3b61757c276c9f823c8d49f5322338891335c6ea17649ba0b39e36237d5d399d

Analysis

max time kernel
258s
max time network
266s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
14/02/2024, 11:16

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

malware-samples-master.zip
Size

50.8MB
MD5

04ff5205025adf73e9ce2d5284a7c816
SHA1

4f92ea61f1535165724316b471903df8e3f1a3e4
SHA256

3b61757c276c9f823c8d49f5322338891335c6ea17649ba0b39e36237d5d399d
SHA512

6afe2e19df0d2efe7aef97096393f3e1ab05eeeac4117d0928c356034694b688efbc7d3568f7cc1093b5f4c4e2d22ed9d1dc333c2ecf44783b4bff9e77c0d836
SSDEEP

786432:V/CyJ98/pUEUjJprn7YTB/jddy/Dhrbe5uGYjd0AFOOho49+qjbXAyXyFzToRye3:VTW+jJpQdC1zG0+A0x49+QbAb/oNJ

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4272278488\3302449443.pri	SecHealthUI.exe

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1682406436-2801920780-981986064-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\malware-samples-master.zip:Zone.Identifier	firefox.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2300	EXCEL.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5464	7zFM.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3136	firefox.exe
Token: SeDebugPrivilege	3136	firefox.exe
Token: SeDebugPrivilege	3136	firefox.exe
Token: SeDebugPrivilege	3136	firefox.exe
Token: SeDebugPrivilege	3136	firefox.exe
Token: SeDebugPrivilege	3136	firefox.exe
Token: SeRestorePrivilege	5304	7zFM.exe
Token: 35	5304	7zFM.exe
Token: SeRestorePrivilege	5464	7zFM.exe
Token: 35	5464	7zFM.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2300	EXCEL.EXE
2300	EXCEL.EXE
3136	firefox.exe
3136	firefox.exe
3136	firefox.exe
3136	firefox.exe
5304	7zFM.exe
5464	7zFM.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3136	firefox.exe
3136	firefox.exe
3136	firefox.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
2300	EXCEL.EXE
2300	EXCEL.EXE
2300	EXCEL.EXE
2300	EXCEL.EXE
2300	EXCEL.EXE
2300	EXCEL.EXE
2300	EXCEL.EXE
2300	EXCEL.EXE
2300	EXCEL.EXE
3136	firefox.exe
3136	firefox.exe
3136	firefox.exe
3136	firefox.exe
3136	firefox.exe
3136	firefox.exe
3136	firefox.exe
3136	firefox.exe
3136	firefox.exe
3136	firefox.exe
1092	SecHealthUI.exe
2100	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 3136	3144	firefox.exe	81
PID 3144 wrote to memory of 3136	3144	firefox.exe	81
PID 3144 wrote to memory of 3136	3144	firefox.exe	81
PID 3144 wrote to memory of 3136	3144	firefox.exe	81
PID 3144 wrote to memory of 3136	3144	firefox.exe	81
PID 3144 wrote to memory of 3136	3144	firefox.exe	81
PID 3144 wrote to memory of 3136	3144	firefox.exe	81
PID 3144 wrote to memory of 3136	3144	firefox.exe	81
PID 3144 wrote to memory of 3136	3144	firefox.exe	81
PID 3144 wrote to memory of 3136	3144	firefox.exe	81
PID 3144 wrote to memory of 3136	3144	firefox.exe	81
PID 3136 wrote to memory of 2424	3136	firefox.exe	82
PID 3136 wrote to memory of 2424	3136	firefox.exe	82
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 4484	3136	firefox.exe	83
PID 3136 wrote to memory of 3780	3136	firefox.exe	84
PID 3136 wrote to memory of 3780	3136	firefox.exe	84
PID 3136 wrote to memory of 3780	3136	firefox.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\malware-samples-master.zip
1⤵
PID:1076

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4556

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Downloads\SplitInstall.ods"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2300

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.0.1408178590\278961874" -parentBuildID 20221007134813 -prefsHandle 1684 -prefMapHandle 1644 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc0f6c87-7d8d-437a-a423-adb37e9e3cb4} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 1764 251cb9bfe58 gpu
    3⤵
    PID:2424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.1.373956637\1996450021" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c49f99b-67ff-4dde-aac0-b2dab751a543} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 2120 251c0670d58 socket
    3⤵
    - Checks processor information in registry
    PID:4484
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.2.1478307872\564401987" -childID 1 -isForBrowser -prefsHandle 2880 -prefMapHandle 2876 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b957286-addd-42e9-81eb-3afc63235f69} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 2892 251cb95ad58 tab
    3⤵
    PID:3780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.3.840135303\1808799186" -childID 2 -isForBrowser -prefsHandle 3576 -prefMapHandle 3588 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {57090005-9df0-4e3d-8fa0-44384ddea4bc} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 3600 251c0670158 tab
    3⤵
    PID:4332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.4.1985061314\1279000712" -childID 3 -isForBrowser -prefsHandle 3904 -prefMapHandle 3896 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bc15da8-e4c5-4362-8e27-c06eb452d5c5} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 3932 251cdff6858 tab
    3⤵
    PID:1596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.6.1125683814\78848045" -childID 5 -isForBrowser -prefsHandle 4988 -prefMapHandle 4992 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdc33e37-26e2-4937-a2e5-12b481c4298e} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 4980 251d2bee458 tab
    3⤵
    PID:4428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.5.742783987\411484253" -childID 4 -isForBrowser -prefsHandle 4848 -prefMapHandle 4552 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {397efbce-7ec5-48fa-b863-089a541e5bb7} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 4920 251d1fb9b58 tab
    3⤵
    PID:2416
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.7.183670119\1258807961" -childID 6 -isForBrowser -prefsHandle 5192 -prefMapHandle 5196 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3bb23306-5f78-44e5-b8c6-a52cbbda10c6} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 5180 251d2bef358 tab
    3⤵
    PID:3212
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.8.1278186307\1519257013" -childID 7 -isForBrowser -prefsHandle 5224 -prefMapHandle 4992 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {93d243fe-26fb-4fbc-b8b4-f10a181736bb} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 5492 251d3d61858 tab
    3⤵
    PID:608
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.9.603251051\1233401772" -childID 8 -isForBrowser -prefsHandle 5732 -prefMapHandle 5656 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a2d6606-1fa0-4c8f-a747-76c83645b440} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 5744 251ce013958 tab
    3⤵
    PID:4344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.10.1364061305\547226026" -childID 9 -isForBrowser -prefsHandle 6072 -prefMapHandle 5660 -prefsLen 26817 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {12547b4a-2169-4768-9099-770357ae2e8e} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 6084 251cf84f658 tab
    3⤵
    PID:5692

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1092

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Temp2_malware-samples-master.zip\malware-samples-master\Allaple\29c7e87350cb03428fc108b03856095b.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5304

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Temp3_malware-samples-master.zip\malware-samples-master\Ransomware\Wannacry\smb-5cgc70g1.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5464

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3afc055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lo9wvv8t.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
f0ea12addaadf039d6fd00ea3498022f

SHA1
825e2852fc4348a17e2b6d2d921d0c9da1247d61

SHA256
f661a35aa772d1d45fa89d563fadd7f9382ec3734928af362cf274f3f8b989ee

SHA512
77008098c10c87e44b467b6a23a4245e90fcfa8fb3dacf2fad8dfa2abc8fc63c9af47e75bbb9dcad717da286f5f81a56b21924d1436ca292991e9432f13a86d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lo9wvv8t.default-release\datareporting\glean\pending_pings\52920ff6-773c-498c-bcc7-e8b79f198337

Filesize
746B

MD5
470e8599790528faca247c0729e7434d

SHA1
8d2ea1d9519b24e68f6a1ef027812343fd5d33b3

SHA256
f651fcda51003c1ce6677dfbb275f84a4c4dff2448536aac98cbf506bdb6cfd0

SHA512
1edf30f16a530581a0258eb27125ddfc632d8250f29589d35f9c775888ee9142f389bff2c6f72b1c87b076f885c9b9d8cb63a018a84cf2ce853e546d93179774

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lo9wvv8t.default-release\datareporting\glean\pending_pings\b1751a84-64d6-4a43-92e0-63f186e65db9

Filesize
11KB

MD5
c974376c28fae5393291919d9b1595b7

SHA1
907f09085a5821c1e5a6b8a8fd3769b0660c5b72

SHA256
04dc4936453a2e18e73ff179793912b1a7c93bd65a4273066575e0bb6ac9c17d

SHA512
8caeb8662a7d543afffe2d4029e927c3b38a3b16f051e6bda80d905cb4cb9c775a3a279a0216e5747b5cbcd6f09e3ef527d2f6ed4a16945c6ff8d160a054af73

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lo9wvv8t.default-release\prefs-1.js

Filesize
6KB

MD5
41caef63d92ef967783355780fa729d6

SHA1
6e400363a73e055fc111591f0bfc7e5f072098bf

SHA256
b0f873093369366b11c16983354c54818b177fdcac2628a95bfa09fc463e447e

SHA512
3604dbb2805c83228933744acb980fc4dab11acdfcc32e8e89ebf9d432eb61bfe890be9918074ff063ee810490c5bd57835fb6b54dfe118b69b6f2c942fc83eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lo9wvv8t.default-release\prefs-1.js

Filesize
6KB

MD5
59ff4d6581b4675a92aae1c6a9d5931b

SHA1
0d577781e18a3491eee6a3b03eeb830a2b0640ff

SHA256
1a5b3571923a82f79527f7e3125a0f8400cd865e88818f34897f083e25dbed48

SHA512
ec40605ac6cd77d6f1b0e66d3b418d7fabc63dd52c63eb960cec3b53cc4aca08821deb73f97a93afc3e41a03c3cb0dd1fef999326c588b3f724295f5a1029652

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lo9wvv8t.default-release\prefs-1.js

Filesize
6KB

MD5
719f932e77534b52596cefb2f2e883fe

SHA1
6e2df7fda7d9b1af3c883fd01cd9069ae490874f

SHA256
8c27371b96a894b5b1f077a6a4981cb7e3ff57e696b0e0e44ac5beb2e8fc2114

SHA512
5ac867d32d5c6886e2e042261ca44f62490340202391653c7352ab0868ef8c4f41f2b104207e20e1971c8bd8a0ef2d84e47e8baa53154e78b9ed04fb8bb17230

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lo9wvv8t.default-release\prefs.js

Filesize
6KB

MD5
d2ca97477cf70b490b7b9b752cc2d897

SHA1
9d30d1f0fb67573e0f75d38d7ee928c3a24fa94f

SHA256
40b6777ae9763888fd1f9e16857d072eba2d02434538918fd32aca25dcd75fe5

SHA512
66ef973adab2361a668fb5fe9d72627f3f4620c71861ea8efa49daa8794dbc345a17da38594975fa2416a4e611dc5546f669ee4939ce164ed399a86f8b15bac1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lo9wvv8t.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
42a84952b48c142bfad70897d6d86628

SHA1
42221fca0edf48f7d79d40841d9819692681657e

SHA256
1858623d0508564ae74a13dec5f1284d8b5d24ab748ea54cde04684b8a886281

SHA512
a394505684d5719b6d8483fef70d06934a94b6e7b35a818a3195ba9fcae33acc53bc5bd142ad19f650757e8f596175ed674f1f45c1a56490d1e534985a11d06c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lo9wvv8t.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
11415971667d87104b83b70d7537382e

SHA1
67f309f7d6df3f2374e753007855ce90e26d7fae

SHA256
2bbc22f0d15e0b81c1f64bdea1848ed6d981751ee05d5f8d61f8aa1422c0b903

SHA512
f97dadf7e053ea756c3f8e3ec9988ff126cc3860bb93a89d8cbb1900880ae5835fc4e6ac71e425510873fee9ceb09f34ad82c8b775649814737fe879dcaa2e24

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lo9wvv8t.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
4d86cbeb9d94eb9aeec514284b1de444

SHA1
681abac3c5ba0090018aa42033823f338d036644

SHA256
820c133ebb6218a6f82062373d590176a99ef72329c3b34af03dbe7be00dc04d

SHA512
95cc8dfc95160dfcf27e1ddca1c86225c10b59df7fc1f6cd2e2f8ac68e8dd1142a7d793240fecb769549dfabb5730a2c25ca23cdc3f1139ec83163fc139bc783

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lo9wvv8t.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
10KB

MD5
b4d7981555c8026b7bfc071ba79d3064

SHA1
02bd44bf0b1b4a7ffab67ce7dbb5e78bf86aae1a

SHA256
0dc4cf700aaeb3a7ac17a6fa863bcda9fc5f493545d326551eabe5ef19659bfa

SHA512
b7f6104e98d98fe54d3d6cbc09518f21b41fd99ce2a9b123da078494c747811a70d886c06a47b508a97cef55786efedb3865d45dde47f30b9f5d10977b05b7d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lo9wvv8t.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
ae355bf648dd993f6351e5a6c32dc417

SHA1
ba5270b4ff2dc2dddb761150209e6181418d24fb

SHA256
cf87000915adae4d5db9e1cc77fa975abe48ce390241755ba5b644c0e1966e61

SHA512
438af78747846f313a9dd402cc4855f342cd640fff61b3a5722b93c69f0448c378e77c8dce8249a00fa018b39af9e77593380906fb8eb99e1712a3bcd3cad830

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lo9wvv8t.default-release\sessionstore.jsonlz4

Filesize
10KB

MD5
616f3a540ec7d39f3587aae05e964e8c

SHA1
b1fed0187e4f25ad207f28b5d820a4ba3738b02e

SHA256
588bbb48cbb41f5ac615403f220c78402ab16af43bca31de60852ff655be7769

SHA512
a3ba1997383e9cc38e0bcf64ffecbf76e7dee5bb5b38379a72e1560908be005d82640f1a1efc2ec9e7443814511ed1ca3d9a6c309fcb4245bfc7f9730f45f752

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lo9wvv8t.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
bf20dc1315515dade64329f90389941f

SHA1
32dd8169813e136a097e3547cdcdf80f94e77ffd

SHA256
4a47b9b7cf279c8dc87f5b49ddc221df16bbf89268b99d5f66ad942695fbe7c4

SHA512
aec03b09ccaecdbd27a35b8233082d5cb17fee1b4e35a96211cce25c4fe2c1d8e75a15d362dbf1b55f6d82a4483aede67677e1e91bfa7f6f4305e4bf5f85e93c

Download Submit
C:\Users\Admin\Downloads\malware-samples-master.psaROPBr.zip.part

Filesize
13.7MB

MD5
df2097e7804c852528ad1a32a7c949eb

SHA1
2c3dffbac5627b63024c8aa1f1997c96d9c676b8

SHA256
44e37d0ddc37663861e62a03e9949db087bb108f29730d2a5e913baf82067c92

SHA512
7797086f73498041fe7b134a2ced7b6d16e2b0a421202b718b4c224b7ce2bdd1964bbfb2c3fcc98505981aa54fb1e1cf6717e437c2bb38362a039cad4090104b

Download Submit
memory/2300-15-0x00007FFA7A570000-0x00007FFA7A74B000-memory.dmp

Filesize
1.9MB

Download
memory/2300-213-0x00007FFA3A600000-0x00007FFA3A610000-memory.dmp

Filesize
64KB

Download
memory/2300-17-0x00007FFA36F10000-0x00007FFA36F20000-memory.dmp

Filesize
64KB

Download
memory/2300-20-0x00007FFA7A570000-0x00007FFA7A74B000-memory.dmp

Filesize
1.9MB

Download
memory/2300-21-0x00007FFA7A570000-0x00007FFA7A74B000-memory.dmp

Filesize
1.9MB

Download
memory/2300-22-0x00007FFA7A570000-0x00007FFA7A74B000-memory.dmp

Filesize
1.9MB

Download
memory/2300-23-0x00007FFA77C60000-0x00007FFA77D0E000-memory.dmp

Filesize
696KB

Download
memory/2300-24-0x00007FFA7A570000-0x00007FFA7A74B000-memory.dmp

Filesize
1.9MB

Download
memory/2300-25-0x00007FFA7A570000-0x00007FFA7A74B000-memory.dmp

Filesize
1.9MB

Download
memory/2300-26-0x00007FFA7A570000-0x00007FFA7A74B000-memory.dmp

Filesize
1.9MB

Download
memory/2300-27-0x00007FFA7A570000-0x00007FFA7A74B000-memory.dmp

Filesize
1.9MB

Download
memory/2300-28-0x00007FFA7A570000-0x00007FFA7A74B000-memory.dmp

Filesize
1.9MB

Download
memory/2300-30-0x00007FFA7A570000-0x00007FFA7A74B000-memory.dmp

Filesize
1.9MB

Download
memory/2300-31-0x00007FFA7A570000-0x00007FFA7A74B000-memory.dmp

Filesize
1.9MB

Download
memory/2300-214-0x00007FFA3A600000-0x00007FFA3A610000-memory.dmp

Filesize
64KB

Download
memory/2300-216-0x00007FFA3A600000-0x00007FFA3A610000-memory.dmp

Filesize
64KB

Download
memory/2300-215-0x00007FFA3A600000-0x00007FFA3A610000-memory.dmp

Filesize
64KB

Download
memory/2300-19-0x00007FFA7A570000-0x00007FFA7A74B000-memory.dmp

Filesize
1.9MB

Download
memory/2300-217-0x00007FFA77C60000-0x00007FFA77D0E000-memory.dmp

Filesize
696KB

Download
memory/2300-218-0x00007FFA77C60000-0x00007FFA77D0E000-memory.dmp

Filesize
696KB

Download
memory/2300-219-0x00007FFA7A570000-0x00007FFA7A74B000-memory.dmp

Filesize
1.9MB

Download
memory/2300-18-0x00007FFA7A570000-0x00007FFA7A74B000-memory.dmp

Filesize
1.9MB

Download
memory/2300-16-0x00007FFA7A570000-0x00007FFA7A74B000-memory.dmp

Filesize
1.9MB

Download
memory/2300-14-0x00007FFA7A570000-0x00007FFA7A74B000-memory.dmp

Filesize
1.9MB

Download
memory/2300-0-0x00007FFA3A600000-0x00007FFA3A610000-memory.dmp

Filesize
64KB

Download
memory/2300-12-0x00007FFA36F10000-0x00007FFA36F20000-memory.dmp

Filesize
64KB

Download
memory/2300-13-0x00007FFA7A570000-0x00007FFA7A74B000-memory.dmp

Filesize
1.9MB

Download
memory/2300-11-0x00007FFA7A570000-0x00007FFA7A74B000-memory.dmp

Filesize
1.9MB

Download
memory/2300-10-0x00007FFA7A570000-0x00007FFA7A74B000-memory.dmp

Filesize
1.9MB

Download
memory/2300-9-0x00007FFA7A570000-0x00007FFA7A74B000-memory.dmp

Filesize
1.9MB

Download
memory/2300-6-0x00007FFA7A570000-0x00007FFA7A74B000-memory.dmp

Filesize
1.9MB

Download
memory/2300-5-0x00007FFA3A600000-0x00007FFA3A610000-memory.dmp

Filesize
64KB

Download
memory/2300-4-0x00007FFA3A600000-0x00007FFA3A610000-memory.dmp

Filesize
64KB

Download
memory/2300-3-0x00007FFA7A570000-0x00007FFA7A74B000-memory.dmp

Filesize
1.9MB

Download
memory/2300-2-0x00007FFA3A600000-0x00007FFA3A610000-memory.dmp

Filesize
64KB

Download
memory/2300-1-0x00007FFA7A570000-0x00007FFA7A74B000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads