discordrat | 9ddd3757585f55bea693a536e7ec6c4de0fd46f7df565f9cf6d10e339af2e845

Resubmissions

13-07-2024 19:37

240713-ybwfxavapr 10

13-07-2024 19:36

13-07-2024 19:36

13-07-2024 19:34

13-07-2024 19:29

Analysis

max time kernel
146s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2024 19:29

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

rostrap.exe
Size

78KB
MD5

c806f00fa32f343f9849c77003bb4cc1
SHA1

4a80c5b110f93d9dbcc85885bbf231de5ac8ace6
SHA256

9ddd3757585f55bea693a536e7ec6c4de0fd46f7df565f9cf6d10e339af2e845
SHA512

bac500e08913263bcabab7622eb7d00443d3d426cee9000edcd7b6089cf6e42be2a6b8f93fa60ef703b5400016febf8fb4c922ff17f2c80024a39450440deeb4
SSDEEP

1536:Q0QhcOUX0RU1uB3Yec0OIwbJNrfxCXhRoKV6+V+ttD:Qojj03wbJNrmAE+DD

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI2MTcwMjM0NDQ4ODUyMTgwOQ.GyJxES.iPPznz14IbFotKTZ3KViTwuS9T3PzEb13fnomo
server_id
1261715255004762132

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs

Web Service

T1102

Processes:

flow	ioc
5	discord.com
24	discord.com
142	discord.com
152	discord.com
153	discord.com
154	discord.com
21	discord.com
86	discord.com
101	discord.com
149	discord.com
6	discord.com
141	discord.com
151	discord.com
23	discord.com
95	discord.com
150	discord.com

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

rostrap.exefirefox.exe

description	pid	process
Token: SeDebugPrivilege	4852	rostrap.exe
Token: SeDebugPrivilege	3264	firefox.exe
Token: SeDebugPrivilege	3264	firefox.exe
Token: SeDebugPrivilege	3264	firefox.exe
Token: SeDebugPrivilege	3264	firefox.exe
Token: SeDebugPrivilege	3264	firefox.exe
Token: SeShutdownPrivilege	4852	rostrap.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

firefox.exe

pid	process
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

firefox.exe

pid	process
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

3264 firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 2316 wrote to memory of 3264	2316	firefox.exe	firefox.exe
PID 2316 wrote to memory of 3264	2316	firefox.exe	firefox.exe
PID 2316 wrote to memory of 3264	2316	firefox.exe	firefox.exe
PID 2316 wrote to memory of 3264	2316	firefox.exe	firefox.exe
PID 2316 wrote to memory of 3264	2316	firefox.exe	firefox.exe
PID 2316 wrote to memory of 3264	2316	firefox.exe	firefox.exe
PID 2316 wrote to memory of 3264	2316	firefox.exe	firefox.exe
PID 2316 wrote to memory of 3264	2316	firefox.exe	firefox.exe
PID 2316 wrote to memory of 3264	2316	firefox.exe	firefox.exe
PID 2316 wrote to memory of 3264	2316	firefox.exe	firefox.exe
PID 2316 wrote to memory of 3264	2316	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 2620	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 1656	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 1656	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 1656	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 1656	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 1656	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 1656	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 1656	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 1656	3264	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\rostrap.exe
"C:\Users\Admin\AppData\Local\Temp\rostrap.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Windows\SYSTEM32\SCHTASKS.exe
"SCHTASKS.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
2⤵
PID:3944

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2316

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3264

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2040 -parentBuildID 20240401114208 -prefsHandle 1956 -prefMapHandle 1948 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {acadceef-b600-4543-a8d8-6e6bdc2bb191} 3264 "\\.\pipe\gecko-crash-server-pipe.3264" gpu
3⤵
PID:2620

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2440 -parentBuildID 20240401114208 -prefsHandle 2432 -prefMapHandle 2428 -prefsLen 25789 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2684574a-fa36-4fc7-8dda-81e6b1f728a2} 3264 "\\.\pipe\gecko-crash-server-pipe.3264" socket
3⤵
PID:1656

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3280 -childID 1 -isForBrowser -prefsHandle 3304 -prefMapHandle 3036 -prefsLen 25930 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e09a20d8-396c-4b3c-a94c-e3f9e4311ad0} 3264 "\\.\pipe\gecko-crash-server-pipe.3264" tab
3⤵
PID:3800

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2756 -childID 2 -isForBrowser -prefsHandle 3640 -prefMapHandle 1404 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {896b7977-95cd-4605-b0d5-6544c2ac90a7} 3264 "\\.\pipe\gecko-crash-server-pipe.3264" tab
3⤵
PID:4616

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4776 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4620 -prefMapHandle 4604 -prefsLen 31163 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {714be6d3-8f6b-4e4a-ba60-047545dbaf62} 3264 "\\.\pipe\gecko-crash-server-pipe.3264" utility
3⤵
- Checks processor information in registry
PID:4748

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5376 -childID 3 -isForBrowser -prefsHandle 5368 -prefMapHandle 5332 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9140b48b-cfae-43a1-84fc-09062de77722} 3264 "\\.\pipe\gecko-crash-server-pipe.3264" tab
3⤵
PID:4948

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5508 -childID 4 -isForBrowser -prefsHandle 5516 -prefMapHandle 5520 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {219445b4-fc28-460f-bae2-010f49f8d2cc} 3264 "\\.\pipe\gecko-crash-server-pipe.3264" tab
3⤵
PID:1544

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5700 -childID 5 -isForBrowser -prefsHandle 5708 -prefMapHandle 5712 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb624284-f72e-4525-b1fc-09bd4dbdc719} 3264 "\\.\pipe\gecko-crash-server-pipe.3264" tab
3⤵
PID:3760

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6148 -childID 6 -isForBrowser -prefsHandle 6140 -prefMapHandle 6112 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9bc85f7-2d95-469d-be52-a2ade22db70b} 3264 "\\.\pipe\gecko-crash-server-pipe.3264" tab
3⤵
PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4cs2motb.default-release\activity-stream.discovery_stream.json.tmp

Filesize
18KB

MD5
f2020bc6f3bbcc3c7e5245043a13109b

SHA1
73eefdcd8ac9721b5356d0309d339f2730760a9a

SHA256
dcfa2216e13f069c4bdff3533a2e30dcdab81a8652c1a681895242e931583cab

SHA512
ee243ec59362ce22a03814adc6802c3e821421b15e67877fd204bb6f47546f1b43a54bd56a3d49ad7f1dee424ef4d26e4ebc64dbe160d5165c8cb5dff0b55f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\AlternateServices.bin

Filesize
7KB

MD5
cf19ebf0f7a4ea8e651a4695ae94abd1

SHA1
2b0e3542d680fe6c8cbd546d6b3afa3ad703a391

SHA256
5f2d33d596fd910c8a9dcaffc14f8504f72fbae5f0712b4fbb5c541207deefed

SHA512
145b056687a97535fa9aee8cd966181d92c21a79f5f74f39af21a7b2c43a4dbfa9007f65183874aea3288e0784dbe9b0aacb92ed9486b80a6e234f5198624bf2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\AlternateServices.bin

Filesize
12KB

MD5
462939ecb4e0c044cf5f5664cf1161fe

SHA1
0d9e3c9b1c172cbd7a917e64695d8208a9e8dcba

SHA256
7e0cfde5e1bfc83516144a61801edb3b43216793047431d0bcf1a612bd80f2d2

SHA512
39600d9512f3cce3eadeb78f5cebfa15ce20aa5f8b7a9fcc35425e0f2328bd46d271a345869b9327e27a14285629aecefa679b2bb87885d142c1f8c7a2bbe6bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
d4cd2f321e00cf79878ddd9e8883444b

SHA1
1211bbf5964772fd34f7e98c099d8a2555abf070

SHA256
dda2da879482ac6487a2957c2a88f834e3e148e26a5dc5a39f614423b8a207c2

SHA512
7ca5ab702c38f6673c7074bb37bee54c2612cc6c8e3c9f136bbe92058870edb86b0f05c5139cbaff76d4709025e1eea6aa9ed795d9712b5845dcd212aecd2e55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
50c7ab6430329929fc5ed2752ca5e479

SHA1
cda2a6234a3af31d46ed5b6c5a4dd748e299f12a

SHA256
57c2985cfb0f0086f2a467faded5f5fefbe7eb0dfb0d7484ed40e39d69deccc7

SHA512
885858de14e534468c7f5b41efb9bead34173064c79a5f03e8fdd25a5fc7719e298c616d418b4fbe8e42a853dbbb6da4a5630da4241e00afd50b2acf911a05a6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\pending_pings\29f0d218-3359-49c2-a895-97a36911643c

Filesize
23KB

MD5
de2ba37830d88b36b7e152049f73b697

SHA1
0deaaf164282a126b7d477e5611994824679dbd0

SHA256
1d3bd501938b605457a9d68700fb2e1bdd3d620c9baa9d8b00f85a8588e88c44

SHA512
db6481638d6538b4ddfa61442108568139883dfcf2d02f428fc3b7beb6cd0c6f427013eb392ce8caa34fd517ef9573f414c9b74969594a117d5c9106275eec64

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\pending_pings\86f621b7-d619-4bbe-b5c6-3629d852ba60

Filesize
671B

MD5
ba9b930281689d8a2d72dc49d1c1caa0

SHA1
e38bafadbda4eaf34a65945a66fd78eff8e2bcc4

SHA256
221e8494d3026e957640d6a07bf2cddcd632d1a034f7031dd18c44d4805b09a8

SHA512
a3636aec00d7cfc0a62742cf5b99d984e70c2c6cbc177393a35ecb7c7f38fdb5e7cd7ec3b2e6bcad0864db63feb596372387e595b23748ae34a863344a6a784f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\pending_pings\e5260d1e-16e6-4737-870d-ffac4af4c34a

Filesize
982B

MD5
10b6bfbedca6f33fc0b8dc6ccf9e529e

SHA1
1639992d0c52998b601444c0709a6b9c40f4a423

SHA256
75448a4cdefff0f9299381b5e3ad8076f5a90b8075cb7e7e5237463dd46acddc

SHA512
4ad69af20cee8b45490ebf321f60bb51f4341abe07d907e10d30164e503596599d28729387631d3326342860b502af8085e82aa02af8840c537daca89ece2dfb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\prefs-1.js

Filesize
11KB

MD5
0ceee1b8f4188674bce50722e27a8036

SHA1
a5f378d3d32c5740057269aa127c3e0b6937352c

SHA256
7482af9eb0d8432ddf1b4ae915e50f97535484e2fecfd9ca7912856ef381dff5

SHA512
5a349ec615980695ade168dcc16e706b91240dd5a575b3844f08c81524e1d9cfe9176c2d9cd64c3a07cb98e84ed99bd31e67fcc5ab7fd8d7ffbd8c0a1bb62520

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\prefs-1.js

Filesize
12KB

MD5
9b61ac3137c12212ac354c3eae225746

SHA1
6fc2503f6b72ca48bff6096c04104c58341c4e85

SHA256
a576d4d636dd72f97db2a401682029c775280ad23f895907fc896a8acaf72ce9

SHA512
e1c7d1cbdca9d590d8177aa12ae54ee82f4127c9851d870af59a31a05e41faeb90bcb9bb8656fc7a1498e255dc453ad52441860ce4756c4d6547225d16cfe87d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\prefs.js

Filesize
8KB

MD5
3fbd80dbc60304266c44aec7dae8d29b

SHA1
4e6bf0453eece7a82fcf9323905bc36528029370

SHA256
f187a8378d3c7e72efca982135786e264056246faaed755f4f91024a93e0b4e9

SHA512
f00505c0c1a07c405c21e9bd9936abd9aec51b2867e50d5afd0b0fa432f93a23230c8c634277b7bf93be0ee8673bb778b828503f39558ce520156d7203eb2192

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
8271de264dcdeb3a9505fef3a437c477

SHA1
44a448a39c6bfae248b1de4ab723c5860ef37ec0

SHA256
27cb044546ab4b67c2c2c533ec05dee415f0332fe5da41be308463cfe8af3869

SHA512
26ef2c39ca51fc51630217843e9c06ab1e9b668aaab32c00ce0c64374101901a860e60ca193a624ea052c8f7fc8c8c87101d2a9a6247502263e57b4b42875957

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
eccf0c7fba7a337ffd9ea80a5920e2d8

SHA1
2558d288e31f4a761df22690f346aeb02a3ba2bc

SHA256
a70dc9415a853adf77dcaec0540445771be1d90b152253ee16047f7a43db1fe7

SHA512
c0cbf67c0ad77bb31c62cc106eb6001c0d81c8e272be020db8a3d73f35e023947a0291a0039b2cac54f17c18ebb81b1948af1b9b281d4cb74bbef823f11d8f34

Download Submit
memory/4852-4-0x000001FEB8330000-0x000001FEB8858000-memory.dmp

Filesize
5.2MB

Download
memory/4852-2-0x000001FEB79F0000-0x000001FEB7BB2000-memory.dmp

Filesize
1.8MB

Download
memory/4852-1-0x00007FFBF2473000-0x00007FFBF2475000-memory.dmp

Filesize
8KB

Download
memory/4852-0-0x000001FE9D3B0000-0x000001FE9D3C8000-memory.dmp

Filesize
96KB

Download
memory/4852-3-0x00007FFBF2470000-0x00007FFBF2F31000-memory.dmp

Filesize
10.8MB

Download
memory/4852-354-0x00007FFBF2470000-0x00007FFBF2F31000-memory.dmp

Filesize
10.8MB

Download
memory/4852-301-0x00007FFBF2473000-0x00007FFBF2475000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads