653bfeb94f41c3a3e35b39f8f980393fcbed4c4ee1f82c2e82d9f1089f2b08fa

Analysis

max time kernel
495s
max time network
497s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-10-2024 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

free robux by jan.exe
Size

37KB
MD5

890ee6656ca4c3b83fd466f7cfb985d4
SHA1

b66619a4c85075912452f245ad488698819716ea
SHA256

653bfeb94f41c3a3e35b39f8f980393fcbed4c4ee1f82c2e82d9f1089f2b08fa
SHA512

08bdf9bdedd4921b2b302daa533c314676bb8ccfe2346e07daf19e7eb03142223238865ed80a94841de3b8269be7ee7436b297354473986986240dc4f08186ff
SSDEEP

384:4yVvEiTbTvpWNcZ0y8fvCv3v3HLkacparAF+rMRTyN/0L+EcoinblneHQM3epzX9:JV7TZ38fvCv3v1cQrM+rMRa8Nudrt

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3160	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\78bd20d76fe16a23d2ebbd3cf81edd1c.exe	free robux by jan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\78bd20d76fe16a23d2ebbd3cf81edd1c.exe	free robux by jan.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\78bd20d76fe16a23d2ebbd3cf81edd1c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\free robux by jan.exe\" .."	free robux by jan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\78bd20d76fe16a23d2ebbd3cf81edd1c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\free robux by jan.exe\" .."	free robux by jan.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	7.tcp.eu.ngrok.io
11	7.tcp.eu.ngrok.io

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	free robux by jan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31138818"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "479731186"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0"	iexplore.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
760	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe
3384	free robux by jan.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3384	free robux by jan.exe
760	POWERPNT.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3384	free robux by jan.exe
Token: 33	3384	free robux by jan.exe
Token: SeIncBasePriorityPrivilege	3384	free robux by jan.exe
Token: 33	3384	free robux by jan.exe
Token: SeIncBasePriorityPrivilege	3384	free robux by jan.exe
Token: 33	3384	free robux by jan.exe
Token: SeIncBasePriorityPrivilege	3384	free robux by jan.exe
Token: 33	3384	free robux by jan.exe
Token: SeIncBasePriorityPrivilege	3384	free robux by jan.exe
Token: 33	3384	free robux by jan.exe
Token: SeIncBasePriorityPrivilege	3384	free robux by jan.exe
Token: 33	3384	free robux by jan.exe
Token: SeIncBasePriorityPrivilege	3384	free robux by jan.exe
Token: 33	3384	free robux by jan.exe
Token: SeIncBasePriorityPrivilege	3384	free robux by jan.exe
Token: 33	3384	free robux by jan.exe
Token: SeIncBasePriorityPrivilege	3384	free robux by jan.exe
Token: 33	3384	free robux by jan.exe
Token: SeIncBasePriorityPrivilege	3384	free robux by jan.exe
Token: 33	3384	free robux by jan.exe
Token: SeIncBasePriorityPrivilege	3384	free robux by jan.exe
Token: 33	3384	free robux by jan.exe
Token: SeIncBasePriorityPrivilege	3384	free robux by jan.exe
Token: 33	3384	free robux by jan.exe
Token: SeIncBasePriorityPrivilege	3384	free robux by jan.exe
Token: 33	3384	free robux by jan.exe
Token: SeIncBasePriorityPrivilege	3384	free robux by jan.exe
Token: 33	3384	free robux by jan.exe
Token: SeIncBasePriorityPrivilege	3384	free robux by jan.exe
Token: 33	3384	free robux by jan.exe
Token: SeIncBasePriorityPrivilege	3384	free robux by jan.exe
Token: 33	3384	free robux by jan.exe
Token: SeIncBasePriorityPrivilege	3384	free robux by jan.exe
Token: 33	3384	free robux by jan.exe
Token: SeIncBasePriorityPrivilege	3384	free robux by jan.exe
Token: 33	3384	free robux by jan.exe
Token: SeIncBasePriorityPrivilege	3384	free robux by jan.exe
Token: 33	3384	free robux by jan.exe
Token: SeIncBasePriorityPrivilege	3384	free robux by jan.exe
Token: 33	3384	free robux by jan.exe
Token: SeIncBasePriorityPrivilege	3384	free robux by jan.exe
Token: 33	3384	free robux by jan.exe
Token: SeIncBasePriorityPrivilege	3384	free robux by jan.exe
Token: 33	3384	free robux by jan.exe
Token: SeIncBasePriorityPrivilege	3384	free robux by jan.exe
Token: 33	3384	free robux by jan.exe
Token: SeIncBasePriorityPrivilege	3384	free robux by jan.exe
Token: 33	3384	free robux by jan.exe
Token: SeIncBasePriorityPrivilege	3384	free robux by jan.exe
Token: 33	3384	free robux by jan.exe
Token: SeIncBasePriorityPrivilege	3384	free robux by jan.exe
Token: 33	3384	free robux by jan.exe
Token: SeIncBasePriorityPrivilege	3384	free robux by jan.exe
Token: 33	3384	free robux by jan.exe
Token: SeIncBasePriorityPrivilege	3384	free robux by jan.exe
Token: 33	3384	free robux by jan.exe
Token: SeIncBasePriorityPrivilege	3384	free robux by jan.exe
Token: 33	3384	free robux by jan.exe
Token: SeIncBasePriorityPrivilege	3384	free robux by jan.exe
Token: 33	3384	free robux by jan.exe
Token: SeIncBasePriorityPrivilege	3384	free robux by jan.exe
Token: 33	3384	free robux by jan.exe
Token: SeIncBasePriorityPrivilege	3384	free robux by jan.exe
Token: 33	3384	free robux by jan.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
3904	firefox.exe
3904	firefox.exe
3904	firefox.exe
3904	firefox.exe
3904	firefox.exe
3904	firefox.exe
3904	firefox.exe
3904	firefox.exe
3904	firefox.exe
3904	firefox.exe
3904	firefox.exe
3904	firefox.exe
3904	firefox.exe
3904	firefox.exe
3904	firefox.exe
3904	firefox.exe
3904	firefox.exe
3904	firefox.exe
3904	firefox.exe
3904	firefox.exe
3904	firefox.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
760	POWERPNT.EXE
760	POWERPNT.EXE
760	POWERPNT.EXE
760	POWERPNT.EXE
760	POWERPNT.EXE
760	POWERPNT.EXE
760	POWERPNT.EXE
3904	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3384 wrote to memory of 3160	3384	free robux by jan.exe	81
PID 3384 wrote to memory of 3160	3384	free robux by jan.exe	81
PID 3384 wrote to memory of 3160	3384	free robux by jan.exe	81
PID 3952 wrote to memory of 3904	3952	firefox.exe	103
PID 3952 wrote to memory of 3904	3952	firefox.exe	103
PID 3952 wrote to memory of 3904	3952	firefox.exe	103
PID 3952 wrote to memory of 3904	3952	firefox.exe	103
PID 3952 wrote to memory of 3904	3952	firefox.exe	103
PID 3952 wrote to memory of 3904	3952	firefox.exe	103
PID 3952 wrote to memory of 3904	3952	firefox.exe	103
PID 3952 wrote to memory of 3904	3952	firefox.exe	103
PID 3952 wrote to memory of 3904	3952	firefox.exe	103
PID 3952 wrote to memory of 3904	3952	firefox.exe	103
PID 3952 wrote to memory of 3904	3952	firefox.exe	103
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 2088	3904	firefox.exe	104
PID 3904 wrote to memory of 1532	3904	firefox.exe	105
PID 3904 wrote to memory of 1532	3904	firefox.exe	105
PID 3904 wrote to memory of 1532	3904	firefox.exe	105
PID 3904 wrote to memory of 1532	3904	firefox.exe	105
PID 3904 wrote to memory of 1532	3904	firefox.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\free robux by jan.exe
"C:\Users\Admin\AppData\Local\Temp\free robux by jan.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3384
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\free robux by jan.exe" "free robux by jan.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3160

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1200

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
1⤵
- Modifies Internet Explorer settings
PID:4284

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Desktop\CompressUnregister.odp" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:760

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1872 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {030678ea-ab3d-40c0-ba6d-7b294ab33969} 3904 "\\.\pipe\gecko-crash-server-pipe.3904" gpu
    3⤵
    PID:2088
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2336 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad3835f4-ec57-443e-8a89-9c046c942449} 3904 "\\.\pipe\gecko-crash-server-pipe.3904" socket
    3⤵
    PID:1532
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2956 -childID 1 -isForBrowser -prefsHandle 2884 -prefMapHandle 2936 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {03a5d6dc-8b2c-4785-abd4-f52bad71a567} 3904 "\\.\pipe\gecko-crash-server-pipe.3904" tab
    3⤵
    PID:1220
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3908 -childID 2 -isForBrowser -prefsHandle 3900 -prefMapHandle 3896 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {39d5a7a1-e222-43b9-becc-cedfdce5ff6d} 3904 "\\.\pipe\gecko-crash-server-pipe.3904" tab
    3⤵
    PID:1676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4828 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4780 -prefMapHandle 4856 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {44dea375-d30b-4418-99c3-630d2a2145e4} 3904 "\\.\pipe\gecko-crash-server-pipe.3904" utility
    3⤵
    - Checks processor information in registry
    PID:2764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5008 -childID 3 -isForBrowser -prefsHandle 5344 -prefMapHandle 5292 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1628175e-49da-4133-b85f-94300ec94f93} 3904 "\\.\pipe\gecko-crash-server-pipe.3904" tab
    3⤵
    PID:2488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5556 -childID 4 -isForBrowser -prefsHandle 5476 -prefMapHandle 5480 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2342a81-3a3b-40af-9a99-4b877843ff45} 3904 "\\.\pipe\gecko-crash-server-pipe.3904" tab
    3⤵
    PID:2296
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5748 -childID 5 -isForBrowser -prefsHandle 5668 -prefMapHandle 5672 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50e0aae4-1745-4970-bfe2-7315414359f7} 3904 "\\.\pipe\gecko-crash-server-pipe.3904" tab
    3⤵
    PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\maevrvll.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
eaa6abf7dd8a31e3857f13843e877215

SHA1
d5a02562a9366f582b00e43e6c361766d1a97ee7

SHA256
b08489330b3c0f9f8df816205f74288cddaf2a6ad398a36c011ae634fdceca0a

SHA512
fdda627b390ec4ca6e7e3a91f53509fedce3e2254154340e9ab3fc02e53af7c009987fa2fd2650b098637a8f8b6958343fe6dd2d2ad5b10991313fece4d45408

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\98a603e3-05c5-4812-a5df-288aacfa38a6.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
8361fa2b07928e3efbabcc26b0935e4b

SHA1
fc0849f04fea5b6cfb5c10324a7af28a44ec39a2

SHA256
c759ce4b15fc85df61f92c82d91a2a48e15d3ae98dd41d6e39a44847abc1f8b7

SHA512
630b67359ea4db9aaf506a63c4d729e1989b6af8be1a969137451ff3175cce959102e4245f72f7fbd879453ff9b1fc02d3f1e0401cdf9af233a8199448190cfe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
4d151f0266e9f33a72a9f03aa768e7fa

SHA1
8f2b1dc2ca2f7fed56118939ee86f7d087a64238

SHA256
fca3a8ae6b3b89ab80bde2bd90fc00c191f948b5e2e2b0c504385b81ffc6da44

SHA512
48aaefe6dcfa5ea3cbfb9f2c2dcc4666db1b867d2e00da1ad40b041daf2549225f9b2b5ed662c551cacc8f694f881f73a1bff0168c04d4555bed57fe0c8de0ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
e8bd5b27a9e498bbe7854929f3b201f2

SHA1
b32661425ec0a4e898d22b794c3895e6178efc8c

SHA256
64c28feac44f15c6e6b6e9489c588e9909da1d9a1d5386fcc8ac7854ddac208f

SHA512
6aa14f71e56d3bdab184b10824374906641a1f7e742dd7c0de78b60cdd417c3da983c4a5b4fd376a26de6cae767f1c6b150e87c3802358e9d445876dd2672c22

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\pending_pings\600a09e1-dc8f-49c3-bfc8-657e27d7712b

Filesize
982B

MD5
0852ae4563bf3c7176fd9e8ffcfcc823

SHA1
99a706978278c427aaac406516183e43b6c20753

SHA256
7952c91bde93cd271b61f15ebfc020428fb0dbcb448c42a0e6b54a15e3c91791

SHA512
f428658169498aef59a6ece063a1eaf587984e925f6a7bb0a7936a2ae4cf7838195a76e998c93c4100ac6c7a2b0afb5405ed28b8dd831cea065fed0ecf0a550f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\pending_pings\6c2d6db8-6d7f-4827-a904-df5306ae5a00

Filesize
25KB

MD5
02159ce28f925e266ffdd2882879bf06

SHA1
73ed8ce39794c10654850b7202f93848b23c3be2

SHA256
5b73e37f7ddcd3f5064da9af3ca6a9bc24c7cb374b614babdf41311d5ef522d9

SHA512
6718567d61244009623f736de8c1c746e6019dcfd79ffd048140313b32f1944b66ea054aa908a43ab9c2a2aef0c3a2fbb172b0b854d1d1cdd4ecea8be0753a68

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\pending_pings\fea8e137-05f0-46de-9f2f-57809bef1155

Filesize
671B

MD5
8c91f292c7eac1f9ac41a373ca6ef1ad

SHA1
1adebfb24a1bf4d026e98d3c640af68fa029a98a

SHA256
33420935007b77fddf9bb0abd4c9ab56245a6dec3d559302c62b53d63a6a0894

SHA512
aeb06af1bbd14ee983986c52a24c61154db0eea87011d6db01fd5bd5e5fb969918dedc8515811eab58d856fdcd585a3deec4003f8dd1b716b6713f7270253e9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\prefs.js

Filesize
11KB

MD5
2d2b34013945e09f1f2b0d0850605ed2

SHA1
0fe96cec076aa27b68f047528ff6b605c88644f2

SHA256
09b1b931d2082abbd6912c896702dafb8a8e62282a50ac98cc8d48331b7b074a

SHA512
7fece66e371cdef68169d8f4986de49c328e3124303fd138508cc419ae8258283256e6e6181ed56d3349266221709081274510ab55daf7ecf43dd1c8122aa6ab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\prefs.js

Filesize
11KB

MD5
dae55cd5ea3e187184b46514d2f6aa40

SHA1
bb236360aee2cc2ede81c6f25c61522fb51e1800

SHA256
3daa7157f4e7b6bf8b83b10bc223ffa1e9416a147f4d9abf2b7742c03c9b53cc

SHA512
74d93f8185a13fb5bb1a9473f42e229ab0ef261bbbeee983af646a83e50b2fe092a264063518962a45b9c4059d171fbbd833acbc4fffce9c6fbe2a3af10057e7

Download Submit
memory/760-20-0x00007FFCD8510000-0x00007FFCD8520000-memory.dmp

Filesize
64KB

Download
memory/760-16-0x00007FFCD8510000-0x00007FFCD8520000-memory.dmp

Filesize
64KB

Download
memory/760-19-0x00007FFCD8510000-0x00007FFCD8520000-memory.dmp

Filesize
64KB

Download
memory/760-21-0x00007FFCD5970000-0x00007FFCD5980000-memory.dmp

Filesize
64KB

Download
memory/760-22-0x00007FFCD5970000-0x00007FFCD5980000-memory.dmp

Filesize
64KB

Download
memory/760-17-0x00007FFCD8510000-0x00007FFCD8520000-memory.dmp

Filesize
64KB

Download
memory/760-18-0x00007FFCD8510000-0x00007FFCD8520000-memory.dmp

Filesize
64KB

Download
memory/3384-0-0x0000000074DC1000-0x0000000074DC2000-memory.dmp

Filesize
4KB

Download
memory/3384-9-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/3384-8-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/3384-7-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/3384-6-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/3384-5-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/3384-4-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/3384-2-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/3384-1-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download