664555cf762648ba681ec342b9007d3d08a9c4e01754df5d350b81f6fb047585

Analysis

max time kernel
121s
max time network
151s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
28-09-2024 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FF Logs Uploader.exe
Size

120.4MB
MD5

6a63ffc960eae0110988c2eba05bc53e
SHA1

bce4ae23d2f293f404db47adb13b896f82453722
SHA256

797bba78ca10fe875c03cdcd21b71f6e73e9c2f0bef68d85b4c55fb4adcc22b7
SHA512

2585bb841537abaca8b86b9d5ddac514ca039d0b04041f9adf2c8ffb1f69df9e55258a0fd062e7ad6edc1ddce264fc5c9ed6ad71231d8929f02eca1d2e6a8a3b
SSDEEP

1572864:OogF7swE5U3YlnuDcvgrQ7vXJIAgWzpYYHYYx0D+iQxs:23YJIY4Uw+Xs

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FF Logs Uploader.exeFF Logs Uploader.exeFF Logs Uploader.exeFF Logs Uploader.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation	FF Logs Uploader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation	FF Logs Uploader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation	FF Logs Uploader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation	FF Logs Uploader.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

FF Logs Uploader.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	FF Logs Uploader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	FF Logs Uploader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	FF Logs Uploader.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280	FF Logs Uploader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = 0300000001000000140000009e99a48a9960b14926bb7f3b02e22da2b0ab72801400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf2119183040000000100000010000000c6150925cfea5941ddc7ff2a0a5066920f00000001000000200000008408d5e5010ab8da67eb33a7d79ace944dd0ac103ae6ead3ff30dec571066b0319000000010000001000000014d4b19434670e6dc091d154abb20edc180000000100000010000000fd960962ac6938e0d4b0769aa1a64e264b0000000100000044000000420036003600320034003000420030004600360043003800340042004400340038003500370041004200410036003000430046003500430045003400410030005f000000200000000100000079040000308204753082035da003020102020900a70e4a4c3482b77f300d06092a864886f70d01010b05003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3039303930323030303030305a170d3334303632383137333931365a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a381f03081ed300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183301f0603551d23041830168014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7304f06082b0601050507010104433041301c06082b060105050730018610687474703a2f2f6f2e7373322e75732f302106082b060105050730028615687474703a2f2f782e7373322e75732f782e63657230260603551d1f041f301d301ba019a0178615687474703a2f2f732e7373322e75732f722e63726c30110603551d20040a300830060604551d2000300d06092a864886f70d01010b05000382010100231de38a57ca7de917794cf11e55fdcc536e3e470fdfc655f2b20436ed801f53c45d34286bbec755fc67eacb3f7f90b233cd1b58108202f8f82ff51360d405cef18108c1dda775974f18b96ddef7939108ba7e402cedc1eabb769e3306771d0d087f53dd1b64ab8227f169d54d5eaef4a1c375a758442df23c7098acba69b695777f0f315e2cfca0873a4769f0795ff41454a4955e1178126027ce9fc277ff2353775dbaffea59e7dbcfaf9296ef249a35107a9c91c60e7d99f63f19dff57254e115a907597b83bf522e468cb20064761c48d3d879e86e56ccae2c0390d7193899e4ca09195bff0796b0a87f3449df56a9f7b05fed33ed8c47b730035df4038c	FF Logs Uploader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	FF Logs Uploader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	FF Logs Uploader.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

FF Logs Uploader.exeFF Logs Uploader.exeFF Logs Uploader.exeFF Logs Uploader.exeFF Logs Uploader.exe

pid	process
2780	FF Logs Uploader.exe
2148	FF Logs Uploader.exe
2604	FF Logs Uploader.exe
2080	FF Logs Uploader.exe
1308	FF Logs Uploader.exe
1308	FF Logs Uploader.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

FF Logs Uploader.exe

description	pid	process	target process
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2860	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2780	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2780	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2780	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2148	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2148	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 2148	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 3008	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 3008	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 3008	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 3008	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 3008	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 3008	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 3008	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 3008	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 3008	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 3008	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 3008	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 3008	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 3008	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 3008	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 3008	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 3008	1308	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 1308 wrote to memory of 3008	1308	FF Logs Uploader.exe	FF Logs Uploader.exe

C:\Users\Admin\AppData\Local\Temp\FF Logs Uploader.exe
"C:\Users\Admin\AppData\Local\Temp\FF Logs Uploader.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1308

C:\Users\Admin\AppData\Local\Temp\FF Logs Uploader.exe
"C:\Users\Admin\AppData\Local\Temp\FF Logs Uploader.exe" --type=gpu-process --field-trial-handle=964,3437853105311266578,452887265118622258,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=960 /prefetch:2
2⤵
PID:2860

C:\Users\Admin\AppData\Local\Temp\FF Logs Uploader.exe
"C:\Users\Admin\AppData\Local\Temp\FF Logs Uploader.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=964,3437853105311266578,452887265118622258,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1440 /prefetch:8
2⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2780

C:\Users\Admin\AppData\Local\Temp\FF Logs Uploader.exe
"C:\Users\Admin\AppData\Local\Temp\FF Logs Uploader.exe" --type=renderer --disable-background-timer-throttling --field-trial-handle=964,3437853105311266578,452887265118622258,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --node-integration --webview-tag --no-sandbox --no-zygote --enable-remote-module --background-color=#fff --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1604 /prefetch:1
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:2148

C:\Users\Admin\AppData\Local\Temp\FF Logs Uploader.exe
"C:\Users\Admin\AppData\Local\Temp\FF Logs Uploader.exe" --type=gpu-process --field-trial-handle=964,3437853105311266578,452887265118622258,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=960 /prefetch:2
2⤵
PID:3008

C:\Users\Admin\AppData\Local\Temp\FF Logs Uploader.exe
"C:\Users\Admin\AppData\Local\Temp\FF Logs Uploader.exe" --type=renderer --disable-background-timer-throttling --field-trial-handle=964,3437853105311266578,452887265118622258,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-compositing --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --preload="C:\Users\Admin\AppData\Local\Temp\resources\app.asar\parser-ipc.js" --enable-remote-module --background-color=#fff --guest-instance-id=2 --enable-blink-features --disable-blink-features --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1872 /prefetch:1
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:2604

C:\Users\Admin\AppData\Local\Temp\FF Logs Uploader.exe
"C:\Users\Admin\AppData\Local\Temp\FF Logs Uploader.exe" --type=renderer --disable-background-timer-throttling --field-trial-handle=964,3437853105311266578,452887265118622258,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-compositing --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --preload="C:\Users\Admin\AppData\Local\Temp\resources\app.asar\parser-ipc.js" --enable-remote-module --background-color=#fff --guest-instance-id=2 --enable-blink-features --disable-blink-features --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1880 /prefetch:1
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
01676a784705ebd40cdc5c2bc722b13c

SHA1
53c200a55aa0c9a05b231e45a77b7adf4903b5e7

SHA256
34f37a500037ec2ff1d4f59c28a4583e66ef64b540ed915c36753b487aff10d5

SHA512
616e44310b2ad90a17b5bd79053eda536898b9168da32c1b6938bcbdc8d353b2c66bd5533b9bf77836c6a2465ece0ada43343c609b01d26367d769d922b9ebaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9d21d693595c0b44053629ef02ef063

SHA1
d8cbebd0962e621383674d4169e2bb632e47574b

SHA256
c2eb1327c53f7117828fd38cd6b8f7b2d05b10cf591aaab9405bbccfc77460a8

SHA512
91b337e70f0f81b96f4e6d4a1316b1d723098ff52b0f8b80665a694e4830370b168e023e6667b9e5245734cd700eb2e4b48ba4031a4ad4e731d368080f57fb73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd7a42853ea490aa81b71c75b0f304c0

SHA1
01443d4c8866a8012f2155308253bcf0dc4b10b7

SHA256
0329d4e5b149e6f679dbf7179734920de9cb21c8f550efc4ae919980e7d9da08

SHA512
48a84cc8d7334ad8ffa8ff78b8fc36e4848d74517e7926956c7889d37d0238bcf9a84d38fce772c49f6a511cbae2f569fcac26768f7be2ec219a22d336e43f14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53bbe94a7ff5d64c72d6517806dbd5fd

SHA1
70cf1f640fe54a2ca2239c672f1fc678088bd8ac

SHA256
c2341e5d45c24cf1d2110aa33c69dd5e7ccea8ce0c8f68943f171fb93d1d86c5

SHA512
7183404d2466628ef68a2bfbdfed3f2f4357d614385fb5cb1023441824fc446f5a1592d0f9c92adc11599fdf31ffa06696bc3ba3e0abcd26197781497ab96d3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b0ecbeb85f32e44e6f6a90144747a97c

SHA1
c092b31de0a610482aeac92bdbbbe6847374a82a

SHA256
3bca2aa6ec1e1c57ff358c3eb479b6f414c70b844edfb719884156994bb24267

SHA512
834b19319d4a62afebe67355fcb2f6bd978f77d804c52c9356f8710f4d2c5fa748e97eee32c4c542f8a0e5db25bfaebbd3c54b7bcdb4cdbf2b6e49d07957e6d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b4ab1a205c0d5a4cb9bf63b3a000b4e

SHA1
5cc08443ff710225c6c8ca4a73fd53f4d884a94f

SHA256
a2651c614bed8efcf024c7733474249015c717ca129d8b410d5470c879ac6d48

SHA512
bda70e86d4eb8571594c7ef5c647d7bb606b0ac8f185dd3419ac61592e9c105cbba7b9cfa10f25f8a10377ac51998e360a8c98fee5abc38e48bc7cc7eabc29b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7c6893b7ed17795afcac482634ac834

SHA1
452406f36253e88d1df8cc3c1adf6e3904334859

SHA256
94b77e715f655d3750ef299e0e08fd4629ffce2807d0357acd0df8dfe5dd7331

SHA512
46b69b702833af0bd6f2a6119c06ee32e542ef51e1fd4b6ac9bccfb5adf656dd40b588b0bee9c337620ccec1389ece7e34654dd5d9d8569c1fd45d11c1627eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1DCF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1DF1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\fflogs\8cd26178-c0ae-4d70-8cd6-847f36e63a10.tmp

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\fflogs\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
9adc1c827531d5b06de472d4d99dde67

SHA1
059b0c1eeacd4a2a608850979c6ce671b7f296a2

SHA256
8db0627b077fd55a95e6a55b51b070bd7becc29dab66bde5ada429362be2f028

SHA512
46668bb86a5b54d2fd0f352e704563061160bc1c78e7953775dc6ec7f962dc0217f14536a2194ba529a2f5d80cc4d7c0a7da07aeb4bb3a271b9503e17e3aca69

Download Submit
C:\Users\Admin\AppData\Roaming\fflogs\Dictionaries\en-US-9-0.bdic

Filesize
441KB

MD5
a78ad14e77147e7de3647e61964c0335

SHA1
cecc3dd41f4cea0192b24300c71e1911bd4fce45

SHA256
0d6803758ff8f87081fafd62e90f0950dfb2dd7991e9607fe76a8f92d0e893fa

SHA512
dde24d5ad50d68fc91e9e325d31e66ef8f624b6bb3a07d14ffed1104d3ab5f4ef1d7969a5cde0dfbb19cb31c506f7de97af67c2f244f7e7e8e10648ea8321101

Download Submit
C:\Users\Admin\AppData\Roaming\fflogs\settings.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
memory/2860-33-0x0000000077160000-0x0000000077161000-memory.dmp

Filesize
4KB

Download
memory/2860-1-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download