369ec6bb92f59c1907ddfac380c6df356d1682f4722d1b6bd5ba7e8f275341a9

Analysis

max time kernel
41s
max time network
43s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
11/04/2024, 15:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

none-external_protected_1.exe
Size

3.7MB
MD5

7510637f5f3aad717b92c8d8db32e6cc
SHA1

8f23d98fbe42b7ea014efddb028366612de28b49
SHA256

369ec6bb92f59c1907ddfac380c6df356d1682f4722d1b6bd5ba7e8f275341a9
SHA512

ea30307cab3be56a388232990a8fdc1523b418dd7a503d97ae44f113049c7ecb45dea7f29e53499fbc85a1698b131dc4fd350112a55ca7f26a86841f7de04ea7
SSDEEP

98304:JQJJHrXufDhVC/zmbrCgwhfl93PdBkNzEDuER1y1j3BmoC:GefDhVCKbugOlJPdv56DBy

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	none-external_protected_1.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv"	none-external_protected_1.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	none-external_protected_1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	none-external_protected_1.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/380-0-0x00007FF611C30000-0x00007FF612606000-memory.dmp	themida
behavioral1/memory/380-2-0x00007FF611C30000-0x00007FF612606000-memory.dmp	themida
behavioral1/memory/380-3-0x00007FF611C30000-0x00007FF612606000-memory.dmp	themida
behavioral1/memory/380-4-0x00007FF611C30000-0x00007FF612606000-memory.dmp	themida
behavioral1/memory/380-5-0x00007FF611C30000-0x00007FF612606000-memory.dmp	themida
behavioral1/memory/380-6-0x00007FF611C30000-0x00007FF612606000-memory.dmp	themida
behavioral1/memory/380-8-0x00007FF611C30000-0x00007FF612606000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	none-external_protected_1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
380	none-external_protected_1.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
380	none-external_protected_1.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	380	none-external_protected_1.exe
Token: SeDebugPrivilege	2516	firefox.exe
Token: SeDebugPrivilege	2516	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2516	firefox.exe
2516	firefox.exe
2516	firefox.exe
2516	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2516	firefox.exe
2516	firefox.exe
2516	firefox.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1372	MiniSearchHost.exe
2516	firefox.exe
2516	firefox.exe
2516	firefox.exe
2516	firefox.exe
2516	firefox.exe
2516	firefox.exe
2516	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 380 wrote to memory of 3212	380	none-external_protected_1.exe	77
PID 380 wrote to memory of 3212	380	none-external_protected_1.exe	77
PID 3076 wrote to memory of 2516	3076	firefox.exe	88
PID 3076 wrote to memory of 2516	3076	firefox.exe	88
PID 3076 wrote to memory of 2516	3076	firefox.exe	88
PID 3076 wrote to memory of 2516	3076	firefox.exe	88
PID 3076 wrote to memory of 2516	3076	firefox.exe	88
PID 3076 wrote to memory of 2516	3076	firefox.exe	88
PID 3076 wrote to memory of 2516	3076	firefox.exe	88
PID 3076 wrote to memory of 2516	3076	firefox.exe	88
PID 3076 wrote to memory of 2516	3076	firefox.exe	88
PID 3076 wrote to memory of 2516	3076	firefox.exe	88
PID 3076 wrote to memory of 2516	3076	firefox.exe	88
PID 2516 wrote to memory of 4616	2516	firefox.exe	89
PID 2516 wrote to memory of 4616	2516	firefox.exe	89
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 1316	2516	firefox.exe	90
PID 2516 wrote to memory of 2088	2516	firefox.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\none-external_protected_1.exe
"C:\Users\Admin\AppData\Local\Temp\none-external_protected_1.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Sets service image path in registry
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color B
  2⤵
  PID:3212

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:640

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1372

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2516.0.897716114\1926429976" -parentBuildID 20221007134813 -prefsHandle 1816 -prefMapHandle 1544 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bd79398-0e8f-4b36-acfb-1115a0b1530f} 2516 "\\.\pipe\gecko-crash-server-pipe.2516" 1888 296fdbd8858 gpu
    3⤵
    PID:4616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2516.1.663073868\1184260611" -parentBuildID 20221007134813 -prefsHandle 2252 -prefMapHandle 2248 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3161c36a-099c-4bd4-a6e3-38616c66c127} 2516 "\\.\pipe\gecko-crash-server-pipe.2516" 2264 296fdb03258 socket
    3⤵
    - Checks processor information in registry
    PID:1316
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2516.2.709186103\1074547296" -childID 1 -isForBrowser -prefsHandle 2944 -prefMapHandle 2940 -prefsLen 20821 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f57ac35c-8b93-4c3d-98f5-3226855c7b9c} 2516 "\\.\pipe\gecko-crash-server-pipe.2516" 2936 296fdb5d758 tab
    3⤵
    PID:2088
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2516.3.1117671846\252703312" -childID 2 -isForBrowser -prefsHandle 3360 -prefMapHandle 3356 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {581b605d-0d74-4287-be52-7f4aace1cab5} 2516 "\\.\pipe\gecko-crash-server-pipe.2516" 3460 29684263558 tab
    3⤵
    PID:3344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2516.4.316509041\1593347203" -childID 3 -isForBrowser -prefsHandle 4428 -prefMapHandle 4424 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b09d407c-c697-4a67-9b98-94b78d5f3367} 2516 "\\.\pipe\gecko-crash-server-pipe.2516" 4440 296850db758 tab
    3⤵
    PID:3400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2516.5.1042969721\917268647" -childID 4 -isForBrowser -prefsHandle 1572 -prefMapHandle 5176 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba5b5c9c-e355-48a8-b30d-8bffa76b4626} 2516 "\\.\pipe\gecko-crash-server-pipe.2516" 5184 296843fde58 tab
    3⤵
    PID:4492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2516.6.1724868955\1465191440" -childID 5 -isForBrowser -prefsHandle 5300 -prefMapHandle 5304 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16bb73c6-505b-4c8f-b875-74584ceddc4e} 2516 "\\.\pipe\gecko-crash-server-pipe.2516" 5292 29685643e58 tab
    3⤵
    PID:2332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2516.7.160170593\193354282" -childID 6 -isForBrowser -prefsHandle 5488 -prefMapHandle 5492 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1188f4d-19e8-4eed-be32-0993de05b3f2} 2516 "\\.\pipe\gecko-crash-server-pipe.2516" 5480 296843fd558 tab
    3⤵
    PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
7a4466bae7aad5bf0c7614c27c1c762f

SHA1
641b97cf44744099e55c2bb62298dcf51f49d8bf

SHA256
786e91395d0c8b7d38dc5031255622d15e3e430492b3ab9a988969052253348b

SHA512
492c20017b0e4f1d6dbfbca7dcd4a91a37de1b2b5425c029e282386a0f6826e21e706be993158956a7fc40c1d1d0328257441f5db0788671eca7f3b042fd66c8

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
b1f935cbd0a4e7baeb4cfa73725bb226

SHA1
e5a5f4e788f95ccf950f745d01b8956dd14cb66c

SHA256
d7f24ca6d10c289d45cce23f5a19cebc0ea2b9c6b867f6b4b23c4effb08180a9

SHA512
8891f8904cf16da4ea8ccfc8bb993b6c0ad3beb7c146765d22e82388d2c4f4f01d84c2979b05b6c4bf11e1e93430454cc83dda012010ebf3369d94153327592d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ri34bmyn.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
b050fcfa60a2cc1b38d244ba43407290

SHA1
4b882959a371d38348cc08b98ba4f66967580fa8

SHA256
5117e346fb15a12da2df12bdbc4ceb71f4c697ce705e92b0aeb135dd7a7d4de3

SHA512
701ff7b46f4e44a65aaec099fc1de24f2e20ac21910d13623ed521a914d13c85e897bbaa6db049b1e224df06834ea34f2501da86d393ad50af6b09a351e9744e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ri34bmyn.default-release\datareporting\glean\pending_pings\13ad6c0c-93b0-43e9-a90f-de6ebe97dd54

Filesize
746B

MD5
b144d414f83aaa1c81500c271b036354

SHA1
e24f29f606bdff97fce0a0fc4c20d732825bab30

SHA256
645d872ac210c18daa31b8254af03942136fe492283e3834684423c88b7427e7

SHA512
2c9edf976dd4d069c466e8d3b602c6d1ba427b561d5dcaa7dc23b065e7c0d6addde359eb04a0b0a816b7c97c0f8b8da067fef648a9e941dd77dae58f82e0cca9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ri34bmyn.default-release\datareporting\glean\pending_pings\6de5b2e1-f8de-417f-917d-b236f978caf2

Filesize
11KB

MD5
af6b7a1195fb89b58d595f0411e9365f

SHA1
4c0342400e60da7fb9e69b6d71e780bc7f848c32

SHA256
cca471238674b0acb984c819ae4187df8606f255e35e45235aa181ca3c539831

SHA512
28a5c46644afaf5b91b3c2edd07df0735b67ef794b672b6ff4ee8cbf2449abd510be45eefff21b1622033743c646ea2b4811028af6b9f5b5b4e64e6a3a22b394

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ri34bmyn.default-release\prefs-1.js

Filesize
6KB

MD5
e15d5e250aa07f38622411abf9b32eb9

SHA1
fbb73baf3f9602f30dc2c31271da8469c26a4dd0

SHA256
96262d0f4e251294aa846bb0fa7bbafb3ac19e9abf678b7c97b15ac4b23a0c0c

SHA512
cad438fe45186e1bd1272ed2d28971575992ea55aacb1d9e8c33883878cb102b89105503ca633e20613c7fb05d1e915bef6ea244875ca3e77c2c93e5588caddc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ri34bmyn.default-release\prefs.js

Filesize
6KB

MD5
f48de912ca98c7e53e10f939fcb2709c

SHA1
6349675c7d429984643fc2a1e937f04b6b8aa256

SHA256
9f182c56bfc027dc58b116bacac62cbc0c6b7a49c745253de0735762307738c4

SHA512
c58a83a44c5cda46d408e3ecd3c1b3b07226ca3968c209145735c7d11405db35f8bf3956566e9aa80bdfae5d3db132b556abac2e4fc4eecdfff9444437db3ec0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ri34bmyn.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
dbb65b04f254ae2afcb057915aaffb0f

SHA1
c9a1e407e0597faf3bc7a5d6bed3b45322d4e6d0

SHA256
86d1f6772b9054e54655e27ac27e230ac3ea422d58a0e37e17986814338a2be2

SHA512
4726ae23ca23986448276a2fdf19ab36a2747fd893039a8a9a4b3c1a837d133b64223ac8768028fb1e1553d3c43f86e8f1793164fd91d3550e82c69feaf056d4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ri34bmyn.default-release\sessionstore.jsonlz4

Filesize
889B

MD5
87292d3904fc73b9af2d49329f2c5226

SHA1
0e8c42addfd71d51d0082a7b6c0346fe02ba1a89

SHA256
75c098dfc4e01b8106827ab96bd9abc2f5f49fd75f2c21d10e5203785233f232

SHA512
2236e2d91d13bcd154e0c9e03e06560747cb98873fbc3b2d4a6d7dda008b1a0e3b409db1b369791dabea35c33cc84298e16c88b32d113740681864e5d2bacca0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ri34bmyn.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
b5b136d3bb26cf07e644db277a4cf1cd

SHA1
88c7c3b7a6e8e42ca8ce086de2e01679e2b5a8f6

SHA256
8b280539bf927a5b45875eb5bf322e92590a23b6063dd7fb692b27ee5fa10c59

SHA512
62c261a50ef4800b54e22289d77f8c4a9d642dfd2ceaf08def52d7ce9a08cfff3f2d8f30f1acc6d668e57bcb72f85f56f1134039eb29978bfaecb1a89fba8816

Download Submit
memory/380-4-0x00007FF611C30000-0x00007FF612606000-memory.dmp

Filesize
9.8MB

Download
memory/380-9-0x00007FF9599C0000-0x00007FF959BC9000-memory.dmp

Filesize
2.0MB

Download
memory/380-8-0x00007FF611C30000-0x00007FF612606000-memory.dmp

Filesize
9.8MB

Download
memory/380-6-0x00007FF611C30000-0x00007FF612606000-memory.dmp

Filesize
9.8MB

Download
memory/380-5-0x00007FF611C30000-0x00007FF612606000-memory.dmp

Filesize
9.8MB

Download
memory/380-0-0x00007FF611C30000-0x00007FF612606000-memory.dmp

Filesize
9.8MB

Download
memory/380-3-0x00007FF611C30000-0x00007FF612606000-memory.dmp

Filesize
9.8MB

Download
memory/380-2-0x00007FF611C30000-0x00007FF612606000-memory.dmp

Filesize
9.8MB

Download
memory/380-1-0x00007FF9599C0000-0x00007FF959BC9000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads