download:

/attachments/1323723561990357072/1327141071070691358/hack_fivem_free_v9.rar

Full analysis: https://app.any.run/tasks/8e64149e-916c-4a59-9bf8-62e2bdd014f5
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: January 10, 2025, 21:16:30
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
discord
screenshot
telegram
remote
xworm
stealer
ims-api
generic
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

A71FB655D5BEA9DB004CBEFCBDC276BE

SHA1:

FCCC020A38F9C9B2882A65EE86A01EDBA1820213

SHA256:

FF21FAB497319957D4488DEC472E8330EDB333B2E729F18F6E0F98324CD76FB8

SSDEEP:

98304:v4ClofQKPfVfpUsxR/UwGTqdI07qCDGFCgqVkYb2g8BRLN0SwBCuVDNuVpE1/UIq:+ECXid4RUnv8J2/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Known privilege escalation attack

      • dllhost.exe (PID: 8124)
    • Changes powershell execution policy (Bypass)

      • hack fivem free v9.exe (PID: 6640)
      • dasHost.exe (PID: 6164)
      • f1.exe (PID: 6260)
      • cmd.exe (PID: 5720)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6228)
      • powershell.exe (PID: 8080)
      • powershell.exe (PID: 6496)
      • powershell.exe (PID: 6604)
      • powershell.exe (PID: 444)
      • powershell.exe (PID: 7852)
      • powershell.exe (PID: 344)
      • powershell.exe (PID: 7540)
      • powershell.exe (PID: 1044)
    • Adds path to the Windows Defender exclusion list

      • hack fivem free v9.exe (PID: 6640)
      • dasHost.exe (PID: 6164)
      • s8.exe (PID: 7272)
      • f1.exe (PID: 6260)
      • cmd.exe (PID: 6168)
    • Adds process to the Windows Defender exclusion list

      • hack fivem free v9.exe (PID: 6640)
      • f1.exe (PID: 6260)
    • Executing a file with an untrusted certificate

      • s8.exe (PID: 8016)
      • s8.exe (PID: 7272)
    • Changes the autorun value in the registry

      • dasHost.exe (PID: 6164)
      • f1.exe (PID: 6260)
    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 7520)
    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 7232)
    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 7520)
    • Changes settings for real-time protection

      • powershell.exe (PID: 7520)
    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 7520)
    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 7520)
    • Actions looks like stealing of personal data

      • s8.exe (PID: 7272)
    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 7520)
    • Changes Controlled Folder Access settings

      • powershell.exe (PID: 7520)
    • Resets Windows Defender malware definitions to the base version

      • MpCmdRun.exe (PID: 2776)
    • Uses Task Scheduler to run other applications

      • f1.exe (PID: 6260)
    • Create files in the Startup directory

      • f1.exe (PID: 6260)
    • XWORM has been detected (SURICATA)

      • f1.exe (PID: 6260)
    • Connects to the CnC server

      • f1.exe (PID: 6260)
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 7528)
      • HTTPDebuggerSvc.exe (PID: 8144)
    • Creates/Modifies COM task schedule object

      • msiexec.exe (PID: 8116)
    • The process creates files with name similar to system file names

      • msiexec.exe (PID: 7312)
    • Drops a system driver (possible attempt to evade defenses)

      • msiexec.exe (PID: 7312)
      • HTTPDebuggerSvc.exe (PID: 8144)
    • Creates files in the driver directory

      • HTTPDebuggerSvc.exe (PID: 8144)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 7368)
      • dasHost.exe (PID: 6164)
      • f1.exe (PID: 6260)
    • Executable content was dropped or overwritten

      • HTTPDebuggerSvc.exe (PID: 8144)
      • hack fivem free v9.exe (PID: 6640)
      • dasHost.exe (PID: 6164)
      • s8.exe (PID: 8016)
      • csc.exe (PID: 7728)
      • f1.exe (PID: 6260)
    • Reads Microsoft Outlook installation path

      • HTTPDebuggerUI.exe (PID: 6868)
    • Adds/modifies Windows certificates

      • HTTPDebuggerSvc.exe (PID: 8144)
    • Probably UAC bypass using CMSTP.exe (Connection Manager service profile)

      • hack fivem free v9.exe (PID: 7980)
    • Runs shell command (SCRIPT)

      • mshta.exe (PID: 7424)
      • mshta.exe (PID: 7204)
    • Uses TASKKILL.EXE to kill process

      • mshta.exe (PID: 7424)
    • Starts CMD.EXE for commands execution

      • mshta.exe (PID: 7204)
      • s8.exe (PID: 7272)
    • Checks for external IP

      • svchost.exe (PID: 2192)
      • hack fivem free v9.exe (PID: 6640)
      • s8.exe (PID: 7272)
    • Script adds exclusion process to Windows Defender

      • hack fivem free v9.exe (PID: 6640)
      • f1.exe (PID: 6260)
    • Script adds exclusion path to Windows Defender

      • hack fivem free v9.exe (PID: 6640)
      • dasHost.exe (PID: 6164)
      • f1.exe (PID: 6260)
      • cmd.exe (PID: 6168)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • HTTPDebuggerSvc.exe (PID: 8144)
      • HTTPDebuggerUI.exe (PID: 6868)
    • Starts POWERSHELL.EXE for commands execution

      • hack fivem free v9.exe (PID: 6640)
      • dasHost.exe (PID: 6164)
      • f1.exe (PID: 6260)
      • cmd.exe (PID: 6168)
      • cmd.exe (PID: 7232)
      • cmd.exe (PID: 5720)
      • cmd.exe (PID: 7728)
      • cmd.exe (PID: 1576)
    • Reads the date of Windows installation

      • dasHost.exe (PID: 6164)
    • The process executes via Task Scheduler

      • dasHost.exe (PID: 6164)
      • servers.exe (PID: 6524)
      • servers.exe (PID: 360)
      • servers.exe (PID: 7788)
    • Process drops legitimate windows executable

      • s8.exe (PID: 8016)
    • The process drops C-runtime libraries

      • s8.exe (PID: 8016)
    • Process drops python dynamic module

      • s8.exe (PID: 8016)
    • Application launched itself

      • s8.exe (PID: 8016)
    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 7232)
    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 7232)
    • Found strings related to reading or modifying Windows Defender settings

      • s8.exe (PID: 7272)
    • Get information on the list of running processes

      • cmd.exe (PID: 4056)
      • s8.exe (PID: 7272)
      • cmd.exe (PID: 7388)
    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 5720)
    • Base64-obfuscated command line is found

      • cmd.exe (PID: 5720)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 5720)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 7728)
    • Captures screenshot (POWERSHELL)

      • powershell.exe (PID: 7852)
    • The executable file from the user directory is run by the CMD process

      • rar.exe (PID: 8104)
    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 7928)
    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 5556)
    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 7280)
    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 1348)
    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 3140)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 6820)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 3920)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • f1.exe (PID: 6260)
    • Connects to unusual port

      • f1.exe (PID: 6260)
    • Contacting a server suspected of hosting an CnC

      • f1.exe (PID: 6260)
  • INFO

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 4488)
      • msiexec.exe (PID: 7256)
      • WMIC.exe (PID: 7284)
      • WMIC.exe (PID: 7280)
      • WMIC.exe (PID: 6820)
    • Manual execution by a user

      • firefox.exe (PID: 6924)
    • Application launched itself

      • firefox.exe (PID: 6924)
      • firefox.exe (PID: 6944)
    • Reads the software policy settings

      • explorer.exe (PID: 4488)
      • msiexec.exe (PID: 7312)
      • hack fivem free v9.exe (PID: 6640)
    • The process uses the downloaded file

      • explorer.exe (PID: 4488)
      • WinRAR.exe (PID: 6696)
      • msiexec.exe (PID: 7368)
      • dasHost.exe (PID: 6164)
      • f1.exe (PID: 6260)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6696)
      • msiexec.exe (PID: 7256)
      • msiexec.exe (PID: 7312)
    • Checks supported languages

      • msiexec.exe (PID: 7312)
      • msiexec.exe (PID: 8064)
      • HTTPDebuggerSvc.exe (PID: 8144)
      • msiexec.exe (PID: 7368)
      • HTTPDebuggerUI.exe (PID: 6868)
      • HTTPDebuggerUI.exe (PID: 2904)
      • hack fivem free v9.exe (PID: 7980)
      • hack fivem free v9.exe (PID: 6640)
      • dasHost.exe (PID: 6164)
      • f1.exe (PID: 6260)
      • s8.exe (PID: 8016)
      • s8.exe (PID: 7272)
      • rar.exe (PID: 8104)
      • cvtres.exe (PID: 6208)
      • MpCmdRun.exe (PID: 2776)
      • servers.exe (PID: 6524)
    • Manages system restore points

      • SrTasks.exe (PID: 7924)
    • The sample compiled with english language support

      • msiexec.exe (PID: 7256)
      • msiexec.exe (PID: 7312)
      • HTTPDebuggerSvc.exe (PID: 8144)
      • dasHost.exe (PID: 6164)
      • s8.exe (PID: 8016)
    • Creates files or folders in the user directory

      • explorer.exe (PID: 4488)
    • Checks proxy server information

      • explorer.exe (PID: 4488)
      • HTTPDebuggerUI.exe (PID: 6868)
      • hack fivem free v9.exe (PID: 6640)
    • Reads the machine GUID from the registry

      • HTTPDebuggerSvc.exe (PID: 8144)
      • HTTPDebuggerUI.exe (PID: 6868)
      • hack fivem free v9.exe (PID: 7980)
      • hack fivem free v9.exe (PID: 6640)
      • dasHost.exe (PID: 6164)
      • rar.exe (PID: 8104)
      • csc.exe (PID: 7728)
      • servers.exe (PID: 6524)
    • Reads the computer name

      • HTTPDebuggerSvc.exe (PID: 8144)
      • HTTPDebuggerUI.exe (PID: 2904)
      • certutil.exe (PID: 7860)
      • HTTPDebuggerUI.exe (PID: 6868)
      • hack fivem free v9.exe (PID: 6640)
      • dasHost.exe (PID: 6164)
      • s8.exe (PID: 8016)
      • f1.exe (PID: 6260)
      • s8.exe (PID: 7272)
    • Creates files in the program directory

      • HTTPDebuggerSvc.exe (PID: 8144)
    • Local mutex for internet shortcut management

      • explorer.exe (PID: 4488)
    • Process checks computer location settings

      • msiexec.exe (PID: 7368)
      • dasHost.exe (PID: 6164)
      • f1.exe (PID: 6260)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 7312)
    • Disables trace logs

      • cmstp.exe (PID: 6272)
      • hack fivem free v9.exe (PID: 6640)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 7424)
      • mshta.exe (PID: 7204)
    • Reads Environment values

      • hack fivem free v9.exe (PID: 6640)
    • Checks transactions between databases Windows and Oracle

      • cmstp.exe (PID: 6272)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6228)
      • powershell.exe (PID: 8080)
      • powershell.exe (PID: 6496)
      • powershell.exe (PID: 6604)
      • powershell.exe (PID: 7328)
      • powershell.exe (PID: 444)
      • powershell.exe (PID: 7520)
      • powershell.exe (PID: 344)
      • powershell.exe (PID: 7540)
      • powershell.exe (PID: 1044)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6228)
      • powershell.exe (PID: 8080)
      • powershell.exe (PID: 6496)
      • powershell.exe (PID: 6604)
      • powershell.exe (PID: 7520)
      • powershell.exe (PID: 7328)
      • powershell.exe (PID: 444)
      • powershell.exe (PID: 344)
      • powershell.exe (PID: 1044)
      • powershell.exe (PID: 7540)
    • Create files in a temporary directory

      • MpCmdRun.exe (PID: 2776)
      • cvtres.exe (PID: 6208)
      • rar.exe (PID: 8104)
      • f1.exe (PID: 6260)
    • Attempting to use instant messaging service

      • svchost.exe (PID: 2192)
      • f1.exe (PID: 6260)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)

EXIF

ZIP

ArchivedFileName: hack fivem free v9.exe
OperatingSystem: Win32
UncompressedSize: 9545216
CompressedSize: 9431664
FileVersion: RAR v5
No data.
All screenshots are available in the full report
Total processes
218
Monitored processes
97
Malicious processes
13
Suspicious processes
8

Behavior graph

Process launch sequence from the behavior graph (one entry per node in graph order; the interactive "no specs" markers are removed and graph labels are kept in parentheses):

winrar.exe; firefox.exe (parent and content processes); explorer.exe; msiexec.exe; msiexec.exe; msiexec.exe; vssvc.exe; srtasks.exe; conhost.exe; msiexec.exe; msiexec.exe; httpdebuggersvc.exe; httpdebuggersvc.exe; httpdebuggerui.exe; httpdebuggerui.exe; certutil.exe; hack fivem free v9.exe; cmstp.exe (CMSTPLUA); mshta.exe; cmd.exe; conhost.exe; hack fivem free v9.exe; mshta.exe; taskkill.exe; conhost.exe; svchost.exe (SPPSurrogate); powershell.exe; conhost.exe; powershell.exe; conhost.exe; dashost.exe; powershell.exe; conhost.exe; f1.exe (#XWORM); powershell.exe; conhost.exe; s8.exe; conhost.exe; hack fivem.exe; powershell.exe; conhost.exe; s8.exe; cmd.exe; cmd.exe; conhost.exe; conhost.exe; powershell.exe; powershell.exe; cmd.exe; cmd.exe; cmd.exe; powershell.exe; tasklist.exe; tasklist.exe; powershell.exe; conhost.exe; csc.exe; mpcmdrun.exe; cvtres.exe; powershell.exe; conhost.exe; cmd.exe; rar.exe; cmd.exe; wmic.exe; cmd.exe; wmic.exe; cmd.exe; wmic.exe; cmd.exe; powershell.exe; powershell.exe; conhost.exe; cmd.exe; wmic.exe; cmd.exe; powershell.exe; schtasks.exe; conhost.exe; servers.exe; servers.exe; servers.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 6696
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\hack_fivem_free_v9.rar
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 6924
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: explorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\program files\mozilla firefox\vcruntime140_1.dll
PID: 6944
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 7068
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1904 -parentBuildID 20240213221259 -prefsHandle 1824 -prefMapHandle 1820 -prefsLen 31031 -prefMapSize 244583 -appDir "C:\Program Files\Mozilla Firefox\browser" - {95d89bae-b9ab-4f15-b1ee-4844b9ec1c7b} 6944 "\\.\pipe\gecko-crash-server-pipe.6944" 1ee2d2ee510 gpu
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140.dll
PID: 7112
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2152 -parentBuildID 20240213221259 -prefsHandle 2144 -prefMapHandle 2132 -prefsLen 31031 -prefMapSize 244583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6de38c67-ae92-4576-9017-0a1bfea2851f} 6944 "\\.\pipe\gecko-crash-server-pipe.6944" 1ee20380510 socket
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 5004
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2732 -childID 1 -isForBrowser -prefsHandle 2796 -prefMapHandle 2768 -prefsLen 31447 -prefMapSize 244583 -jsInitHandle 1312 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1816113-c1a1-491c-b36d-a25079c891e1} 6944 "\\.\pipe\gecko-crash-server-pipe.6944" 1ee31f9df50 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
PID: 5096
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2724 -childID 2 -isForBrowser -prefsHandle 4260 -prefMapHandle 2584 -prefsLen 36588 -prefMapSize 244583 -jsInitHandle 1312 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2435b755-2e54-40e8-8671-99303b5ff81a} 6944 "\\.\pipe\gecko-crash-server-pipe.6944" 1ee343eca10 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\vcruntime140_1.dll
PID: 6488
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5100 -parentBuildID 20240213221259 -sandboxingKind 0 -prefsHandle 5032 -prefMapHandle 4996 -prefsLen 38006 -prefMapSize 244583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5846e3f-bb4a-4680-a95e-3843b53f99e9} 6944 "\\.\pipe\gecko-crash-server-pipe.6944" 1ee362b8910 utility
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
PID: 6672
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5156 -childID 3 -isForBrowser -prefsHandle 5148 -prefMapHandle 4256 -prefsLen 31243 -prefMapSize 244583 -jsInitHandle 1312 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {212bc8c2-ac79-4c7c-97ab-b0742455bc46} 6944 "\\.\pipe\gecko-crash-server-pipe.6944" 1ee34bdba10 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\vcruntime140_1.dll
PID: 6468
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4428 -childID 4 -isForBrowser -prefsHandle 5184 -prefMapHandle 5172 -prefsLen 31243 -prefMapSize 244583 -jsInitHandle 1312 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9aae5ef9-78b6-4203-8324-0c6abdce33bc} 6944 "\\.\pipe\gecko-crash-server-pipe.6944" 1ee386c4d90 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
Total events
127 764
Read events
127 251
Write events
481
Delete events
32

Modification events

PID: 4488, Process: explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000060242
Operation: write, Name: VirtualDesktop
Value: 1000000030304456A48A294F7A40804AB924005FF030B61F

PID: 6696, Process: WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write, Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

PID: 6696, Process: WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write, Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

PID: 6696, Process: WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write, Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

PID: 6696, Process: WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write, Name: 0
Value: C:\Users\admin\AppData\Local\Temp\hack_fivem_free_v9.rar

PID: 6696, Process: WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write, Name: name
Value: 120

PID: 6696, Process: WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write, Name: size
Value: 80

PID: 6696, Process: WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write, Name: type
Value: 120

PID: 6696, Process: WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write, Name: mtime
Value: 100

PID: 6696, Process: WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation: write, Name: ShowPassword
Value: 0
Executable files
55
Suspicious files
249
Text files
82
Unknown types
2

Dropped files

PID | Process | Filename | Type

6944 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin |
MD5:
SHA256:

6696 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb6696.11223\hack fivem free v9.exe | executable
MD5: 5FC5DB9653E6A9A8341E6721AFBBAABD
SHA256: CA175CADD1065D7006AA068A9C64F48EADB9CB40DE587AB128B07F21950F60B4

4488 | explorer.exe | C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat | binary
MD5: E49C56350AEDF784BFE00E444B879672
SHA256: A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E

6944 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs.js | text
MD5: 5268B574548AF46D00B1B1C83E943348
SHA256: A8FC813984CCD696A62C096E0A6CFE8CF779C49D23A850BA1B87105C08834199

6944 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shm | binary
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

6944 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json | binary
MD5: EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256: 792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA

6944 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs-1.js | text
MD5: 5268B574548AF46D00B1B1C83E943348
SHA256: A8FC813984CCD696A62C096E0A6CFE8CF779C49D23A850BA1B87105C08834199

6944 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json.tmp | binary
MD5: EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256: 792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA

4488 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms | binary
MD5: 81F6FA75706823B39EC68E908B29A3F9
SHA256: C677470756034B08BE21B9F6E689DAB72C20A61014A7C2556207D0ACD18A5BE1

6944 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm | binary
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
126
TCP/UDP connections
212
DNS requests
187
Threats
65

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
(the Type and Size columns are empty in this export and are omitted below)

4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6944 | firefox.exe | POST | 200 | 172.217.16.195:80 | http://o.pki.goog/wr2 | unknown | whitelisted
6944 | firefox.exe | POST | 200 | 2.16.168.113:80 | http://r10.o.lencr.org/ | unknown | whitelisted
6944 | firefox.exe | POST | 200 | 172.217.16.195:80 | http://o.pki.goog/wr2 | unknown | whitelisted
6944 | firefox.exe | POST | 200 | 2.16.168.113:80 | http://r10.o.lencr.org/ | unknown | whitelisted
6944 | firefox.exe | POST | 200 | 172.217.16.195:80 | http://o.pki.goog/s/wr3/jLM | unknown | whitelisted
6944 | firefox.exe | POST | 200 | 2.16.168.113:80 | http://r10.o.lencr.org/ | unknown | whitelisted
6944 | firefox.exe | POST | 200 | 172.217.16.195:80 | http://o.pki.goog/wr2 | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(fields that are empty in the export are left blank)

| | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
2548 | svchost.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
2548 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
5064 | SearchApp.exe | 2.23.227.208:443 | www.bing.com | Ooredoo Q.S.C. | QA | whitelisted
5064 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1176 | svchost.exe | 20.190.160.14:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
google.com
  • 142.250.185.78
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
www.bing.com
  • 2.23.227.208
  • 2.23.227.215
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.160.14
  • 40.126.32.68
  • 20.190.160.20
  • 40.126.32.134
  • 40.126.32.133
  • 20.190.160.22
  • 20.190.160.17
  • 40.126.32.136
whitelisted
go.microsoft.com
  • 184.28.89.167
  • 23.35.238.131
whitelisted
detectportal.firefox.com
  • 34.107.221.82
whitelisted
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted

Threats

Class | Message
(the PID and Process columns are empty in this export and are omitted below)

Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com)
Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
Misc activity | ET HUNTING Telegram API Domain in DNS Lookup
Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
Misc activity | ET HUNTING Telegram API Certificate Observed
54 ETPRO signatures available at the full report
No debug info