42cdb16f6dd64c4fec30c7a71960fe4d0015862c37e7b02c8dba5c0d68384c74

Analysis

max time kernel
1632s
max time network
1624s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rufus-4.4p.exe
Size

1.4MB
MD5

7a4662bb7f331d2252f3d949657d821d
SHA1

ad53fddfbcead7b3e6c322c0aad8c4a826bd4967
SHA256

42cdb16f6dd64c4fec30c7a71960fe4d0015862c37e7b02c8dba5c0d68384c74
SHA512

a1d111fc91cd470d36bd4640884b3550c6a4035e8c5bc5176dc9f67aa2ef8be6fc12956d0b351c272d8bb89646546dac868b32d1d1985dee86ffb6e971b14f3f
SSDEEP

24576:wOyBSB04yZT5Z6iqUbVEMs6MrhXlPrBnr/TwcEgzXIdVWLpuL94q:XgZT5ZSU1fUhXhrBnbTbaAIt

Score

7^/10

evasion trojan upx

Malware Config

Signatures

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4804-0-0x00007FF79D4B0000-0x00007FF79D88F000-memory.dmp	upx
behavioral2/memory/4804-43-0x00007FF79D4B0000-0x00007FF79D88F000-memory.dmp	upx
behavioral2/memory/4804-53-0x00007FF79D4B0000-0x00007FF79D88F000-memory.dmp	upx
behavioral2/memory/4804-67-0x00007FF79D4B0000-0x00007FF79D88F000-memory.dmp	upx
behavioral2/memory/4804-86-0x00007FF79D4B0000-0x00007FF79D88F000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rufus-4.4p.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rufus-4.4p.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rufus-4.4p.exe
File opened for modification	C:\Windows\System32\GroupPolicy	rufus-4.4p.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rufus-4.4p.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rufus-4.4p.exe

Checks SCSI registry key(s) 3 TTPs 17 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	rufus-4.4p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	rufus-4.4p.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	rufus-4.4p.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	rufus-4.4p.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	rufus-4.4p.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Filters	rufus-4.4p.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters	rufus-4.4p.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters	rufus-4.4p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	rufus-4.4p.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	rufus-4.4p.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	rufus-4.4p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	rufus-4.4p.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	rufus-4.4p.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	4804	rufus-4.4p.exe
Token: SeLoadDriverPrivilege	4804	rufus-4.4p.exe
Token: SeLoadDriverPrivilege	4804	rufus-4.4p.exe
Token: SeLoadDriverPrivilege	4804	rufus-4.4p.exe
Token: SeLoadDriverPrivilege	4804	rufus-4.4p.exe
Token: SeLoadDriverPrivilege	4804	rufus-4.4p.exe
Token: SeLoadDriverPrivilege	4804	rufus-4.4p.exe
Token: SeLoadDriverPrivilege	4804	rufus-4.4p.exe
Token: SeLoadDriverPrivilege	4804	rufus-4.4p.exe
Token: SeDebugPrivilege	4292	firefox.exe
Token: SeDebugPrivilege	4292	firefox.exe
Token: SeDebugPrivilege	4292	firefox.exe
Token: SeDebugPrivilege	4292	firefox.exe
Token: SeDebugPrivilege	4292	firefox.exe
Token: SeManageVolumePrivilege	1720	svchost.exe
Token: SeDebugPrivilege	4292	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4804	rufus-4.4p.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4292	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 4292	1172	firefox.exe	117
PID 1172 wrote to memory of 4292	1172	firefox.exe	117
PID 1172 wrote to memory of 4292	1172	firefox.exe	117
PID 1172 wrote to memory of 4292	1172	firefox.exe	117
PID 1172 wrote to memory of 4292	1172	firefox.exe	117
PID 1172 wrote to memory of 4292	1172	firefox.exe	117
PID 1172 wrote to memory of 4292	1172	firefox.exe	117
PID 1172 wrote to memory of 4292	1172	firefox.exe	117
PID 1172 wrote to memory of 4292	1172	firefox.exe	117
PID 1172 wrote to memory of 4292	1172	firefox.exe	117
PID 1172 wrote to memory of 4292	1172	firefox.exe	117
PID 4292 wrote to memory of 1956	4292	firefox.exe	118
PID 4292 wrote to memory of 1956	4292	firefox.exe	118
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2332	4292	firefox.exe	119
PID 4292 wrote to memory of 2076	4292	firefox.exe	120
PID 4292 wrote to memory of 2076	4292	firefox.exe	120
PID 4292 wrote to memory of 2076	4292	firefox.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\rufus-4.4p.exe
"C:\Users\Admin\AppData\Local\Temp\rufus-4.4p.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4804

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4452

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:2404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4404

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4292.0.1690810594\86090598" -parentBuildID 20221007134813 -prefsHandle 1856 -prefMapHandle 1848 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f8ba0af-ef97-44b3-b4a9-8a9ce11f5643} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" 1948 1ff39904d58 gpu
    3⤵
    PID:1956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4292.1.32192184\743428323" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2308 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48c9a3e8-8386-4ca6-a128-d5354d7e1b1a} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" 2348 1ff387f1458 socket
    3⤵
    PID:2332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4292.2.1673190080\794022539" -childID 1 -isForBrowser -prefsHandle 3248 -prefMapHandle 3244 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da8cd9f3-1dc6-4fd9-b2b3-cb5043489237} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" 3256 1ff3c9a2c58 tab
    3⤵
    PID:2076
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4292.3.1204679727\1232465676" -childID 2 -isForBrowser -prefsHandle 3464 -prefMapHandle 2996 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c70a27d5-8d88-49fa-bb5f-d2da1f98ac32} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" 3692 1ff2bf67558 tab
    3⤵
    PID:2272
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4292.4.2024291599\1614840423" -childID 3 -isForBrowser -prefsHandle 4452 -prefMapHandle 4448 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9552610-20ea-45bc-a29d-e43463b59452} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" 4460 1ff3e5b1558 tab
    3⤵
    PID:968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4292.5.576900357\1205627692" -childID 4 -isForBrowser -prefsHandle 5048 -prefMapHandle 5044 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b5285ed-ae00-4b9e-a9e8-170d79075e6f} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" 5056 1ff3eaf3858 tab
    3⤵
    PID:5320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4292.6.833900020\148488178" -childID 5 -isForBrowser -prefsHandle 5184 -prefMapHandle 5188 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d69891b2-c90c-4f6d-b6f5-80561935602b} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" 5176 1ff3ebf5158 tab
    3⤵
    PID:5328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4292.7.386968699\1311946522" -childID 6 -isForBrowser -prefsHandle 5376 -prefMapHandle 5380 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b10a32f-2e6a-4271-8dc5-b14b5ac3c51d} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" 5368 1ff3ebf7858 tab
    3⤵
    PID:5336

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4328

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\on1px6pk.default-release\cache2\doomed\12566

Filesize
9KB

MD5
ee1de253c158a82016d9670e0b002706

SHA1
1a21bae1720273f1d93aeaaf47d36151f7c4d4f7

SHA256
586b2d8b03331410525d58d1a321b408961bda65c60dc24df1f87024d7c54b8f

SHA512
c0de4221e50576ffff009257b2a5e846d5be98f605611dc6705b3cdcf40ebe42c171ca88097272128b0e0f8614bd3423896520010c49e0185579f3ec14fdb13a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\on1px6pk.default-release\cache2\doomed\18800

Filesize
9KB

MD5
8c33144f874b02c85ac45c5b7b43da41

SHA1
041c2e8c03e61cff1743a804e45f574c08fbe82f

SHA256
4b68baf0d6d51084cd21c46453478e4fe074098f02c28e2b972c62620fe84dbd

SHA512
6bc339b0445dd30c4e6844491345722ac4502f39c1eddbd0cac0fbe65086bcd005a27726f5afa3dc6abd6df2eb013ccfb1cd8a399e2d25408a86500bcf890bfa

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\on1px6pk.default-release\cache2\entries\E66F5AA5E3C285C270CF84BD11111C74D38F245C

Filesize
13KB

MD5
4b2093e033d7961228431fa67d319df2

SHA1
99cd2e5d2ac11549f4dd04d93b2fd7ee995c2089

SHA256
0eaa804b4f17394f5344ed66e152f2623b61a3631e3d0cf2e60f63a425591028

SHA512
46754ce6b58bc570379c759911d76eb6e66db69d1f7d42fcf3563a17a7547b685b661a802d80ab3622c0adc66dc0e9d2bc26bcdcbc13ee0cff2caa173a22cda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rufus.ini

Filesize
41B

MD5
a236dfddc9227544066dd94ba5fb1e71

SHA1
f752986e39630894f2a14b83e2c1a145fadf9213

SHA256
ab3687f8f932afaff4421f2700b11121daff0c8eb186f91ea00f101cbbad6a86

SHA512
bda2bcd0f983ce7014a9ac8343e12b5bf44f7efe2790caadeda0c18fbcd5a5139a0e65804ef627ecc30a1ed5243c999173fd920dcad6b669f39739d2565b6563

Download Submit
C:\Users\Admin\AppData\Local\Temp\rufus.ini

Filesize
70B

MD5
1b335ecab9ab03ddd9a5b8cbb800588f

SHA1
f040f26110029d3fc906b155a2f347de7d5a3949

SHA256
b41a36232db2574b179bb38646c36c1da38899f499699a33fb642d7f56571ef5

SHA512
46472f97a25ce576c9562af994fb2c376b1f0a0387dd4121f2fc93aac8147684da6db40be9a5bc40b6abfa6830f614ab42bbcde8ccead6748b345fe8520b655f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
5KB

MD5
4a9323ed4f928298377870cd9c6cdfd4

SHA1
b8c69fc5292f328aa1fdbdb90112d5ef0aef5754

SHA256
750557eb5aa0d8337149ad0f3e6a550b7296905f83649845db95471550eda07b

SHA512
4f6c26e05f30ee0046def365e7c5a13bd97f54f8a6e4c47d1c3644502aa5be904703ee9d7d8cceffb9aff0d76cd73502e66b14d1607af8cabd5af62fc813a779

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\bookmarkbackups\bookmarks-2024-03-05_11_CCpZVMvoZkGDpI3NsstdiA==.jsonlz4

Filesize
945B

MD5
50a70a8bf59da6baf28287acbd719907

SHA1
613c5fb4908c603026a6d1089e2d3b10e48c728c

SHA256
9e785279d1028bde50501523b5da6ebe1dc70046dd1209fdbea49f4a0386185e

SHA512
df5177bed3498c2bad8a4645d3d4767344644156856599fcca4a777c753e4739dc669fe31eb281f0c3933c4b732455493e43b4ab110abde4774128b91ddab2b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\broadcast-listeners.json

Filesize
216B

MD5
7f61ff6f45b077dc2ab2fc8f273ffb26

SHA1
14af5fb8d2832a00c1314e045f028cb2944a1985

SHA256
873096d821743b148c10118dd8f98b428b89945ade6d4a0eb02546dfbb100469

SHA512
c08faafd6b9cfe76a642a3ca841e1bf75d7332719232bac91e5881e5941f0adc83e62e3e2c94edc348efb9622b6d61a9364f84d27642df86cce41d102873dcf0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
214f0783d793f4fe327934e441a132ea

SHA1
b9fc5a9a00943059955e29442db882622f5d5ca5

SHA256
aefac38b430590172192d9fdafd2494da1360230ea49ac3bfc89dc921a1965e4

SHA512
630ef64b7f56b0fc09fa9d608494bd447734cc052a5390fd2b5a99b609cfe7399ece60413afe354160671b4bb04aab88c39892cc255d6fc6363d3f4728bc3076

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\datareporting\glean\pending_pings\144cdce4-5d4c-4145-b56e-07ada2c0f00c

Filesize
10KB

MD5
f794653abad86851e14c9353c12d403d

SHA1
bf51b22059b38b3506a42dfa15e01a4b7dd3901c

SHA256
0ab054b205f30f84122d3fcdd4d7852d5fecdd14a5740cc1ec940724bb25b85e

SHA512
2c2b8d73546c15d43ecfedcae2e861ec49f6aeb9359adc57a573c372493927e1ef3b46b85d3b237caad5f2916373b5f35d6961f223a5d371a999e610eadf4c13

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\datareporting\glean\pending_pings\a4e0c131-e64a-4939-b9ac-6c164af5f884

Filesize
746B

MD5
0c1c04c667d3d7a59295c80bbfe98ad5

SHA1
67389c2da7eb75660624520790c3a9c9d006c5fd

SHA256
c70542fa1b6f5e715af3ef419cc0c6c8ff4dad2df15361b7fe2cb5352e6164e0

SHA512
ee5127b5465630f8057906481e0dbb4fff1a3e02105ad5c217a2d7f54593f3e943fa7ed8c0ad6aa8121453070e2d1d92cb3b5a033157c3730938e3cf91c161e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\extensions.json.tmp

Filesize
34KB

MD5
425e2ad367a509cbb0ca15abca06a50a

SHA1
0453af38a985f8c2cbf81cdb2166a92a6713aa07

SHA256
fd2c0e35b41abdc129d98f7eaf4998a34e97ce9c5d6d5178e5aa4d508ceb5030

SHA512
1e927349e2d7656c247a53fe6b06322e7f0e9f5e0714bc4f7784f9859f64bc2f1ac6a35809f8f3f069f4dabf064f221dee2e8c90634ce3eb79aececa9dcac2c6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\prefs-1.js

Filesize
9KB

MD5
24a3c2ffdae99b9ee9f31683dfc12517

SHA1
fd4cd93c4cbb48ef48b2103e9e557a57dedcea77

SHA256
c0b75c924ab2ea315ba4dcb3525e73a126e29d2778930989ab059c1bd79c84f4

SHA512
f66aa08e8a1b1de38b78a158f38cee3fe2f82ebaf2670a52922e0686772f87908c283cb0b52ad9a414d931c85915d7f28447029ef0ca683d2f18b7eaf3bd771e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\prefs-1.js

Filesize
9KB

MD5
ecf8b190ca31996fee6ea8faaa6a74a0

SHA1
c540ab17847b7621c8458fd12bc5f89d5d1bbc36

SHA256
4ee9d2df049d36c84ad826df77a4366fcb1127767ef772ddfe38c900bb423b78

SHA512
bafa5293886dcb29dddd032fdb1d073c0d7b2863c35bfd33853cd0c479da86434d776e1ea3147ec4209e9bdb5e5f055484ef4fa154ea17cfcc4bf588f49fb7a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\prefs-1.js

Filesize
10KB

MD5
6f0d4a78bc2e8823257ec03bf23e1191

SHA1
cb2c2be5d527bfc029ab218ba664e58d6fe5e708

SHA256
8814fbe4063dcbae8b01dda6d93ef8a1a6616de5ab66cd40ded2a02360f0d46c

SHA512
3ae84dd564f36e99a594aea735abd2f2125dfdbb5840a6148421015e6839834e697d5e278aaadd3c29f0526c9db3c072ca87895df6aeb45ae55846a17010635d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\prefs-1.js

Filesize
6KB

MD5
f4024178c8f892a5510b247339dba67e

SHA1
0b0ec98c506bfed42d4a22946dfaa7a642000445

SHA256
572f488d4848860f45a34d73d5574f2baf18507af8644c1ede271e2c5152971c

SHA512
bd5c22bbcb3f1fee819cf258a0f1edad973f21c7d9bc2b1b4de8b594ee9c19814b13c5fa2b669ce6b92cc553514137aa62547f98ff390c53e1970bc7b866630b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\prefs.js

Filesize
6KB

MD5
15851eeff834439b466359a0047b531b

SHA1
7fd41c9bf70b1b68249c480c408f9647de06eac0

SHA256
bd959775839afd20ece13430144a84731ff4249b1472f0eeb73748e47efc9322

SHA512
9d80e3d0cbad80061224e05fe78d800430db2cea93010b6a5ed6243ddd684d0f17f502970302b0cb039445cee67203ade930767dfe3fa3ff933f32cb59f9d688

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\prefs.js

Filesize
6KB

MD5
00974079f3dd60f6fa0a0b4470968ebd

SHA1
7c00139c7fc994df18cbbb5a43f0283fd7409f06

SHA256
8f6a1565b905e08e95454120ae4c286499bd8cec9e6dbafef1d500d395412698

SHA512
52bf5cbe85cb8d06caa84944d55a275a86c9d112157edfbf2244999b29cd8bdad12176eecc5affc057059b18b6e74da362581fc03900ee0e5dc28c1b659cadc6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\prefs.js

Filesize
10KB

MD5
6982af83d712fbde0764f667e11ffcf0

SHA1
4e2c8c0295336dc553dcc72a1297d4d0ae03cf58

SHA256
9cedc1c9168bcab2d0f9d01ad4a77e25ed405ab6b749570c19a7f234d00ad2c8

SHA512
1ab572ad7f11ca5963e64f9fbbde23e3fb78919b1436bf5a278514ee61aab00fba1b72b7187597bf0384b5217555e06c304da67e5d4f6da5f23eec971675ee21

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
b477a519c31d0a8de97f6472908866e7

SHA1
f45e9fd397d0ab19bcb39a6dfe44acf30aee2217

SHA256
a8576ea6c46a67a6afcc3c88054136fa654e0c2431acf056922c71da5753fc7d

SHA512
492ca4b9829553edec663137fbdd93cbba1325d594746d2e6f3e72fd1cce57f5dfd77482bbdfaf11c6a038327f8c8712b4f6a6b6f2047960810324d326195912

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\targeting.snapshot.json

Filesize
3KB

MD5
57df36fe87fb4a7993b4e76e75de0909

SHA1
0bb996b50e252eb656a2fef3a31f7515ff1eeb7c

SHA256
a1d21fc32fbe42fe679135eefdcceae976af44f7d347a2aa5f5738050f2f0612

SHA512
2004c017b99cc1416782226113e6a8b794fdcceaf0268d36ef7b4ee2c213cea5b1a9eb19ca27cfa634ef9a41f1256bf320fcb73a853fe0da689bb97eadbb6866

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
cead048a81341e7f91c31f96a82e98e3

SHA1
32f24dda3c3774957c623df11c1237c36ded44fd

SHA256
07956deed8284ce2dc1ff98f4a0fc3776df4b2299f53fac42962fe6f8de39836

SHA512
34c2887a34a65befe377822c93c662f26ace734b74628c77334d019f22633ecde948ceba29dad5d2b38685bfd90bbdc9817887f1f5a7bd4d3d68fbde38611a7a

Download Submit
memory/1720-2211-0x0000020C84D40000-0x0000020C84D50000-memory.dmp

Filesize
64KB

Download
memory/1720-2230-0x0000020C8D0B0000-0x0000020C8D0B1000-memory.dmp

Filesize
4KB

Download
memory/1720-2231-0x0000020C8D1C0000-0x0000020C8D1C1000-memory.dmp

Filesize
4KB

Download
memory/1720-2229-0x0000020C8D0B0000-0x0000020C8D0B1000-memory.dmp

Filesize
4KB

Download
memory/1720-2227-0x0000020C8D080000-0x0000020C8D081000-memory.dmp

Filesize
4KB

Download
memory/1720-2195-0x0000020C84C40000-0x0000020C84C50000-memory.dmp

Filesize
64KB

Download
memory/4804-86-0x00007FF79D4B0000-0x00007FF79D88F000-memory.dmp

Filesize
3.9MB

Download
memory/4804-67-0x00007FF79D4B0000-0x00007FF79D88F000-memory.dmp

Filesize
3.9MB

Download
memory/4804-53-0x00007FF79D4B0000-0x00007FF79D88F000-memory.dmp

Filesize
3.9MB

Download
memory/4804-0-0x00007FF79D4B0000-0x00007FF79D88F000-memory.dmp

Filesize
3.9MB

Download
memory/4804-43-0x00007FF79D4B0000-0x00007FF79D88F000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads