hxxps://www[.]roblox[.]com/games/17625359962/RIVALS

Analysis

max time kernel
166s
max time network
166s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
16/04/2025, 17:41

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://www.roblox.com/games/17625359962/RIVALS

Score

8^/10

bootkit defense_evasion discovery persistence

Malware Config

Signatures

Downloads MZ/PE file 2 IoCs

flow	pid	Process
159	2248	firefox.exe
159	2248	firefox.exe

Executes dropped EXE 4 IoCs

pid	Process
2576	GandCrab.exe
1852	GandCrab.exe
1092	GandCrab.exe
2840	Petya.A.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Documents\desktop.ini	firefox.exe
File opened for modification	C:\Users\Public\desktop.ini	firefox.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	firefox.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
118	raw.githubusercontent.com
146	raw.githubusercontent.com
155	raw.githubusercontent.com
156	raw.githubusercontent.com
159	raw.githubusercontent.com
160	raw.githubusercontent.com
115	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Petya.A.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\GandCrab.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Petya.A.exe:Zone.Identifier	firefox.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2536	2576	WerFault.exe	94
3388	1852	WerFault.exe	100
5324	1092	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GandCrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Petya.A.exe

Checks processor information in registry 2 TTPs 26 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\GandCrab.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Petya.A.exe:Zone.Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2248	firefox.exe
Token: SeDebugPrivilege	2248	firefox.exe
Token: SeDebugPrivilege	2248	firefox.exe
Token: SeDebugPrivilege	2248	firefox.exe
Token: SeDebugPrivilege	2248	firefox.exe
Token: SeShutdownPrivilege	2840	Petya.A.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2248	firefox.exe
2840	Petya.A.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2248	2784	firefox.exe	78
PID 2784 wrote to memory of 2248	2784	firefox.exe	78
PID 2784 wrote to memory of 2248	2784	firefox.exe	78
PID 2784 wrote to memory of 2248	2784	firefox.exe	78
PID 2784 wrote to memory of 2248	2784	firefox.exe	78
PID 2784 wrote to memory of 2248	2784	firefox.exe	78
PID 2784 wrote to memory of 2248	2784	firefox.exe	78
PID 2784 wrote to memory of 2248	2784	firefox.exe	78
PID 2784 wrote to memory of 2248	2784	firefox.exe	78
PID 2784 wrote to memory of 2248	2784	firefox.exe	78
PID 2784 wrote to memory of 2248	2784	firefox.exe	78
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 1596	2248	firefox.exe	79
PID 2248 wrote to memory of 4676	2248	firefox.exe	80
PID 2248 wrote to memory of 4676	2248	firefox.exe	80
PID 2248 wrote to memory of 4676	2248	firefox.exe	80
PID 2248 wrote to memory of 4676	2248	firefox.exe	80
PID 2248 wrote to memory of 4676	2248	firefox.exe	80
PID 2248 wrote to memory of 4676	2248	firefox.exe	80
PID 2248 wrote to memory of 4676	2248	firefox.exe	80
PID 2248 wrote to memory of 4676	2248	firefox.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.roblox.com/games/17625359962/RIVALS"
1⤵
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://www.roblox.com/games/17625359962/RIVALS
  2⤵
  - Downloads MZ/PE file
  - Drops desktop.ini file(s)
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1976 -prefsLen 27097 -prefMapHandle 1980 -prefMapSize 270279 -ipcHandle 2044 -initialChannelId {3955be28-46a9-4f7e-863c-8c8d190b4309} -parentPid 2248 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2248" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
    3⤵
    PID:1596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2428 -prefsLen 27133 -prefMapHandle 2432 -prefMapSize 270279 -ipcHandle 2440 -initialChannelId {b2f1ed4f-fcaf-40f5-8f81-979d3c5692f7} -parentPid 2248 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2248" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
    3⤵
    PID:4676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3840 -prefsLen 25164 -prefMapHandle 3844 -prefMapSize 270279 -jsInitHandle 3848 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3856 -initialChannelId {9d0a569e-5d8d-44b1-879b-eec03db4baf1} -parentPid 2248 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2248" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
    3⤵
    - Checks processor information in registry
    PID:5392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4004 -prefsLen 27274 -prefMapHandle 4008 -prefMapSize 270279 -ipcHandle 4080 -initialChannelId {e76eed6f-af4f-4cee-aa9b-1b34100df663} -parentPid 2248 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2248" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
    3⤵
    PID:5024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2812 -prefsLen 34773 -prefMapHandle 2816 -prefMapSize 270279 -jsInitHandle 2820 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3252 -initialChannelId {407555b3-cb90-4f53-aac1-496433a8cf6f} -parentPid 2248 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2248" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
    3⤵
    - Checks processor information in registry
    PID:4284
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5028 -prefsLen 35010 -prefMapHandle 5032 -prefMapSize 270279 -ipcHandle 5016 -initialChannelId {a2e209f0-3a10-4fe7-a23c-44fc83b157c5} -parentPid 2248 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2248" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
    3⤵
    - Checks processor information in registry
    PID:5668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5332 -prefsLen 32900 -prefMapHandle 5336 -prefMapSize 270279 -jsInitHandle 5340 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5348 -initialChannelId {7550390f-566f-4a1d-b09c-ca2ee53f7092} -parentPid 2248 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2248" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
    3⤵
    - Checks processor information in registry
    PID:2200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5556 -prefsLen 32952 -prefMapHandle 5560 -prefMapSize 270279 -jsInitHandle 5564 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5396 -initialChannelId {37795d21-41c6-41c0-8b89-0586ca476da9} -parentPid 2248 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2248" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
    3⤵
    - Checks processor information in registry
    PID:2420
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5724 -prefsLen 32952 -prefMapHandle 5728 -prefMapSize 270279 -jsInitHandle 5732 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5740 -initialChannelId {b5ab135d-6bdb-4100-b63c-e815d6dd193d} -parentPid 2248 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2248" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
    3⤵
    - Checks processor information in registry
    PID:5656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 1 -prefsHandle 2908 -prefsLen 35062 -prefMapHandle 6460 -prefMapSize 270279 -ipcHandle 6564 -initialChannelId {18a26d2a-7374-4da0-b754-bde20a8a7e87} -parentPid 2248 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2248" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 utility
    3⤵
    - Checks processor information in registry
    PID:708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5564 -prefsLen 32952 -prefMapHandle 6528 -prefMapSize 270279 -jsInitHandle 6508 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6512 -initialChannelId {4e9ab85f-fc01-458a-95d7-c9cf9ae9ed9f} -parentPid 2248 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2248" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 11 tab
    3⤵
    - Checks processor information in registry
    PID:3044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2776 -prefsLen 35062 -prefMapHandle 2780 -prefMapSize 270279 -jsInitHandle 2788 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6772 -initialChannelId {755ef9dd-4dff-4751-9b1b-c826ba2e73f7} -parentPid 2248 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2248" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 12 tab
    3⤵
    - Checks processor information in registry
    PID:1276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2960 -prefsLen 36502 -prefMapHandle 2920 -prefMapSize 270279 -jsInitHandle 6964 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7036 -initialChannelId {0c76b733-4e00-4b26-94d4-4be211177dd9} -parentPid 2248 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2248" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 13 tab
    3⤵
    - Checks processor information in registry
    PID:3532

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5680

C:\Users\Admin\Downloads\GandCrab.exe
"C:\Users\Admin\Downloads\GandCrab.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 256
  2⤵
  - Program crash
  PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2576 -ip 2576
1⤵
PID:2160

C:\Users\Admin\Downloads\GandCrab.exe
"C:\Users\Admin\Downloads\GandCrab.exe"
1⤵
- Executes dropped EXE
PID:1852
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 220
  2⤵
  - Program crash
  PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1852 -ip 1852
1⤵
PID:5260

C:\Users\Admin\Downloads\GandCrab.exe
"C:\Users\Admin\Downloads\GandCrab.exe"
1⤵
- Executes dropped EXE
PID:1092
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 220
  2⤵
  - Program crash
  PID:5324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1092 -ip 1092
1⤵
PID:1948

C:\Users\Admin\Downloads\Petya.A.exe
"C:\Users\Admin\Downloads\Petya.A.exe"
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2840

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\21fnvccy.default-release\activity-stream.discovery_stream.json

Filesize
26KB

MD5
45dac6d5af3e4396feda85bb1764fdc7

SHA1
9fc81727735fb004b189846fd7a35aef11ce05e8

SHA256
4bcb2880f58684c8a164d59f9072367a17014b8961a08332ee444214ab870b5d

SHA512
ee60a093b58d01af38cc041d65cd4466c7216e8e9fbcfd63944e624cc1eae49636e82c1b37ef46241098243bdcc08937a571f17377fa032734f093a95ba63dc0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\21fnvccy.default-release\cache2\entries\73EC3764FB3BA737E60C1F3545992FF513570DA7

Filesize
13KB

MD5
1575a816aa431165ea946d4caf931898

SHA1
49874f9006e26b458ae5503719adc175d46abff4

SHA256
671e176bdf2ce6fb4dca0fc2b2e1af86beecf5370ee71c11d519523c87e2d092

SHA512
08df270516558dbf4cff5cdd21060be04ca12d147e3d482d890e3b3dc0ab36ea037e59dd76944739902236fd0fca74b83ce4ac27a65d1cbd47a6eb51ba891389

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\21fnvccy.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9

Filesize
13KB

MD5
0cd4d49ba5fe5533ec9def3b19404a7d

SHA1
5d9b3faee4518c86b99b7a4c8b5b3ce2c22026e1

SHA256
6eecd8a630fb7b0da947c67d29c005f5190bf941b0aa4ad1e65a0901f8eeb8a9

SHA512
feaa66c8c8173e771f077f4b1c503e9637a732e56356fea5976f3ab77bda98d6d0114834dc67b54af1a2265a72ea58e36bf4d3a61336cb46e9d9698dbad02ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
11KB

MD5
25e8156b7f7ca8dad999ee2b93a32b71

SHA1
db587e9e9559b433cee57435cb97a83963659430

SHA256
ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986

SHA512
1211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
14.0MB

MD5
bcceccab13375513a6e8ab48e7b63496

SHA1
63d8a68cf562424d3fc3be1297d83f8247e24142

SHA256
a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9

SHA512
d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
502KB

MD5
e690f995973164fe425f76589b1be2d9

SHA1
e947c4dad203aab37a003194dddc7980c74fa712

SHA256
87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171

SHA512
77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\AlternateServices.bin

Filesize
16KB

MD5
4f46fa6db4ff57b1e5b3395a5cedf8fb

SHA1
363a88d939994cc5d8960fc60e0ff35eb0f5ef25

SHA256
44b53cd2406c9fb291235fb7ff8c6d38404c6c1ed9f2c9afa9da7e696cd116eb

SHA512
a37381c27af87e5d9a690d34246c8dd10f37e3c0c1546e3fdcc72fb98cbba0bcd952c1cc58e5b336c8a934adb56c605633f8d685b8100608ec6fef0c3d2d7ecf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\AlternateServices.bin

Filesize
8KB

MD5
67aa6e454c12aef5ef2b9bab3b7af244

SHA1
fa890beb97dfcea7e36b827bf0ef66ba287727dc

SHA256
a1e207e0cbf69197d80dde861a6194ab649668879dc5768efaee4817b24341c1

SHA512
ae373bfe66bb57d73bfdc0fc64bc37b000648dc32a191215ee5167894fda0e853470190efe8e8892cb3108bd51eaba7d0f4750bc0a6216fb0e49c9b58e24205f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\SiteSecurityServiceState.bin

Filesize
5KB

MD5
97e165d4d123e9fe0f3a6ab5814ddbb2

SHA1
955e75c4aa5ef2e41628207cbcad050ad74eff9c

SHA256
5816680c761e10317a3a6e3fb460aeab8a2fee6b11d739559b7f711b1a65e29a

SHA512
805daefe08509a1f2d4596fc4c10e4c9588d7b68664a3a66c59f457b05eacb79e88ce9904e2b92c2a1b5703551fbd988bfe65deada584ebce9c28a6c3c5a003b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
ec65bb7ad896efdbaa8247637f9de616

SHA1
a73428adcf37dbe2e51cbb13946af948d10d3f32

SHA256
c0e356e9a51b559278c1b947c2f0d23be46ffa95cb7a809416a7ac52094a12f4

SHA512
6077732b7fef8691e9f62e67febbacb41120855a70177ffa379ba034f372329e0acdf8fc0b4a473cee94ee653c5b1ce7733fb7ef8f59f55b16721983327a408d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
153e225e06b7eea2eb06129191496dac

SHA1
82ed1cbba383b2bf86c54a127be548ff6c8ff2bb

SHA256
34b74fc8d310438b9f8986db01cf76a74ba3128570e65294330ede242bba10ce

SHA512
ca15e206d482ef0b7bcb7a8385ecc287de759367a9c68edfadfabfdec43904540e685bd4e6f6e23d9c0e01ab52d33b9e1cb267e0c6fa4e7dccd6ca0fa59dce5d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
30e21a4a28268ac9799f7aaa600fd9d9

SHA1
6b020ae866b3a88dbafeb71ba3b4be9a675b0c37

SHA256
5f016d14a7f50de76ee88b197c27812d9066638816bd003c6e8239e14bb33680

SHA512
d6f1b8811b3899fbc2968cfd0dacda9d43fef9e754c4f7b03686e77b1a08029b03ffb7b18a1dd14b3ec3d1e7e6974d3a97c073714cd085777db038f86d072dd5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\datareporting\glean\pending_pings\0bf63696-12d8-433e-bd38-71baa0c0bfdc

Filesize
235B

MD5
83fe955dfe29eada45555c8cd3e8208b

SHA1
b653a242089c5bd7a16d5f8f0da95c0a1fee470d

SHA256
9f199b4e48ff894fd3cd69ab8d53c67d8c96a632a97111916739a5d2fc0d4a4d

SHA512
f2a124c6866de4ff9e1020b990327fde2b261c8bd5c7939fda8794845aeecddb627847137db609bea13e69fa018922c5db6cb91495352cd6a903cba88ab40fac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\datareporting\glean\pending_pings\9cca9afd-857e-4610-a4fe-de7b9a307ebc

Filesize
886B

MD5
0f3ad320480fa4796fb5515d70f0a997

SHA1
76f82dc6368cf26588f6e3bbd611c14184e564ad

SHA256
141328873d749c47b438603fe6c4f882867018ce08b1171e741b3b8c72b67799

SHA512
66f0e9baa19042f63c0c8474e5cf9fca0fe32557ca738403a1944ac036044a58f48e8df937ab2ca1f4074953329959b69bd117b725c4388fccc86758444fe3b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\datareporting\glean\pending_pings\a3e2e16a-8bc7-420c-90a3-d5ba175fdb04

Filesize
2KB

MD5
6afec9e7074bdcb212930aeb96403a8e

SHA1
bf8e2dc46aede68ade045d41ef1220799b5f08a9

SHA256
a9ad18b32b902ae9173043a0700db48f192a1815d728f8a4dae91c64d869d1b4

SHA512
7d56ba272d0388f15bdc7fdac03da921c50e0f9d0df8b7bec039ec1275211aa2c3de475e0da7bccec2e90a37be6119b7d6964209eac2af2821d12ce52fd5abe4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\datareporting\glean\pending_pings\abed5cf1-c4b7-49cd-bd50-1355b20b7c50

Filesize
883B

MD5
e91ea6376ee35f2b5b2c2d76e48ba663

SHA1
d6abec8f1223e22c4717944a8555f10f53d68934

SHA256
4f40a1f8c54a0f0fb2b7d913b540e6ebbd60741e6df1acf229e862879be2d92c

SHA512
33309a2c2ac7a3fb10561f7972cbcc826878897172fd52a5bdd08c4e50c31240c0fa7f940685632f19f2dc7f4239b87957b0dcc84ffe63c352340e04c08d7b1d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\datareporting\glean\pending_pings\da540feb-44bd-4e0a-8a6e-9f02491f62b2

Filesize
16KB

MD5
d50020e2947d5ac8ba4874165a949f3c

SHA1
dd7d0c3095027ae4b443d43c3e83b2eec96b07c3

SHA256
2e1a6ecd06e75ebfae3dde8cdbbfbd6875b792d90d16b945faec5b7c34f470d3

SHA512
8a8969153b9a38489caac42a5040deb71da46855fbe2713c9f174af4f7ae38d872f7e062dd3feda94028a160e372b2ea2334ff24e9823ef5a3597662170d9b53

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\datareporting\glean\pending_pings\e22e9656-a369-4ac1-aabd-d95aacfe8cfe

Filesize
235B

MD5
22e46e0fb4c2168023a77a1ab9517671

SHA1
542f9510bb6c4f75c8338cd77755318988817160

SHA256
efe4aa8d3c8db347965eb1cb82c10292ad129d9b324ade8a1a1cf8a54f5adc21

SHA512
11bc99dff218518b0406919718f8c8278bb835bb69c5b51e234759e284ea0ed24ad3842d57592342f69f967aeff67cf6fb0243700464c2dd54e712e9f7809d7d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\extensions.json

Filesize
16KB

MD5
d5af6b8331a1ba2e503ac8bdff2e3754

SHA1
82fdf90dc358f8026ba85b56508e06e547049186

SHA256
7f920e65d3a705b9d869c4de32f8bc1f508b1f5b34552dea43f11d3e667400e6

SHA512
aa17942a26d90e2cbc2b684ad2d0916199a561fabccb7e9e26a4d5215530721f2e4ef4205d7b454c7cdadef8edaf87fb38104c28065d90f32d914bb5522aa10b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll

Filesize
1.1MB

MD5
626073e8dcf656ac4130e3283c51cbba

SHA1
7e3197e5792e34a67bfef9727ce1dd7dc151284c

SHA256
37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651

SHA512
eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info

Filesize
116B

MD5
ae29912407dfadf0d683982d4fb57293

SHA1
0542053f5a6ce07dc206f69230109be4a5e25775

SHA256
fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6

SHA512
6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json

Filesize
1001B

MD5
32aeacedce82bafbcba8d1ade9e88d5a

SHA1
a9b4858d2ae0b6595705634fd024f7e076426a24

SHA256
4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce

SHA512
67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll

Filesize
18.5MB

MD5
1b32d1ec35a7ead1671efc0782b7edf0

SHA1
8e3274b9f2938ff2252ed74779dd6322c601a0c8

SHA256
3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648

SHA512
ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\prefs-1.js

Filesize
8KB

MD5
42c83bd1cf5b77c8d8492fdf537c76d7

SHA1
6012d31793ae46cc33590cb687565c61578bf0a7

SHA256
edb4e79d9e760426dde6bfb0a4b555846f697ba7413bb858114ad0668de17945

SHA512
9b45b7232f5601f02885cf8fe61057b1f354c372b33548eced0b2a25197a5eb1ca99e396f9e2d0075a9a92e899e5429e9a3738eed6fdf98f193e61736dd66981

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\prefs-1.js

Filesize
6KB

MD5
a134ef0a4b8388abae39758e0634b469

SHA1
63e3cd7e3a16bcfd97d711484ca1558a0abde28c

SHA256
1338e86a270179fe3a7178a457a684774dd76f03cc6ef35fa198fe779c9e8f29

SHA512
386c56f7ee4c6be203c5e455f26a98dc357c400dd4a24e2a334e553ca69f9c68b31fde46c4508dde1bd7efca641afcfeefa84cc2f7ff02e8a759f7d74edc1e8b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\prefs.js

Filesize
7KB

MD5
c54ef8a48e1123161dc4212290956fdd

SHA1
351708a741465b2d56e974874918b000e7f6a17b

SHA256
38b1df5e1c8c0a5bbf72c11af9cae3ccbf848be2b036d306c195ede787051474

SHA512
7b6fa0294e0893c79821d1338e657ebb429ecbb52a3aa5209883b813cd080273a4683969a6dff10bcc6d17cbd1378c7ff9dea07c81570c0bcfd192969d5054d7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
f77951318ef2a4511b621879a031d417

SHA1
32a07bb2fcdc0b2e7045630973e2564987b2dd84

SHA256
15d2f8723579bb0aaa0eac3eb09a64ce70ade27c936400766865a356a613b9f3

SHA512
bfc7a42776da7115b1e2245d917574d4113c7c7de00949bc327146453cf79e00dd7e9a0127ede75333687f0288195047be7559ba68483f83807e0126c624e572

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
0b97b0fe55ef77dcac34e525715a2f47

SHA1
e774d4b50c04156a265c6100b2de6630beb27a64

SHA256
0ebcb669231efd8210f78d26606ee3c3fc4bac1de5dcac91f939fc7d1b5a8f06

SHA512
8e8e1b808dffc5f132f8d9b6abd8fc065d9ac2e96045e8051d8116e4be28d963a0a024416eb27c09a3b5b53aff253890f99c2ab3d9122d0420cd883b15638093

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
2246199b457ab4a94da7c898bf67054b

SHA1
0f18cb7f61027d123a37b273bc435b311f19ec31

SHA256
d6920f3a1e0e269aa7877c506fa980f145467f3dce46ec588fae40f8cb52e45d

SHA512
80a4b038da099f3d340ce8641b006dc2fa40504ee01edbf6fbca9cb1c27fa9c2a2b85c6453f312c5e862ce80c8efc9d943aaf0425f1c2a781bda97876f7cd92c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
28e29dc414ff791ebd0eaa084249fd32

SHA1
7ec8b3ecdc081906c77878ba9718c041698145df

SHA256
7d4e98ab2b9ff78fad868aaeffe1b4795239a2aa3ae9e2da857771dda9625368

SHA512
e186d74fa9e2bef8baa0182b2e9affa0ddfd0b94dbb9e9acbedc62d856814d368dc9e30048e219fc847e1c3351e7a7c632883e130a56303a48100a5f46e13973

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\21fnvccy.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
3.8MB

MD5
649ab888380d02ea9f658036f98327d7

SHA1
895c49a27db26870c46354ea019e8a9bf7eaeb5b

SHA256
cebad9809b1ed99c272b26662efcf19eac979af79d80c7df5d124cdab3810d1c

SHA512
be7bc3e4e3a6a6dc1086b852094aa575daf625852c8bc634b6e95bdfebd43597b16a57b52af43af4776606c162c0174b1eeccea8cbc9b7a123d106ee4c09a6fa

Download Submit
C:\Users\Admin\Downloads\GandCrab.CHFXt9e0.exe.part

Filesize
291KB

MD5
e6b43b1028b6000009253344632e69c4

SHA1
e536b70e3ffe309f7ae59918da471d7bf4cadd1c

SHA256
bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a

SHA512
07da214314673407a7d3978ee6e1d20bf1e02f135bf557e86b50489ecc146014f2534515c1b613dba96e65489d8c82caaa8ed2e647684d61e5e86bd3e8251adf

Download Submit
C:\Users\Admin\Downloads\Petya.qqOtCcDv.A.exe.part

Filesize
225KB

MD5
af2379cc4d607a45ac44d62135fb7015

SHA1
39b6d40906c7f7f080e6befa93324dddadcbd9fa

SHA256
26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

SHA512
69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

Download Submit
memory/2576-1306-0x00000000054F0000-0x00000000055F0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads