88f28ccb15fd5c8e688f19bffd92be4be0e60b96876b2b6ca19ff5e56bc6cd16

Analysis

max time kernel
148s
max time network
151s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
25-06-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

structorizer.exe
Size

8.3MB
MD5

2e17832ca5e8a88a6c20fa8fe9204ded
SHA1

355e063226f0412db56999a47855ad2978611563
SHA256

88f28ccb15fd5c8e688f19bffd92be4be0e60b96876b2b6ca19ff5e56bc6cd16
SHA512

2b6bef95af9a28fff1afcc069052a38785567e552d572d5832c13d6518349dd877ba455cd40d6aab5e366a6c32b427c2b580126b9692133bd255ee5b3caf2f4d
SSDEEP

196608:EPygQH4NfYIdkW+pDwAsDlXHXXWwdVkgOghf9wv+zsuc:IyToYIqW+pDNuXHXmGWM9wv+zC

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1792	structorizer.tmp
2256	structorizer.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2520	icacls.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies registry class 40 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\.nsd\OpenWithProgids	structorizer.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Structorizer.arr\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Structorizer\\structorizer.exe\" \"%1\""	structorizer.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Structorizer.arrz\ = "Structorizer PRoject"	structorizer.tmp
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Structorizer.arrz\shell\open	structorizer.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Structorizer.nsd\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Structorizer\\structorizer.exe,0"	structorizer.tmp
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Structorizer.nsd\shell\open\command	structorizer.tmp
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Structorizer.nsd\shell\open	structorizer.tmp
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Structorizer.arrz\shell	structorizer.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Structorizer.arrz\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Structorizer\\structorizer.exe\" \"%1\""	structorizer.tmp
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\.arr	structorizer.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Structorizer.arr\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Structorizer\\structorizer.exe,0"	structorizer.tmp
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Structorizer.arr\shell\open\command	structorizer.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Structorizer.arrz\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Structorizer\\structorizer.exe,0"	structorizer.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Structorizer.nsd\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Structorizer\\structorizer.exe\" \"%1\""	structorizer.tmp
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Applications\structorizer.exe\SupportedTypes	structorizer.tmp
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\.arr\OpenWithProgids	structorizer.tmp
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Structorizer.arr\shell	structorizer.tmp
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\.arrz\OpenWithProgids	structorizer.tmp
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Structorizer.nsd\DefaultIcon	structorizer.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Applications\structorizer.exe\SupportedTypes\.nsd	structorizer.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Structorizer.arr\ = "Structorizer PRoject"	structorizer.tmp
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Structorizer.arr\DefaultIcon	structorizer.tmp
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Structorizer.arr\shell\open	structorizer.tmp
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Structorizer.arrz\shell\open\command	structorizer.tmp
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\.nsd	structorizer.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Structorizer.nsd\ = "Structorizer PRoject"	structorizer.tmp
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Applications	structorizer.tmp
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Applications\structorizer.exe	structorizer.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\.arr\OpenWithProgids\Structorizer.pck	structorizer.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Applications\structorizer.exe\SupportedTypes\.arr	structorizer.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\.arrz\OpenWithProgids\Structorizer.pck	structorizer.tmp
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Structorizer.arrz	structorizer.tmp
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Structorizer.arrz\DefaultIcon	structorizer.tmp
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\.nsd\OpenWithProgids\Structorizer.pck	structorizer.tmp
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Structorizer.nsd\shell	structorizer.tmp
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\.arrz	structorizer.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Applications\structorizer.exe\SupportedTypes\.arrz	structorizer.tmp
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Structorizer.nsd	structorizer.tmp
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Structorizer.arr	structorizer.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1792	structorizer.tmp
1792	structorizer.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	960	firefox.exe
Token: SeDebugPrivilege	960	firefox.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
1792	structorizer.tmp
960	firefox.exe
960	firefox.exe
960	firefox.exe
960	firefox.exe
960	firefox.exe
960	firefox.exe
960	firefox.exe
960	firefox.exe
960	firefox.exe
960	firefox.exe
960	firefox.exe
960	firefox.exe
960	firefox.exe
960	firefox.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
960	firefox.exe
960	firefox.exe
960	firefox.exe
960	firefox.exe
960	firefox.exe
960	firefox.exe
960	firefox.exe
960	firefox.exe
960	firefox.exe
960	firefox.exe
960	firefox.exe
960	firefox.exe
960	firefox.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2516	javaw.exe
2516	javaw.exe
1588	javaw.exe
1588	javaw.exe
1588	javaw.exe
1588	javaw.exe
960	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 1792	3192	structorizer.exe	74
PID 3192 wrote to memory of 1792	3192	structorizer.exe	74
PID 3192 wrote to memory of 1792	3192	structorizer.exe	74
PID 1792 wrote to memory of 2256	1792	structorizer.tmp	76
PID 1792 wrote to memory of 2256	1792	structorizer.tmp	76
PID 1792 wrote to memory of 2256	1792	structorizer.tmp	76
PID 2256 wrote to memory of 2516	2256	structorizer.exe	77
PID 2256 wrote to memory of 2516	2256	structorizer.exe	77
PID 2516 wrote to memory of 2520	2516	javaw.exe	78
PID 2516 wrote to memory of 2520	2516	javaw.exe	78
PID 2516 wrote to memory of 1588	2516	javaw.exe	80
PID 2516 wrote to memory of 1588	2516	javaw.exe	80
PID 1140 wrote to memory of 960	1140	firefox.exe	83
PID 1140 wrote to memory of 960	1140	firefox.exe	83
PID 1140 wrote to memory of 960	1140	firefox.exe	83
PID 1140 wrote to memory of 960	1140	firefox.exe	83
PID 1140 wrote to memory of 960	1140	firefox.exe	83
PID 1140 wrote to memory of 960	1140	firefox.exe	83
PID 1140 wrote to memory of 960	1140	firefox.exe	83
PID 1140 wrote to memory of 960	1140	firefox.exe	83
PID 1140 wrote to memory of 960	1140	firefox.exe	83
PID 1140 wrote to memory of 960	1140	firefox.exe	83
PID 1140 wrote to memory of 960	1140	firefox.exe	83
PID 960 wrote to memory of 2760	960	firefox.exe	84
PID 960 wrote to memory of 2760	960	firefox.exe	84
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85
PID 960 wrote to memory of 4448	960	firefox.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\structorizer.exe
"C:\Users\Admin\AppData\Local\Temp\structorizer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Users\Admin\AppData\Local\Temp\is-3TVKG.tmp\structorizer.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-3TVKG.tmp\structorizer.tmp" /SL5="$50206,7895888,780288,C:\Users\Admin\AppData\Local\Temp\structorizer.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Users\Admin\AppData\Local\Programs\Structorizer\structorizer.exe
    "C:\Users\Admin\AppData\Local\Programs\Structorizer\structorizer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Programs\Structorizer\Upla.jar"
      4⤵
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2516
    - - C:\Windows\system32\icacls.exe
        
        C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        5⤵
        Modifies file permissions
        
        PID:2520
    - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
        
        "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Programs/Structorizer/Structorizer.jar
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1588

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.0.1574065030\1026016586" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6f9a103-c754-4503-8120-9798db0ab438} 960 "\\.\pipe\gecko-crash-server-pipe.960" 1780 204956f0a58 gpu
    3⤵
    PID:2760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.1.428846597\1985331853" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71be28e5-5c8b-4c7b-8be5-3e0fc87dda2c} 960 "\\.\pipe\gecko-crash-server-pipe.960" 2136 20483272558 socket
    3⤵
    PID:4448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.2.1081399814\1501446974" -childID 1 -isForBrowser -prefsHandle 2872 -prefMapHandle 2644 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {92c10723-ac41-4e4c-859d-f8aa395bb37a} 960 "\\.\pipe\gecko-crash-server-pipe.960" 3012 20499696e58 tab
    3⤵
    PID:1344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.3.1142097229\473973580" -childID 2 -isForBrowser -prefsHandle 3424 -prefMapHandle 3408 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {85c35764-2a29-42b2-9af8-4c33c268ecfa} 960 "\\.\pipe\gecko-crash-server-pipe.960" 3436 20483262858 tab
    3⤵
    PID:1592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.4.170572890\1692915988" -childID 3 -isForBrowser -prefsHandle 4440 -prefMapHandle 4436 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a6f2192-6252-4d6c-94d2-d4b6dc835e40} 960 "\\.\pipe\gecko-crash-server-pipe.960" 4452 2049a799258 tab
    3⤵
    PID:2656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.5.79418689\1538541003" -childID 4 -isForBrowser -prefsHandle 5088 -prefMapHandle 3660 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8e51d9c-ac37-4777-991a-bed0143cc6fa} 960 "\\.\pipe\gecko-crash-server-pipe.960" 5112 20499ed7458 tab
    3⤵
    PID:1652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.6.2129426675\428292863" -childID 5 -isForBrowser -prefsHandle 4224 -prefMapHandle 1536 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ab0b818-ca31-4cf3-a3f3-36d08f6aca56} 960 "\\.\pipe\gecko-crash-server-pipe.960" 4700 2049bfdeb58 tab
    3⤵
    PID:3864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.7.176870410\1976728997" -childID 6 -isForBrowser -prefsHandle 5292 -prefMapHandle 5296 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ac321cf-ad2e-43a0-ab52-94c024150894} 960 "\\.\pipe\gecko-crash-server-pipe.960" 5280 20483266258 tab
    3⤵
    PID:1452
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.8.1861555907\2054596778" -childID 7 -isForBrowser -prefsHandle 5712 -prefMapHandle 5708 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {00a21f8a-e8fb-48ec-96c7-7e20ec7743c5} 960 "\\.\pipe\gecko-crash-server-pipe.960" 5720 2049d6c0658 tab
    3⤵
    PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
8072878909eb571ee799f041f12d306f

SHA1
3003832253aa1349d71cc11e98650503bceaf5b2

SHA256
c0c3efb736035ec4586fb9caab1759226b64789f53f1128193cb07fbda301f0d

SHA512
ef4a4af6dfb0bda3fd4fdc5d3e5a3758fc6700cc7c691c127f920f070d90d2e48c226053b6849b489e395298c042334f474d1b7d7c0142405392a70ad0cb0e01

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\C6A6389A9162CEB2E1F41436B370871FECA58F75

Filesize
60KB

MD5
8edefd78ad666826cf1a537f4853d945

SHA1
f4238388f94fa7f7549e9b5e0abea09877945bf3

SHA256
5cee8b3345dfb1851f3c078d70ff05cf6d15889f6ae72091a4d7bfc441c11ae3

SHA512
1554783fe05122522997216250be7d243b2c4c777e7eabaecec7e8d1ccf4f89932e1a46f3f825138b2f1adce56a92b40f7b2383736073ea53a65f49e9851503c

Download Submit
C:\Users\Admin\AppData\Local\Programs\Structorizer\Structorizer.jar

Filesize
7.5MB

MD5
d5502720a5a39d24d5cfdd032ab14245

SHA1
4072643e2570aecf1c15c6fdc34ec67f285b41cc

SHA256
f325b5cf9907264f8164d2eb53778be55c6dd9d0374624d7ea460d3c518617c0

SHA512
63343459c8811c8cc64f720241c7f371ccb5bea64abcd8b58e6b69a5e1c4cf4f97d209ed23659127ac01428bcb01f99f16e2bf4c85fa8e1f4354acf65b49c46f

Download Submit
C:\Users\Admin\AppData\Local\Programs\Structorizer\Upla.jar

Filesize
88KB

MD5
4d8facc7ba48d79133b170bfda257c30

SHA1
3b8919c8b2b91b99a7ced87290df0f181b186486

SHA256
c87451c90396e9772e563b18491396134620025553ba9d2369c02931486345e5

SHA512
391e792982d6038b7ce080117cfe9de7761a63d983677c59bf9ebd583becad7eeafad828e2f7cef93c5d3ca5152962d6c54effeb1b1eed85619f2e03df2d1460

Download Submit
C:\Users\Admin\AppData\Local\Programs\Structorizer\structorizer.exe

Filesize
31KB

MD5
731559701a98785f49ee5f1c3cecfec4

SHA1
7d9e690db2e28b5ded482bdc6e91edf2c83df195

SHA256
8b245a205731c041624d1c4f52ceb7c10d735772a250574cdabfc749c88b27d3

SHA512
1c19b34703827254d1499a16dd88dc13de87c78b0cde53f8b48ef593c1f9b25b57f35f0d329dfc821d9d9d064950588e999cee362ca1347bddee53c121a96cce

Download Submit
C:\Users\Admin\AppData\Local\Programs\Structorizer\upla.ini

Filesize
288B

MD5
2880977941cf6c0114298a2766eb16ef

SHA1
a0a69dc162f101de3f829ba4192caa4d80f43b54

SHA256
f39e952830ac998518d745cd398bcd2338641dec2045c192dcd8e8cb74dff3ae

SHA512
013f09bdfc45b779fd7dc9dff54e8ae855a9e6672061bd6f605828b445e6584e6a30905f4e9419233e20af4500edce17c810d3dd00f8de6942393b18fcd81822

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3TVKG.tmp\structorizer.tmp

Filesize
3.0MB

MD5
b504e376bcbc84c43aecff21549dae08

SHA1
0f8aab26d732364400477795a8fc31ade4aacfe0

SHA256
f0733357232c9341613e1a7328ccab89888fdde1344f8bbc6d49b24857e72b73

SHA512
1a543ff3522346284720d9fc33cd04a32cf935f57b1a68cbe991b63c9a1910873f628a8eaf9018872c7c51341b451fdf009729c8a33296211da135a929da9524

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
07883c07380d1bae478192dba8e0caad

SHA1
89d0e49ca275daea4a63fde44fd1092e000c9ad0

SHA256
8e8b620e9629b23eec4445cd6e9f1b663041ba918f2abb45168f1b9151720d5f

SHA512
2099ac4a3dfb659356c3e62518cc5548c0ae77c9be831957c7c5c9d69090e8896fca9a7e3db3b07e769bbec24250a368b9d83ff8f66abdc330e99b2a35fb6ea4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\35e6d591-c27b-4d3c-8e87-8ae81d54fb3c

Filesize
746B

MD5
6920a2c1dfe38a2b63e60224c134d0e6

SHA1
b342bd158c025fe9481a459c9e1cb5ca533034f2

SHA256
78bb373944d49e24e4e8f23649b16cbdb3955b50a20f4a61945b08186d555cc4

SHA512
761d54a6ce099d4d76deea94c3e3d73d58c3b2efaac6ae4a541f2fcff33d0c59c112ec11dd522f6a5bb610e61927b02b4c8c520dab4c33f0c4de4d268070d5ef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\d2db3701-0efa-4de9-a5b6-f0ad0b537edb

Filesize
12KB

MD5
9ef805ee35eca31a67080ca9e5a643d3

SHA1
f99da7e9b597ce492904a5915b43e791eb8ecaf5

SHA256
4da51b74ce7990c42a3b3664d7f368eeef5669bc66aff86ac0ffe91b884b236f

SHA512
7c02232742f20981c601fb95108c1732f6faa6d57f0323b6c86767f470785d99937cf5cd1a3928b1f05f6952175c4ce16e6b8669ee6b2111d7b0472b7262c50a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js

Filesize
6KB

MD5
e20d664416d98c57ca42c2ddb1b7a832

SHA1
a2b36114d31da5f708cbb2f00bf2de572aa30140

SHA256
15e8ca662dc7b3408989cbe57a0efe50217b8aea275de7369f46b4ebc188f6e6

SHA512
79f174d7fa6246c82d6690a558242ccda29a8e0c03892d7aeb835afaeaa0848d56d4cc7e98ef414327b142b64be6157ce82e5c20e4584b388fe3c02eabacfa05

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
a83010730b821e9f110f48309bd97b06

SHA1
c63945105a46ebe9cff4d89870b5f8214fd94a1f

SHA256
d13cca326a0d734a3c516eed01ab96ccb0502447740a3463db509de6bdd5027f

SHA512
4097afef90e7e7f4bb06c307cb7f1c0021fb61cd49677fd06d7e009e35d80e5bc980bb885fedc6a1091eb8cd19845214df1acae049f15995bf248113c3855a58

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
dc2cdbf72014b0e059420c67053b03c1

SHA1
97f2238815e1061c4d5dd474ee6b8be2627e1a1f

SHA256
d6e6ccf5257a142c50573e1bd291791d122b2190d05802fbb651ad93a1f43048

SHA512
46df265eb2877187d211b29bd0c1632b50e4f506f5082689fcdd2d7a7d1f2bb498e0a6fa289741a1b4dbd2a124400157ce33b71a5ff3887c812dd65b38adaf94

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
17dd1001e01a36e8fe779c1892193106

SHA1
a8c26f21145e0dafa9e5a5ce4aac0bf1aa31b0dc

SHA256
e1c2adf18f649184bc587b8b75dc84af2aed3dc5bc6ea118b1d0d161ebdccd59

SHA512
dd076509b8b477de2ee66d6ac8f863adbe0f7e6a83102be7357780020a956134a5125b4480ab791be234bae0f2fbb6990236dd1caed303169256ad0b1c1231d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
b71684ebb72957fb6de5ccd7176d0281

SHA1
b4366f2349b212bbc42cd40938ec384c9b516993

SHA256
b4104f924bba6bfb45f9814e3f3de4fce97fa71400481ac47ca33b0e138eb921

SHA512
62c751d2c8ca4afe173e23006dad8353777fd9df9638d16b1e7580cd64911057782dc2eebefc484e26bcb1d67fae5e3d2759006eb4c60d5724fd3fb3559c0a23

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
731c0e733fe1e3123d366af7c8e578ae

SHA1
9756304ea773dd9cd96e5996dc79de2ed6a9ae9c

SHA256
8f426b4be5e3440fa14d37480f018b7dc3d1a547b0e91c2fbfc6e31d9054a359

SHA512
d29e0f2356a3226f64692b390c122d4d70f09f677d9f5d086f2babaeba6574d670171edb24ff52f928871ec489680f57910e21fac1ca8ec08783a07d21b1f427

Download Submit
memory/1588-119-0x0000025F9E170000-0x0000025F9E171000-memory.dmp

Filesize
4KB

Download
memory/1588-134-0x0000025F9E170000-0x0000025F9E171000-memory.dmp

Filesize
4KB

Download
memory/1588-141-0x0000025F9E170000-0x0000025F9E171000-memory.dmp

Filesize
4KB

Download
memory/1588-153-0x0000025F9E170000-0x0000025F9E171000-memory.dmp

Filesize
4KB

Download
memory/1792-9-0x0000000000400000-0x0000000000707000-memory.dmp

Filesize
3.0MB

Download
memory/1792-70-0x0000000000400000-0x0000000000707000-memory.dmp

Filesize
3.0MB

Download
memory/1792-6-0x0000000000400000-0x0000000000707000-memory.dmp

Filesize
3.0MB

Download
memory/1792-36-0x0000000000400000-0x0000000000707000-memory.dmp

Filesize
3.0MB

Download
memory/2256-41-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2516-146-0x0000021C3A800000-0x0000021C3A801000-memory.dmp

Filesize
4KB

Download
memory/2516-108-0x0000021C3A800000-0x0000021C3A801000-memory.dmp

Filesize
4KB

Download
memory/2516-60-0x0000021C3A800000-0x0000021C3A801000-memory.dmp

Filesize
4KB

Download
memory/3192-71-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3192-0-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3192-8-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3192-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download