vjw0rm | ed72bc404ec337cec45f1abdf37571e0397b8186a079f2ad58b0c171a0e3e4c2

Analysis

max time kernel
596s
max time network
601s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
30-10-2023 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order Specifications.pdf.htm
Size

127KB
MD5

8d2855d34692cd5417bfd21adbb1634d
SHA1

8f67897cd88b9dfa12f5e45e9df122fb535dc8c6
SHA256

637ecc50435b38915fc3d8bbd7f84133045c838258b343cafac112916053af37
SHA512

0dc734c34b7eb5f377b614af476c8db946917e2a12645404737cd35b833aab97e4a5a3d064878f0444746674fd24c07991a3da051719a352a408246cdd64c6c3
SSDEEP

3072:SgIX4IUtjxktYlaPsM8AK863Srla3Ca/5eYCG4X/Fn8GfXoEhNfyJxsKlR:SnIIUtCuluob3Yha/5eY4vFnhfXkyKlR

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 64 IoCs

flow	pid	Process
36	3288	WScript.exe
37	3288	WScript.exe
38	3288	WScript.exe
39	3288	WScript.exe
40	3288	WScript.exe
42	3288	WScript.exe
46	3288	WScript.exe
47	3288	WScript.exe
48	3288	WScript.exe
49	3288	WScript.exe
50	3288	WScript.exe
51	3288	WScript.exe
52	3288	WScript.exe
59	3288	WScript.exe
60	3288	WScript.exe
61	3288	WScript.exe
62	3288	WScript.exe
63	3288	WScript.exe
64	3288	WScript.exe
65	3288	WScript.exe
71	3288	WScript.exe
72	3288	WScript.exe
73	3288	WScript.exe
74	3288	WScript.exe
75	3288	WScript.exe
76	3288	WScript.exe
77	3288	WScript.exe
78	3288	WScript.exe
79	3288	WScript.exe
80	3288	WScript.exe
81	3288	WScript.exe
82	3288	WScript.exe
83	3288	WScript.exe
84	3288	WScript.exe
86	3288	WScript.exe
87	3288	WScript.exe
88	3288	WScript.exe
89	3288	WScript.exe
90	3288	WScript.exe
91	3288	WScript.exe
92	3288	WScript.exe
93	3288	WScript.exe
94	3288	WScript.exe
95	3288	WScript.exe
96	3288	WScript.exe
104	3288	WScript.exe
105	3288	WScript.exe
130	3288	WScript.exe
131	3288	WScript.exe
132	3288	WScript.exe
133	3288	WScript.exe
134	3288	WScript.exe
135	3288	WScript.exe
136	3288	WScript.exe
137	3288	WScript.exe
138	3288	WScript.exe
139	3288	WScript.exe
140	3288	WScript.exe
141	3288	WScript.exe
142	3288	WScript.exe
146	3288	WScript.exe
147	3288	WScript.exe
148	3288	WScript.exe
149	3288	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order Specifications.pdf.js	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order Specifications.pdf.js\:Zone.Identifier:$DATA	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000\Software\Microsoft\Windows\CurrentVersion\Run\T2RV3JE2PV = "\"C:\\Users\\Admin\\AppData\\Roaming\\Order Specifications.pdf.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4472	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings	firefox.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Order Specifications.pdf.js:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\AppData\Roaming\Order Specifications.pdf.js\:Zone.Identifier:$DATA	WScript.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	3160	firefox.exe
Token: SeDebugPrivilege	3160	firefox.exe
Token: SeDebugPrivilege	3160	firefox.exe
Token: SeDebugPrivilege	3160	firefox.exe
Token: SeDebugPrivilege	3160	firefox.exe
Token: SeDebugPrivilege	3160	firefox.exe
Token: SeDebugPrivilege	3160	firefox.exe
Token: SeDebugPrivilege	3160	firefox.exe
Token: SeDebugPrivilege	3160	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3160	firefox.exe
3160	firefox.exe
3160	firefox.exe
3160	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3160	firefox.exe
3160	firefox.exe
3160	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3160	firefox.exe
3160	firefox.exe
3160	firefox.exe
3160	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 656 wrote to memory of 3160	656	firefox.exe	71
PID 656 wrote to memory of 3160	656	firefox.exe	71
PID 656 wrote to memory of 3160	656	firefox.exe	71
PID 656 wrote to memory of 3160	656	firefox.exe	71
PID 656 wrote to memory of 3160	656	firefox.exe	71
PID 656 wrote to memory of 3160	656	firefox.exe	71
PID 656 wrote to memory of 3160	656	firefox.exe	71
PID 656 wrote to memory of 3160	656	firefox.exe	71
PID 656 wrote to memory of 3160	656	firefox.exe	71
PID 656 wrote to memory of 3160	656	firefox.exe	71
PID 656 wrote to memory of 3160	656	firefox.exe	71
PID 3160 wrote to memory of 4596	3160	firefox.exe	72
PID 3160 wrote to memory of 4596	3160	firefox.exe	72
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 4156	3160	firefox.exe	73
PID 3160 wrote to memory of 584	3160	firefox.exe	74
PID 3160 wrote to memory of 584	3160	firefox.exe	74
PID 3160 wrote to memory of 584	3160	firefox.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Order Specifications.pdf.htm"
1⤵
- Suspicious use of WriteProcessMemory
PID:656
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Order Specifications.pdf.htm"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.0.1340276953\1666280356" -parentBuildID 20221007134813 -prefsHandle 1676 -prefMapHandle 1644 -prefsLen 20936 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {879197c7-6f6b-4508-ad39-296f8f2646c7} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 1764 20ae11eb158 gpu
    3⤵
    PID:4596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.1.816853556\2028560472" -parentBuildID 20221007134813 -prefsHandle 2112 -prefMapHandle 2108 -prefsLen 21797 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5b1f0b6-1400-456c-8859-2ef377d48065} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 2140 20acef71b58 socket
    3⤵
    PID:4156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.2.446575938\1851332357" -childID 1 -isForBrowser -prefsHandle 2904 -prefMapHandle 2996 -prefsLen 21835 -prefMapSize 232675 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e1b0377-8355-4b29-adef-e1d6ef83a7c5} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 3196 20ae50f8b58 tab
    3⤵
    PID:584
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.3.1770668736\1326579105" -childID 2 -isForBrowser -prefsHandle 3644 -prefMapHandle 3320 -prefsLen 26480 -prefMapSize 232675 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {65f6b55f-d3c8-492c-85d7-3e6126b144f6} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 2620 20acef66b58 tab
    3⤵
    PID:3140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.5.1066564364\428426240" -childID 4 -isForBrowser -prefsHandle 4840 -prefMapHandle 4844 -prefsLen 26714 -prefMapSize 232675 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fb11438-ebad-4fb1-89a8-e1c2e971bb22} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 4832 20ae79bee58 tab
    3⤵
    PID:316
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.6.977604338\426965848" -childID 5 -isForBrowser -prefsHandle 4696 -prefMapHandle 4668 -prefsLen 26714 -prefMapSize 232675 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {07b82a08-7ce1-4cf8-acaf-642013042c07} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 5028 20ae7b05658 tab
    3⤵
    PID:1456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.4.1742873692\1069790151" -childID 3 -isForBrowser -prefsHandle 4204 -prefMapHandle 4688 -prefsLen 26714 -prefMapSize 232675 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1383b0f8-3674-46c7-9f43-d380166db2b9} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 4704 20acef2e858 tab
    3⤵
    PID:4916

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2856

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Order Specifications.pdf.js"
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- NTFS ADS
PID:3288
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Order Specifications.pdf.js
  2⤵
  - Creates scheduled task(s)
  PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\d25hmlvg.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
a9d010929ce4b572c748511eb74b6b17

SHA1
71cab3be0a6636c4e62659503b8531d95e6888b2

SHA256
8ddd1139d23e301f24e761dd8b3a3d2aa2e3befee3d99edf734cd00e3fd30be8

SHA512
9b5dbbb012065c0429ae349557a565c1c2f0f3718337ad2d0e52cfc09b575032c85bc483526d8b5d8f9992975d5a2fb425d0f2cf9131d369c3d3740f7ffbf833

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\d25hmlvg.default-release\cache2\entries\51D52D298316CD3F9A90A40E946BB34EFA1BFB72

Filesize
13KB

MD5
a6043fa629911cf2d50945aa8788e218

SHA1
fd4a8824fd2b78cd1dbf72bde87c55c111d994a9

SHA256
e9e43a0f8556314c88b36731d082bffc6146e07c24a752035cd745d0ecc0ffb1

SHA512
24a3f91a2fd8f1bc1ad68090de255b8d0be876a87d84a2f2aa3df618a6d0905c31249ff055eb20cb3f4c7d68616c3db8573b33eaf7bc53e83adba55a9e2063fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
9KB

MD5
d5442b448ef651c7a9d9bbf5904209c7

SHA1
9a7efca93d7a8da9093813871661905bf0896d26

SHA256
31185210010df3aa8a42a3ec8085ef3d3b65d11dec48800e7a68d962242335cf

SHA512
d5b1035dd3f8b6b7d3783930ebdfbb4d723a865a1ee5cb70f6c4d66cea453b88d225c03d8305e0c771c7f79aeed83bc95ff9d5ac71c010abf06b70e077345481

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\prefs-1.js

Filesize
8KB

MD5
cde16be0714170ab0633c403a4e91284

SHA1
9d35f4d479a703d2c8e73af4fe2062349798cb96

SHA256
699bda832d2cba98c711c663fbbfa924d7c3d2e9f1bfc5e49dddb33769d4c440

SHA512
7ebd284e32ee08b2b4e8e8aabd22831438a12fa6b7e4922dfce354f6fd723b38f677f52f553d5e52a005dd0d65d1ac5325fa81e4ba02404d2906d10ecd574635

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\prefs-1.js

Filesize
9KB

MD5
aa26fc94308fe15de4cbdc0292353c04

SHA1
6bc5f944fcb92627ac03a5ab84f945a3eca05bd8

SHA256
65ec4c6d7aa58bb9444d9a8d71f86b92d65464528d5df422edfb51687c2abb88

SHA512
ce770597e0b8daf9efc41322616d2cd546c3f04b2e28d2cfe5deb921421c156a65dc54d702b8e46b14d2f5b75e46fe2c1876b2784e50ff5a152801d6e01f7aaa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\prefs-1.js

Filesize
7KB

MD5
8e7504946a1f6c62b742fdd30d4bd102

SHA1
882859604031ce6f2dbbb0a615fff8b45910560e

SHA256
33386c34255a20b4830747ad768677bd6a036686e29f15ad8a0c3128eab2178f

SHA512
36226082fcd2b9949cb25579fb48b4c981b4d08d5dc8ae820a0523543a5b5cd94f9bea998dfa257ce534cab97df247f8ffb882cef0a31a97d53238481f2fb1e4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\prefs.js

Filesize
6KB

MD5
8206c1b94e5fe7ba339979ae9ac54bd4

SHA1
de6246c840747878f8e3e74c3cc0db3ea233f877

SHA256
f9895a9cf43dc85acc41e21e23ab5d26bb3c157a1adc3b423d0dbbf2707733da

SHA512
b5bae53ea724a2f69a3ba675a24187476b66f5e9bc6c9cfbc78f3168bd6d8519cf7425d197e25ea57bd291b3db1e4b73089f0c824ec48f7b83e7e9342b3d74e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
52ae84df9e68e897c65142f859c9c4b5

SHA1
89864ae3809947b5f19f0441962da23f64878d9b

SHA256
ba2f3964fb54c4525b08d0caf4039be8439fb518a52c47cf2e0a6ff9d1711126

SHA512
fc521869889472f92a7d392d18e28b8628a4f2458e857c4b44e62cab6b32581f684bafcebda6f61fe6dc34cd7644489164e76c59bd8ff637a93c9e53c214e673

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
400KB

MD5
0518669d06e42a5651fce0483bda9cd1

SHA1
b95e37de2f7558e25e771c00d1ce6526e0a62283

SHA256
a5537c23da73978b67764f7540db5f3c3baa432550ebced23e888271f4f6970e

SHA512
b03811acda876540d4cb20b54403c5e728b671b18d25ef97a2cfa70975ba5d5299f6229ebef24c844c27a505857891a267dd23c85c4af554548175f1d2e018b8

Download Submit
C:\Users\Admin\Downloads\Order Specifications.mw4W5hX0.pdf.js.part

Filesize
24KB

MD5
198410ad7e2c3c89d7050ff83ae2782e

SHA1
8cf5f22778a7a0bd24f1db1d49428cae60734316

SHA256
95a01d5aed591a14b81c24fe6d2dfc4d42cb931e06b3e49f2d3f5763a8046df4

SHA512
9d14104211b58b501ce3a3617deb8e229250db2ec75ad7cbb4e0e744cb7be2587c663a861acd1f08f2dc87380e6a3f25c5c5b10c6ac0f3ea0588abe3f54ee31a

Download Submit
C:\Users\Admin\Downloads\Order Specifications.pdf.js

Filesize
24KB

MD5
198410ad7e2c3c89d7050ff83ae2782e

SHA1
8cf5f22778a7a0bd24f1db1d49428cae60734316

SHA256
95a01d5aed591a14b81c24fe6d2dfc4d42cb931e06b3e49f2d3f5763a8046df4

SHA512
9d14104211b58b501ce3a3617deb8e229250db2ec75ad7cbb4e0e744cb7be2587c663a861acd1f08f2dc87380e6a3f25c5c5b10c6ac0f3ea0588abe3f54ee31a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads