bbd05de19aa2af1455c0494639215898a15286d9b05073b6c4817fe24b2c36fa

Analysis

max time kernel
380s
max time network
392s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2024 00:44

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

the pass for this is 42 it's a zip bomb.zip
Size

41KB
MD5

1df9a18b18332f153918030b7b516615
SHA1

6c42c62696616b72bbfc88a4be4ead57aa7bc503
SHA256

bbd05de19aa2af1455c0494639215898a15286d9b05073b6c4817fe24b2c36fa
SHA512

6382ca9c307d66ab7566acf78b1afd44b18b24d766253e1dc1cb3a3c0be96ecf1f2042d6bd3332d49078ffee571cf98869c1284c1d3e5c1c7dc3e4c64f71af80
SSDEEP

768:hzyVr8GSKL6O3QOXk/0u3wqOghrFCezL1VFJdbq2QTJTw02Q:hGx8DKXE//ZhhCirFi2cwK

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Executes dropped EXE 6 IoCs

pid	Process
4956	MEMZ.exe
4084	MEMZ.exe
5472	MEMZ.exe
5928	MEMZ.exe
4608	MEMZ.exe
4800	MEMZ.exe

Loads dropped DLL 3 IoCs

pid	Process
3356	plugin-container.exe
6020	plugin-container.exe
3364	plugin-container.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 24 IoCs

Web Service

T1102

flow	ioc
479	discord.com
180	discord.com
182	discord.com
242	discord.com
287	discord.com
414	discord.com
478	discord.com
256	discord.com
405	discord.com
410	discord.com
475	raw.githubusercontent.com
419	discord.com
473	raw.githubusercontent.com
179	discord.com
334	discord.com
335	discord.com
407	discord.com
412	discord.com
413	discord.com
474	raw.githubusercontent.com
178	discord.com
181	discord.com
286	discord.com
472	raw.githubusercontent.com

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
3356	plugin-container.exe
3356	plugin-container.exe
6020	plugin-container.exe
6020	plugin-container.exe
6020	plugin-container.exe
6020	plugin-container.exe
3364	plugin-container.exe
3364	plugin-container.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Local Settings	firefox.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\42.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\the_pass_for_this_is_42_its_a_zip_bomb.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe
4084	MEMZ.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4064	firefox.exe
Token: SeDebugPrivilege	4064	firefox.exe
Token: SeDebugPrivilege	4064	firefox.exe
Token: SeDebugPrivilege	4064	firefox.exe
Token: SeDebugPrivilege	4064	firefox.exe
Token: SeDebugPrivilege	4064	firefox.exe
Token: 33	4048	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4048	AUDIODG.EXE
Token: SeDebugPrivilege	4064	firefox.exe
Token: SeDebugPrivilege	4064	firefox.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4064	firefox.exe
4608	MEMZ.exe
5928	MEMZ.exe
4084	MEMZ.exe
5472	MEMZ.exe
4800	MEMZ.exe
4608	MEMZ.exe
5928	MEMZ.exe
4084	MEMZ.exe
5472	MEMZ.exe
4800	MEMZ.exe
5928	MEMZ.exe
4608	MEMZ.exe
4084	MEMZ.exe
5472	MEMZ.exe
4800	MEMZ.exe
5928	MEMZ.exe
4084	MEMZ.exe
4608	MEMZ.exe
5472	MEMZ.exe
4800	MEMZ.exe
5928	MEMZ.exe
4084	MEMZ.exe
4608	MEMZ.exe
5472	MEMZ.exe
4800	MEMZ.exe
4084	MEMZ.exe
4608	MEMZ.exe
5928	MEMZ.exe
5472	MEMZ.exe
4800	MEMZ.exe
4608	MEMZ.exe
4084	MEMZ.exe
5928	MEMZ.exe
5472	MEMZ.exe
4800	MEMZ.exe
4608	MEMZ.exe
4084	MEMZ.exe
5928	MEMZ.exe
5472	MEMZ.exe
4800	MEMZ.exe
4084	MEMZ.exe
5928	MEMZ.exe
4608	MEMZ.exe
5472	MEMZ.exe
4800	MEMZ.exe
5928	MEMZ.exe
4084	MEMZ.exe
4608	MEMZ.exe
5472	MEMZ.exe
4800	MEMZ.exe
5928	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 4064	1708	firefox.exe	108
PID 1708 wrote to memory of 4064	1708	firefox.exe	108
PID 1708 wrote to memory of 4064	1708	firefox.exe	108
PID 1708 wrote to memory of 4064	1708	firefox.exe	108
PID 1708 wrote to memory of 4064	1708	firefox.exe	108
PID 1708 wrote to memory of 4064	1708	firefox.exe	108
PID 1708 wrote to memory of 4064	1708	firefox.exe	108
PID 1708 wrote to memory of 4064	1708	firefox.exe	108
PID 1708 wrote to memory of 4064	1708	firefox.exe	108
PID 1708 wrote to memory of 4064	1708	firefox.exe	108
PID 1708 wrote to memory of 4064	1708	firefox.exe	108
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 1124	4064	firefox.exe	109
PID 4064 wrote to memory of 712	4064	firefox.exe	110
PID 4064 wrote to memory of 712	4064	firefox.exe	110
PID 4064 wrote to memory of 712	4064	firefox.exe	110
PID 4064 wrote to memory of 712	4064	firefox.exe	110
PID 4064 wrote to memory of 712	4064	firefox.exe	110
PID 4064 wrote to memory of 712	4064	firefox.exe	110
PID 4064 wrote to memory of 712	4064	firefox.exe	110
PID 4064 wrote to memory of 712	4064	firefox.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\the pass for this is 42 it's a zip bomb.zip"
1⤵
PID:2064

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 25457 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5214a7db-bf9a-43de-9fa7-dcb1052f683b} 4064 "\\.\pipe\gecko-crash-server-pipe.4064" gpu
    3⤵
    PID:1124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2376 -parentBuildID 20240401114208 -prefsHandle 2368 -prefMapHandle 2356 -prefsLen 25493 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6bc791dc-42c9-427f-83db-f245ca9168d7} 4064 "\\.\pipe\gecko-crash-server-pipe.4064" socket
    3⤵
    PID:712
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2968 -childID 1 -isForBrowser -prefsHandle 2816 -prefMapHandle 2644 -prefsLen 25634 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6325a00-7967-4db2-9425-b3ecc5e09431} 4064 "\\.\pipe\gecko-crash-server-pipe.4064" tab
    3⤵
    PID:4704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4248 -childID 2 -isForBrowser -prefsHandle 4340 -prefMapHandle 4336 -prefsLen 30867 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d3debd1-9fd1-490d-aabb-bc6403ddfbfd} 4064 "\\.\pipe\gecko-crash-server-pipe.4064" tab
    3⤵
    PID:852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4920 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4912 -prefMapHandle 4900 -prefsLen 31168 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {344a7957-7570-4265-816d-3d0174bdba78} 4064 "\\.\pipe\gecko-crash-server-pipe.4064" utility
    3⤵
    - Checks processor information in registry
    PID:5272
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5176 -childID 3 -isForBrowser -prefsHandle 5144 -prefMapHandle 4196 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e20c3ce-af7e-47bd-8cdc-d8253a4f4bc9} 4064 "\\.\pipe\gecko-crash-server-pipe.4064" tab
    3⤵
    PID:5508
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5348 -childID 4 -isForBrowser -prefsHandle 5424 -prefMapHandle 5420 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49cadaac-8739-4fb8-9af0-c3ba5cc55645} 4064 "\\.\pipe\gecko-crash-server-pipe.4064" tab
    3⤵
    PID:5520
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5612 -childID 5 -isForBrowser -prefsHandle 5532 -prefMapHandle 5540 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bc66fb7-7cff-4568-bd81-890c9f9362ff} 4064 "\\.\pipe\gecko-crash-server-pipe.4064" tab
    3⤵
    PID:5532
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6060 -childID 6 -isForBrowser -prefsHandle 6048 -prefMapHandle 6032 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d58a8e20-5801-410e-a4d5-f5220948c80a} 4064 "\\.\pipe\gecko-crash-server-pipe.4064" tab
    3⤵
    PID:1856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5076 -childID 7 -isForBrowser -prefsHandle 6444 -prefMapHandle 6424 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {635e36c5-d532-456c-a1b6-5dff3608b900} 4064 "\\.\pipe\gecko-crash-server-pipe.4064" tab
    3⤵
    PID:4580
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5456 -childID 8 -isForBrowser -prefsHandle 5196 -prefMapHandle 5444 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {834a1d40-16cf-44d4-ba7b-980769a9c232} 4064 "\\.\pipe\gecko-crash-server-pipe.4064" tab
    3⤵
    PID:4692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7200 -parentBuildID 20240401114208 -prefsHandle 7420 -prefMapHandle 7416 -prefsLen 32593 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0a1c225-e3f6-4719-9695-e775d85b6879} 4064 "\\.\pipe\gecko-crash-server-pipe.4064" rdd
    3⤵
    PID:6028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7232 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 7432 -prefMapHandle 7428 -prefsLen 32593 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e4ee6fa-ebc4-43bc-b6f2-0142dddd39b1} 4064 "\\.\pipe\gecko-crash-server-pipe.4064" utility
    3⤵
    - Checks processor information in registry
    PID:6036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7576 -childID 9 -isForBrowser -prefsHandle 7580 -prefMapHandle 7544 -prefsLen 28134 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46fbabdc-aa4f-43ed-825b-165e11f8a4c5} 4064 "\\.\pipe\gecko-crash-server-pipe.4064" tab
    3⤵
    PID:5992
- - C:\Program Files\Mozilla Firefox\plugin-container.exe
    "C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel=7780 -parentBuildID 20240401114208 -prefsHandle 7960 -prefMapHandle 7968 -prefsLen 32593 -prefMapSize 244658 -pluginNativeEvent -pluginPath "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\gmp-widevinecdm\4.10.2710.0" -appDir "C:\Program Files\Mozilla Firefox\browser" - {3882d9ca-4922-442e-908e-922ca017ffeb} 4064 "\\.\pipe\gecko-crash-server-pipe.4064" gmplugin
    3⤵
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:3356
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8140 -childID 10 -isForBrowser -prefsHandle 8128 -prefMapHandle 8136 -prefsLen 28134 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26947bb9-aad7-4e20-adfb-faea2a4574d9} 4064 "\\.\pipe\gecko-crash-server-pipe.4064" tab
    3⤵
    PID:1516
- - C:\Program Files\Mozilla Firefox\plugin-container.exe
    "C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel=6044 -parentBuildID 20240401114208 -prefsHandle 5492 -prefMapHandle 5716 -prefsLen 32636 -prefMapSize 244658 -pluginNativeEvent -pluginPath "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\gmp-widevinecdm\4.10.2710.0" -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0ef0378-df9a-4cbf-bfe6-5f00fe9c1e7b} 4064 "\\.\pipe\gecko-crash-server-pipe.4064" gmplugin
    3⤵
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:6020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5492 -childID 11 -isForBrowser -prefsHandle 6368 -prefMapHandle 6076 -prefsLen 28177 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2cea845f-2407-4ec0-9c69-7b9dca8cbf84} 4064 "\\.\pipe\gecko-crash-server-pipe.4064" tab
    3⤵
    PID:3360
- - C:\Program Files\Mozilla Firefox\plugin-container.exe
    "C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel=6344 -parentBuildID 20240401114208 -prefsHandle 6340 -prefMapHandle 6384 -prefsLen 32636 -prefMapSize 244658 -pluginNativeEvent -pluginPath "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\gmp-widevinecdm\4.10.2710.0" -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c112e3b-67ba-4236-b64d-a7c82514eb45} 4064 "\\.\pipe\gecko-crash-server-pipe.4064" gmplugin
    3⤵
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:3364
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6076 -childID 12 -isForBrowser -prefsHandle 6364 -prefMapHandle 7972 -prefsLen 28177 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {adef3c3f-65f4-4698-8b98-670520f4bbe2} 4064 "\\.\pipe\gecko-crash-server-pipe.4064" tab
    3⤵
    PID:5408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5504 -childID 13 -isForBrowser -prefsHandle 6916 -prefMapHandle 6904 -prefsLen 28177 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {61b78bd2-016e-416a-a916-d2c7323c3727} 4064 "\\.\pipe\gecko-crash-server-pipe.4064" tab
    3⤵
    PID:6020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6916 -childID 14 -isForBrowser -prefsHandle 5292 -prefMapHandle 7624 -prefsLen 28177 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f325eb2c-5531-4fcf-9464-b7df6b50fd47} 4064 "\\.\pipe\gecko-crash-server-pipe.4064" tab
    3⤵
    PID:3868
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:4956
  - - C:\Users\Admin\Downloads\MEMZ.exe
      "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4084
  - - C:\Users\Admin\Downloads\MEMZ.exe
      "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5472
  - - C:\Users\Admin\Downloads\MEMZ.exe
      "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5928
  - - C:\Users\Admin\Downloads\MEMZ.exe
      "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4608
  - - C:\Users\Admin\Downloads\MEMZ.exe
      "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7944 -childID 15 -isForBrowser -prefsHandle 4760 -prefMapHandle 6296 -prefsLen 28177 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82f6c98c-1e7e-4392-aa17-3c034f4a463d} 4064 "\\.\pipe\gecko-crash-server-pipe.4064" tab
    3⤵
    PID:5488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7600 -childID 16 -isForBrowser -prefsHandle 5528 -prefMapHandle 6284 -prefsLen 28177 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa3f0c6a-84f2-41a2-85f5-7932e64dd4e9} 4064 "\\.\pipe\gecko-crash-server-pipe.4064" tab
    3⤵
    PID:4280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8364 -childID 17 -isForBrowser -prefsHandle 5300 -prefMapHandle 5216 -prefsLen 28177 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b74f6c8-df9c-44f6-93e6-c34503bafe3b} 4064 "\\.\pipe\gecko-crash-server-pipe.4064" tab
    3⤵
    PID:4308

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5408

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x46c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\md1ejlmw.default-release\cache2\doomed\22115

Filesize
256KB

MD5
1dabc96da2d0b57648eeceb324cbedb1

SHA1
678af94ffea07b0362df53e6aa31ef7f56531aab

SHA256
f13b0e29d07227f83c4abe74b8143d302d6d0eedf65e045968f2e290ea404602

SHA512
a15af5296612506639f59f308800bf2ae095e2c8f6777a0bf0cf102a35b6032c4723a637960155b45d6a14216d262b9e4b4f1eed75814067b7c71a5b3cd63995

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\md1ejlmw.default-release\cache2\entries\0AAC130CB8B98A3DAAFCA9F322D537BE418B75FE

Filesize
1.7MB

MD5
9431f25fed9c7b0932d04773d1ceeb05

SHA1
184f656d51a3037acd3878da34ea1719f29bd5a3

SHA256
759e6756662464678b2b79c2caefe275e71d42b96d59e0a1bf096be538bbca9b

SHA512
be005c2453e987833bddce127317c4ac5aee7e9114720ca08168eaa8fc530e1f11452b39e1afaaa173315d241f64958b772262ee437879609195274b63b72fe3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\md1ejlmw.default-release\cache2\entries\0F6E48FC2FE3BA07CF39A943382347AA9FC8C2FC

Filesize
60KB

MD5
6b37d1fbfbb5d86d13e3a81fec7f8829

SHA1
ba0ff7cef389686604c8b637e0eb85086579e797

SHA256
83b2fada318ae091850aa4c288c7f212aaeba4284c95bafbaa9d76d12651b270

SHA512
5d28a4fa695be8ac51b4e424683e33bf15763a5da5384c87a7e7d51c4e3134dd3dc139ee8a406cb431f9dfdd4e6d76a9f45539c9bbe83b0074864e8d55747071

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\md1ejlmw.default-release\cache2\entries\2469FBBC9E707AF634AA2781474D02239F8E27E0

Filesize
714KB

MD5
2d07e3eb8735bc4844706964fdb52e6f

SHA1
65481bab59b77a09470d1772d2d937fc75aa7dae

SHA256
d964b017b7f27303176ebf972da0cd2b3f1c394505469274881637ba7b8554f5

SHA512
3cb2c06a37f11eb3f31fbd1589263a2ecd7123bca4008e2fde35f5679fc1a8a1d59e19f8d3efef7ea0fe232e16dd39a09a157bed30bc25c6a5833fb7162fcb94

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\md1ejlmw.default-release\cache2\entries\2ED05A07C7569CE65C5B99EC261642EB57785067

Filesize
639KB

MD5
8873affc2f34a1709d7121a63e541b7f

SHA1
9939d2accdb79f87028e25693b359514b0611bb2

SHA256
de42427163deb7f5fb8fc978a1fbc5dedfdd5c9fca1707e18c23244c0c73707b

SHA512
f224b5639c8a5902a6ff211c1ad9ea45fcdcbea75680e82309da12cd6e22b9fe37a84a446b3b43a757943e0e56bdb29656de43dc149afc4d42faec6ba4c67222

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\md1ejlmw.default-release\cache2\entries\2EF9511A5789411B3B63C98EBEAE6C59FF5EA4CB

Filesize
1.3MB

MD5
8fbe4824e2ac212be081a7203939e4d6

SHA1
acb9df69d8f93fa15bcd3187392991e24970be63

SHA256
d173cf18a1fc8b7011da2332a5f3b557c3de01aa3d5a0a8b714c6a447ecd5244

SHA512
fba8a0bab6f3b3ae469331542ee83d8f3ad5e96c922a08808af8d3fe1a667dd832747b7eadd8c5954e8aa96058b175d56d8e28c9417382b441c7051cd7173596

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\md1ejlmw.default-release\cache2\entries\37D8A518730D8ADBE4EDE9763B77E6D3225A4FF7

Filesize
85KB

MD5
2d7b2a5eb3c22a55208336982e1466d4

SHA1
b4156290d4d1580d4a9babd6db19823d93b04ce5

SHA256
16be40e0eefa674a02caa0288c6a29484f50637641d83ca2fbccbeea9aa805ab

SHA512
9c2fced65d90bf69729d75f8108a85d8d9135efb6d0088f8b571782cea25dccbc71ca9d4fe2a7f67034c070dd6f9577cb826c141a5297972cbbbafa9eaa52752

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\md1ejlmw.default-release\cache2\entries\3A4025C83F8A29D2C44BA8DFF499D87174ADD237

Filesize
436KB

MD5
cde1a6fa66e3108bf25f2aec2a2890a1

SHA1
1f0b058f838e1181ad9e6e4afbbe29e0ad5d0f13

SHA256
28d741ba5d1468e2d63abe428e4288f3a46f1e198224fb9d6b624f65c4b4f4d7

SHA512
826f7f08eefff17e04f8e77041ed267601d513374160b914c03a96594d66f590ffd2d845d29791cc709135fb29c28f0da0f9ca119cee262e6546d4e16dabad71

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\md1ejlmw.default-release\cache2\entries\42663357FEDB6E57C454E8E9C3A9A23A8CC45389

Filesize
105KB

MD5
b061f849076fa3a02c8d8f330fe71747

SHA1
b0917fe5d29aaadeacb86ac2d54eab0c99cb3a58

SHA256
ba6ca2c6e74595d8eacd94a9d2cafd4cee6c2d5f3bf238545ea5f08a49471234

SHA512
fa9eca7901e84ccc37c6737e67a5ed070dc0bfb13acc71d7310a6942884c559cc308981ef01cb49bedc7e38c5a015a635ce77d7508be2e677abb8e2393e8bbca

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\md1ejlmw.default-release\cache2\entries\5486536FCF5B14CDFB7A6291D0863118AB3F278F

Filesize
176KB

MD5
4eac2abe62697818835ae86d30fd471d

SHA1
882d3c04702898d042b5e20d75d4f645cc914f62

SHA256
9288236acb966c2bfa4eb156b623a1126836a5ee3af1ffb07f9462bf10de6c4d

SHA512
a08f9313a4ec1069d2116813c9733d47acd014eb461cdc208c6a0d700b51bc80c1f9fad74d77b64b50bf81d26b78110ddac719151c69c2787b37c0ab6474a6a8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\md1ejlmw.default-release\cache2\entries\57796BF0893F16D1C5BA281843FF49DF35F86CA3

Filesize
53KB

MD5
94885b5178bd2bea970f27e8b1ece1b2

SHA1
c7152d23a007238ecef02b3da73b0a94f7de446f

SHA256
0f31bf46f164f41f33e8aaba83ff66227860933d115f2af71d784b93367ea13d

SHA512
3030ba1d744b4fbcc06f23213cecbaa8b888f70323481f2d42d352eef559b8216dc03c8151eb455f3a201531c98acbbdbe71bdcc4ef0282cbc60748e786c5cbc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\md1ejlmw.default-release\cache2\entries\689366435B49653FDE18A18FE8D87E0B398E75AC

Filesize
457KB

MD5
2f16f565f94b9089f9bf2b1afe8f0ab0

SHA1
a8e137da83a23fc90e263f1a555f721c71d8178e

SHA256
d9871b52b7cc4b8627d81b5e36699cca49e2ad8ddccca84ce55094f1fc5c223c

SHA512
246790fb405e7b0061f984854e3e4470e44b685a3b511c19bc5f06b63206c3ba0c63f17c193c344511fd699da16afba362e1c85311f432076c929cff0d853d6b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\md1ejlmw.default-release\cache2\entries\6A7E687573DFF9F86F6D223318F5B7DC3D0AA378

Filesize
110KB

MD5
7303791674840d75e71c613223173625

SHA1
61dbd95ea39870d7f7f6a5e93f0f030857634841

SHA256
5e9f95cf499e4982d67ffa513bc3440e1a643c2774819f9932fa2524cce743b0

SHA512
0bbbd10579440257e11364117349fcf9eb5bcf9bbcaa0cb0c92785edc1aba406cd1facd5c045fef983a491398b755167e6a56c3f58d6240bff96b2deae31f4b5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\md1ejlmw.default-release\cache2\entries\6E3D8940D64CA83850554C9A84791C72D7AE464E

Filesize
1.8MB

MD5
21b3d928b1927981156e366b8a2aa851

SHA1
acc535f49fa81d13eedb8e946bd800db833955f1

SHA256
35b7282545bc07c430bded78e08d99404589b76b8b8cee26925180df1dffb019

SHA512
ef839edbba610d3143b914ee68a7de4b3f23ae30b33a2c0a675c3c6d8badd51c2f81db10ac6e56814755eac1d35f8aafa71236a949da607d2b4644e4c50511a1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\md1ejlmw.default-release\cache2\entries\AF2DF3BDC931EDCB023BFD3F1961B3F992F0029C

Filesize
834KB

MD5
f2efdb7c4720372173bc3e2216b80b28

SHA1
eae3657a5a1c31164ba686eab09bbc893de10e7e

SHA256
72f34fd9ade6797c539a7dd392173c041a479822294cf0d16232d46eb0476705

SHA512
7174b39d571a2bde71f6b0dad511669fc1ba953257ad3b7f889ce151eb7fd6199f717c4b0683e55e284b85234ea1ec8ef291ce337c0532bd1fff3be556c485cb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\md1ejlmw.default-release\jumpListCache\UGp07D36SeQOMtjW6+Hil6nGpXk8HnpmPFoLVKm_Ga4=.ico

Filesize
609B

MD5
6e62ae713951b6193d202ddc3d2152cf

SHA1
abf75bd80bd84ed39792adf69dddb5a8b3b84bb4

SHA256
e5dc5320473de19e5255f32d0f9f352fcc23a03c254e82511999deac249d91cd

SHA512
8dff4541bb496449c0c0e93a1c60108dff8e8f7cea437b8027ce51bc22881a687597c511df4c32cabdd1c165aeb46b89c410e58563e18c449e84eddbbfa8725b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
7fb9561e4be7f23437ad1d1cc2a785a6

SHA1
44fffa946ecaf725a7fe7e7c42c8b218dc9c370a

SHA256
cd9047aa3f61ca0a2d7724344be06eddb5ebe3025a0a83d6902657312989d727

SHA512
e7b007cd868ddc96788d851b6a9fdaa7d04aaf5294fc6a231d2093a1f7ad90fe4c977836c8110295371cc259cd1ca8f139740c8a6972e7da098c4779e2ca2234

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
14KB

MD5
a2c902addfa2f2a495a95fd8a89cec0d

SHA1
e1cbd1860915cbedac7cea8cc6bc350e58f6c252

SHA256
357760fa2a5eb6d809a81bd2c08ca12085a72ae3582730150c60b2271d804046

SHA512
fb1e487d90352cc654ad51e7ef03009a0fd38518a128a0876a628b4983aeaa7636489d85c73b74973ef15b99bc321d8978471609622d1b20d54ae5d2353e8b1f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\AlternateServices.bin

Filesize
7KB

MD5
0f48485049eea7397642b26b839997f0

SHA1
205a636094512822d087368bf66d1528e91df7b1

SHA256
b3d5a8c784d1aedc31e774b0a539b7182957e6c167f79f93700de246a50b6d99

SHA512
1a56d3ce81b52eb975a2c18bba3d7b1ce09e7fae686d623da684dd301e1d69dd789eff20f009153023f8ab109a6b6044e87a0b39f742bfd7038f18a4e63d2baa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\datareporting\glean\db\data.safe.bin

Filesize
23KB

MD5
d0e3d65068b559d47d6121c0c7d20121

SHA1
63a9bb33f4b62f3079317ebc85d5937ae51db8e9

SHA256
c9d705cf1fab555d77717cd307c8c3a1085cf4ae0b1e900f64b637e7a5c9fcbf

SHA512
d79eeef95e7b1a0e331be3d4cb22eac3829e2fdc1d909660365dc4b7095b25d2708b60f38ebb254a3d9447b1f984a96554c538a68f254cfdc331ed008eb68495

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
410b467870c249dbf1afd3988821de60

SHA1
cab9113d51ecd326c86f3ff942f181e4f2e3c0ca

SHA256
8afffc8debbba53509ac35fe2167345dac5d03c7b4f5aaad0d9363303bae4d4d

SHA512
17e983a76c0052416508187c582b5c9095d68e2e1d6bc377898536a42c981b91730ed341709cf3f6df11b178d5d83ef94c47f8d5690073f324adea3a687c5396

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\datareporting\glean\db\data.safe.tmp

Filesize
81KB

MD5
76eb3f486fdfeefe3bab88382e29b41e

SHA1
441aa3502640129a5f7aa302a01380970198abaa

SHA256
472634fdbbe9a87b8f9ea0ee9c34b1a20e76a4b1ec3725977acf8cc21de7509e

SHA512
84feaa330481dee0ad058d01996376551e7a84f8459a0cdcb79a95c0bac9bd24f4959eaa0ed67ea5c68b7d40a1094f7cf1119cbf02f43ef98f6770d35b243bbb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\datareporting\glean\db\data.safe.tmp

Filesize
81KB

MD5
4350a184b13fda68bd5bd12e1aef3e1c

SHA1
cb0f6814ceb9b2725884a31dab29c8c2f78fb0dc

SHA256
3a178fd4ac9008701e92781fc782a825f032464e911f19c631e6bd9bbe83939d

SHA512
bffeebdc6b8aac83f6d4531531cf442994ee384ec64f0064bce1edbfb548643ccc184a19dcb820c85e5233072c5ad10db2f043e4c7a3100ab53977fb8549a491

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
589fe04a269b9db435736606c3aa075e

SHA1
8e88f8d5ec9f1fe5eab09ad8d57021267e47712b

SHA256
41c777f97877ead049cd63ada147724cdb9551bea7490ec3b04848823aba9c33

SHA512
e2a654d63fb435714ac56c67ef078e33ec9caa6b6604261e37348e4c0f481848b0564cd0735fc947aef7f0ad741d4951ffb60053f3090f825b457583125f9c42

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\datareporting\glean\pending_pings\2f88fe16-408d-4154-bab2-907517f266ed

Filesize
982B

MD5
33475ba5975bed9ae7055585a3395495

SHA1
ec7cf8f3cc8fb82c0d40f595eb12d16a77642fff

SHA256
d792467bb7cd209bb2eb0ce5c1f6ea3011c71cf51b18bb7fe9c57e4caa94048b

SHA512
47f36a4e0c2747dbd963a4d54d1e55b6d2b3c1c3d488f1271518f9b94e1a60f26bf7df2837909d3014c814f7d1aae82ea0d301b637448a59931e024a6756e9f8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\datareporting\glean\pending_pings\32bb2dbf-319e-42ba-a66a-bc42502417f8

Filesize
659B

MD5
20ced56826110b2cf6bf692f8f9acd44

SHA1
1eb4d0b0006e7f68eff8c7d02c024ef571ae2c70

SHA256
6d5262933f07c461e2ede62c9dafedc9a11bf7e95ffd3703f41d86521f76401e

SHA512
9829195719c44695c2cee8f76b00d579ca516fa80f0cb1c2b5d72f421fdd07ddc4b23f541d9bb250f5937e9a20c37b784006780ff2f4c7d0f26df863c9196154

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.sig

Filesize
1KB

MD5
36e5ee071a6f2f03c5d3889de80b0f0d

SHA1
cf6e8ddb87660ef1ef84ae36f97548a2351ac604

SHA256
6be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683

SHA512
99b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\gmp\WINNT_x86_64-msvc\gmp-widevinecdm\id\75306118\salt

Filesize
32B

MD5
911b30582da3fbbe46d8285016d61131

SHA1
872a26441661dd61d1d9ecc082c20ef467d40bc8

SHA256
5761473f51d91da34f8a68366525f21796ee2551672c9c81b345160471d11323

SHA512
13169ef9dedbe67222305e975064ac7e3bc2673573b94d3405b429ed6e821ec8ef51572aabafe61c06ecdb32089b0afc4b20e4af65b7f878e2ca893243d99009

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\prefs-1.js

Filesize
8KB

MD5
1c4daf039a271e5badf8eefa59491964

SHA1
c21e565ce21490bd9a5dd0c074021a856d31c775

SHA256
c66f7202dde01340779854140cc1faa4a41584d6dfad0099cbc27569dca11ebb

SHA512
d4e24ab8cec839e5f39d92ee42dc7ddbc7ab4ea08fc2915246fd376187e6b137818b50ed8d3f6e2334fc7b9e9c6b910dad96f31c9ae55ed52a351323e8567c7b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\prefs-1.js

Filesize
9KB

MD5
41508b6e336a00ba13eb01c857bd6f67

SHA1
b207b031df79cb1eb753c96bd9275e361aa7b7eb

SHA256
89b42af063402feaaf756c0c6447a074813fb71db52c5006806a671be1314c42

SHA512
0b7c605d3dec71dbbcf74806175fa68a1cd91e5cc672ccc69803a24f01431a3a6026f540e5a7d6381b406f8085cd3faf94bc9d41285937b4a2430f105b280957

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\prefs.js

Filesize
8KB

MD5
d4a8c157e8a4834867bb244678740426

SHA1
1573044e527433a08598ed1ca1353004dcd2c129

SHA256
a74f5e439662f22d48052783dc9a89b743374f6bccd789e5ff1c9d26834e9e69

SHA512
d81e1a3dbfe0cb8bd343fc2987a4e9be607d33ca06c25e2723b71d1c20305e948c212a97818b9eed43a07b2e6a994878fae044a6ea5c4553a287b194e5a8c042

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\prefs.js

Filesize
9KB

MD5
5bc3183882b4f911cc4ff82ff9b5a489

SHA1
f086c087a36926cb8793f7e678afa6b413d58d48

SHA256
254e6d0eb5be2a759d102d532b6153b0d895cedd5165faefb7632f0428021dda

SHA512
72e85b9e1a0d55c7cdf645f45ca93df0fd69f26bdf7e0dfecf7b2c6496cee3a9bb3364fc1b5b3d340db096ca0147361c337b929bd1b15014698f1a1f26c9cd1f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\prefs.js

Filesize
8KB

MD5
18090b8a8c81c57ce0c4c158b14b28c1

SHA1
0f26e0ff8cabb7e1f17241a24ed792201efffae6

SHA256
c11298205f1dd13c804151c4c1471ff0be55dc088767f6afc65f9292a1768530

SHA512
68f9d522d59b1b66bb2f81f207bc93d99b2254070477c6e3dda313411df120d8cc4af2f36c3c480774ebd7a99b164249dfaffc4f617fbd13f25c70a8934e89a6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
d337f66b6c42909b6fab359c062ede28

SHA1
f670d4c1e570ca9fb27e66ad1b8e2e679f831c3b

SHA256
fa10fdf96652558beeab83e24f64b1f6c29672684940a01d4163aa87d52f3d4d

SHA512
fdf93d2e720a8d8258f045be62495fc2ea1bfc19574d9d0a07d8b9539ed8edd0eb141e322d32cfe502909fb7984d32df4fab0f65fb90ea2ce127a2796f1e2d30

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
3fc66ec30e9f8a677678303ca8708705

SHA1
23ce97f6390741258f52ea160d11241ae44936d1

SHA256
4e1b59a49a9a442bfefc2a76caf467b3b8c684112b1989cdec27efd73ac08982

SHA512
60a84a75abdb45f0f3658cf000a701480ac60dfa328c5e9b7eb4df66007b1365c5053b1316aa2523eb7de6ce0959a01449eab7012e506f1db6f512b231228d1e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\sessionstore-backups\recovery.baklz4

Filesize
28KB

MD5
63f0069c6fbe809f64489f99fa0a2511

SHA1
1318edf6b296b37047044ce4f1a0914cf1c43469

SHA256
0547b05969ea2658f3ad3e826868628f543b0888f66dcafc5d38ae3361a2d40b

SHA512
574ee2f4ce32f7e5f1432334427985d59c44c7838d28a5db0c529802728c3ab8cdf22867f8cc333030f7d1b241dcea10a9528d5e2f0e9ca177eb64b607dac1d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\sessionstore-backups\recovery.baklz4

Filesize
29KB

MD5
5511f69099c153ed1c30b0e16b9215f1

SHA1
4fc1dc0740b5e37cb25ab58a01133a05fcc2b74c

SHA256
03656c9922d52e3447ffc25cfe9de24cf58fa7b8cc6ad6db3da687e92a2c38a3

SHA512
437c6d68c2c1994f5bd65df82ff424b78c92f2466f49208151ffe6069499be09cb89c87332180a03ba6a4246783dbca6c566e917d678faa789333a3b7a43eb6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\sessionstore-backups\recovery.baklz4

Filesize
29KB

MD5
06bbee3fd3c427c5ed80e1b381d8f2cb

SHA1
521b8064f80385d4fec0b919f225f6a79894391e

SHA256
90b4253c349986e29d3a2148c7e3578762b2f4fe230441b920403194b4487618

SHA512
50987fcb4d251dae67e09c9503893c3bdfa1d70e775b80f5df3b514c749b0f2a76861d30ae6207adea0cca6f7c69669196537a8e750457a968eaae23ccc8bae4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\sessionstore-backups\recovery.baklz4

Filesize
15KB

MD5
75caf9c2a32de6ea320a0d3e43e1f655

SHA1
4449edf26976d1804e2876cc83afb02aa22cb770

SHA256
c6f2aafe33adf6520044089d2939160e246a534bc967dfe389bd3a880d30b95c

SHA512
6e21c20627cb33bbf59a7334d50cd836be6b846e4a9bb654b310dc2e2db5ac025ff3d25d28e5dcb6db60aecfeafd8c82b8726cb1f4a0124c026b1c801b320d83

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
823b25d1aa981576e189ef123b981aa3

SHA1
605eb4dee3c211352e5701cad761ae7aac0da72b

SHA256
47df988ca9216f03c3735b10243ac4f03a255bd63cec87cc09b0c66d1504f30f

SHA512
8b3b5b6c32fb727a4bca0ee78d1eb5594fc28057690ca22ab80adf66664e56dfb134cb75cdf267bb3f50ae7f678f049eb93608d75b61c608ec7cd35966e0f1e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\sessionstore-backups\recovery.baklz4

Filesize
27KB

MD5
19033b0b04a53286e0aa6b041772bbb8

SHA1
b62c3719685030cf00a07c833369681af0da8619

SHA256
4368b6a3adc42407574416150e307a73dc97e07789f044232fe4ae8e347bfa41

SHA512
d7ec58758f40c22a217c33d41c885cb0e477bb6bc0663625bea7ed02e098d4a896729b59577795dc2ec800a9de140f7ad992f2d6e56c6426fa1c7a50580391cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\sessionstore-backups\recovery.baklz4

Filesize
29KB

MD5
5c1bbe34dbd272977df7e2f76c90b781

SHA1
83401f02f8c790728c302ddbda351a4e435e0188

SHA256
7a4f87151b8ae5edd83ed0e691fc9f5cd7e5a1f1fd2e7cd98cd45e8b2edaa722

SHA512
412ec916885286eaf14987e0a6991d1a7f93cd4f5e4108c6fb1c8797655d2f4660d6dc669ca4b2ed1498d988f25951fdf7d886d118ed3dcd61d654073efba376

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\sessionstore-backups\recovery.baklz4

Filesize
14KB

MD5
a919e03fc5d12c117bb1a732864b093a

SHA1
d6966cd35c6dbc6c6069b6ed50dbbbbdc6121265

SHA256
0017bd7a7ba6a30dc33ed03d82d4da463d1ced81c65c7463174de013176521a9

SHA512
2111784061bea9fafb9df29b7ba81643621c89c07392ff4925798bec6f8646cc09bcf07da5d0a0bce7f90de3f1bca1528e12b3cf86b07d853fb72a2627c5d7ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\sessionstore-backups\recovery.baklz4

Filesize
15KB

MD5
fd7a1bc27ce7c287c250014bf33bbccf

SHA1
b75e23848a433e922475222797f04b6e384439b0

SHA256
0b15808c096f348fbbbd7be4633cfffea04d3324647cdf847d88eab89eb08e19

SHA512
584744c1a1aeb1385e2599846c16cd66e0bf2f9aa7b516f6b9c7ffcbeaa5267b0f8ecd4c4b506e674c692533ba6006f4d438ea3befdadd532cecae9357db66b9

Download Submit
C:\Users\Admin\Downloads\42.kjwM61zi.zip.part

Filesize
41KB

MD5
1df9a18b18332f153918030b7b516615

SHA1
6c42c62696616b72bbfc88a4be4ead57aa7bc503

SHA256
bbd05de19aa2af1455c0494639215898a15286d9b05073b6c4817fe24b2c36fa

SHA512
6382ca9c307d66ab7566acf78b1afd44b18b24d766253e1dc1cb3a3c0be96ecf1f2042d6bd3332d49078ffee571cf98869c1284c1d3e5c1c7dc3e4c64f71af80

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
memory/3356-1199-0x00007FFD73FE0000-0x00007FFD74FE0000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads