9f516db84d8fb708544240a5871
SHA1: 9a0a9d34f7e032912c8f648e72369b463bc7cf66
SHA256: 5c1c6bbf56bcc22c645be29335f35aa6eff70bbe5395eeeb41e616c65144a99d
SHA512: 00e5e4c041f8a81319c4453fe5d09f4ede3147aada23793b232b8d0b23e40fb43da9df23efcf4b450ac1f3e82010b915e3117fb099a3a50e202a9557789d3e2c

Filesize: 6KB
MD5: 5a8ae01a47a9a786537a6de9a7c866bc
SHA1: 4dc6325044b34cb3a75f1a34335312f46fd57dc7
SHA256: 1418082bf5d64369cab3cddf1acca32d5df4fb7f7bac36df1f8fd10372ec7b22
SHA512: 8dda59532bb50391cb32fab2c725b2c1689f235d45de1a9c278cfe30071a1b62c9e22cbba8845bd28b6a3e404fe3c25b9bdbd6a9b3aefc452f804ffda70eceac

Filesize: 6KB
MD5: 2dd587ba2a529a869b2e8995caffbb42
SHA1: d92a1c22d5827331e9c338b421388629d9edfe7a
SHA256: 303338a5f1429a01801e5ca71a9724a349b6f8a3a15fa92dc8ed3eed15bac1a5
SHA512: 3c17c6c3f93d5a61fd2ab7eb9372d28c391f08299e6db059860014326eace10ed033a9907ef68a314d4f468bb087d085676388dccd98254bf05de04a40528022

Filesize: 7KB
MD5: 62d7f4d6f891d28250605b5baf9899a5
SHA1: ebd9f700338fff594a38254a0d100ed02ab2c6ea
SHA256: 51a980526356e5d4070b822e8b267214fffd1b7bef3181a0293fe3fb8a801839
SHA512: 75963e171a9c4fdb14e4b2bfaeb434716593bd1b605be100d4d5a5f33da85af727f618bed10d446404858da270e90341003dd7163c00db3299cda50fedd768e1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 3KB
MD5: c01a944135a325b79021df86abc3fad5
SHA1: 3b81fc4badd967531daa6074daa3daa09d8ee238
SHA256: 9b7094255b0df5eb1bede0853d8b49a8f7f23b577c53e157b4d4a267f6f0fe87
SHA512: 848c979cbc9f4911c298da1b124b5ff05a5ad27c947901ea1c6d69f47c5b130166ba8a1b246707d8cd38efa6a33095216ed4be8a1236fe254d96cd0594fb2a9d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 3KB
MD5: 91cb38bfc31ef861b771d71416d189d1
SHA1: f46bf6139d13876ecac6232dc01bae937873eb3b
SHA256: eafefd73dc46a1c7db675df4937cb594ed564eb0da78c800a8090e7f73a7f874
SHA512: 2b99962fcf65f10609b67aee28d25624ea9b3f63636d0f7029bda0136ebe77339df1f6980b7cd7dc0dd5536fd622292f963d15a9dcb24228f4333dfb35fa2906

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 3KB
MD5: 5a29f86b598fe0a19cfeffe105f64ddd
SHA1: 9c79c7a4c5929444077572d8a97cdc9db92ad1ba
SHA256: 3a265ae369dd21565721f6e3c79638729f6d269e89908c7fc2f422f86192e0e1
SHA512: 76a19d75cb8aa72d5752aa192d22fbfbc7736b5a68e90829c1e283f5151ff3d077f03657bbeecbd3fcf628fa123a13b99987b30c91ade190fbc8b2088881084d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 3KB
MD5: 22afa6b56f75ea983716ff4f7e1b1c3e
SHA1: 58fa1a522f82cceb70ba9c7f7713384f5bc0ccea
SHA256: fa63e226e2b60665e42db017c8d61e71320c0495d706c813ebd53f911d74f3e8
SHA512: 4b5bbfe10ed6cc6c4202f7db6a34a6e73cb5e813760dde386bc6c3821dc0e683c86f72556121fa8ed1b6d987e4c1cd37b3550b66ee06fa526aef4d7dce21b8e0

Filesize: 464KB
MD5: f2c80a45ed328f94ff879254f277e46e
SHA1: e92027bf9768de2f3d16f42289124f1b5cee8a55
SHA256: d081fc4e821aed48b32b42733f346a04576c28b6bc9a82a486ac8cf08f01807f
SHA512: 83e0e67d0125abe2c39a34b8d5081692fbaccb686e64fc69dcc1dde2499258bec1c8729d617ac19b9ea340b3572eed39b4701b8294a128c3c6d3e2f843d39dea