discordrat | hxxps://www[.]mediafire[.]com/file/zi43s0v7eacciix/Custom+Theme[.]rar/file

Analysis

max time kernel
57s
max time network
92s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
20-07-2024 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/zi43s0v7eacciix/Custom+Theme.rar/file

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1ODA5NjQzNzA2MjAwOTA2NQ.GhJzhd.kk9R2GDudIgunSijVjaWQD6sIwY3-Lvdx3K_jA
server_id
1258096259378577508

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Loads dropped DLL 7 IoCs

pid	Process
3600	MsiExec.exe
3600	MsiExec.exe
3600	MsiExec.exe
3600	MsiExec.exe
3600	MsiExec.exe
3600	MsiExec.exe
3600	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Custom Theme.rar:Zone.Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4400	firefox.exe
Token: SeDebugPrivilege	4400	firefox.exe
Token: SeDebugPrivilege	4400	firefox.exe
Token: SeRestorePrivilege	2076	7zG.exe
Token: 35	2076	7zG.exe
Token: SeSecurityPrivilege	2076	7zG.exe
Token: SeSecurityPrivilege	2076	7zG.exe
Token: SeShutdownPrivilege	2944	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2944	msiexec.exe
Token: SeSecurityPrivilege	556	msiexec.exe
Token: SeCreateTokenPrivilege	2944	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2944	msiexec.exe
Token: SeLockMemoryPrivilege	2944	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2944	msiexec.exe
Token: SeMachineAccountPrivilege	2944	msiexec.exe
Token: SeTcbPrivilege	2944	msiexec.exe
Token: SeSecurityPrivilege	2944	msiexec.exe
Token: SeTakeOwnershipPrivilege	2944	msiexec.exe
Token: SeLoadDriverPrivilege	2944	msiexec.exe
Token: SeSystemProfilePrivilege	2944	msiexec.exe
Token: SeSystemtimePrivilege	2944	msiexec.exe
Token: SeProfSingleProcessPrivilege	2944	msiexec.exe
Token: SeIncBasePriorityPrivilege	2944	msiexec.exe
Token: SeCreatePagefilePrivilege	2944	msiexec.exe
Token: SeCreatePermanentPrivilege	2944	msiexec.exe
Token: SeBackupPrivilege	2944	msiexec.exe
Token: SeRestorePrivilege	2944	msiexec.exe
Token: SeShutdownPrivilege	2944	msiexec.exe
Token: SeDebugPrivilege	2944	msiexec.exe
Token: SeAuditPrivilege	2944	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2944	msiexec.exe
Token: SeChangeNotifyPrivilege	2944	msiexec.exe
Token: SeRemoteShutdownPrivilege	2944	msiexec.exe
Token: SeUndockPrivilege	2944	msiexec.exe
Token: SeSyncAgentPrivilege	2944	msiexec.exe
Token: SeEnableDelegationPrivilege	2944	msiexec.exe
Token: SeManageVolumePrivilege	2944	msiexec.exe
Token: SeImpersonatePrivilege	2944	msiexec.exe
Token: SeCreateGlobalPrivilege	2944	msiexec.exe
Token: SeCreateTokenPrivilege	2944	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2944	msiexec.exe
Token: SeLockMemoryPrivilege	2944	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2944	msiexec.exe
Token: SeMachineAccountPrivilege	2944	msiexec.exe
Token: SeTcbPrivilege	2944	msiexec.exe
Token: SeSecurityPrivilege	2944	msiexec.exe
Token: SeTakeOwnershipPrivilege	2944	msiexec.exe
Token: SeLoadDriverPrivilege	2944	msiexec.exe
Token: SeSystemProfilePrivilege	2944	msiexec.exe
Token: SeSystemtimePrivilege	2944	msiexec.exe
Token: SeProfSingleProcessPrivilege	2944	msiexec.exe
Token: SeIncBasePriorityPrivilege	2944	msiexec.exe
Token: SeCreatePagefilePrivilege	2944	msiexec.exe
Token: SeCreatePermanentPrivilege	2944	msiexec.exe
Token: SeBackupPrivilege	2944	msiexec.exe
Token: SeRestorePrivilege	2944	msiexec.exe
Token: SeShutdownPrivilege	2944	msiexec.exe
Token: SeDebugPrivilege	2944	msiexec.exe
Token: SeAuditPrivilege	2944	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2944	msiexec.exe
Token: SeChangeNotifyPrivilege	2944	msiexec.exe
Token: SeRemoteShutdownPrivilege	2944	msiexec.exe
Token: SeUndockPrivilege	2944	msiexec.exe
Token: SeSyncAgentPrivilege	2944	msiexec.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe
2076	7zG.exe
2944	msiexec.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 4400	3340	firefox.exe	71
PID 3340 wrote to memory of 4400	3340	firefox.exe	71
PID 3340 wrote to memory of 4400	3340	firefox.exe	71
PID 3340 wrote to memory of 4400	3340	firefox.exe	71
PID 3340 wrote to memory of 4400	3340	firefox.exe	71
PID 3340 wrote to memory of 4400	3340	firefox.exe	71
PID 3340 wrote to memory of 4400	3340	firefox.exe	71
PID 3340 wrote to memory of 4400	3340	firefox.exe	71
PID 3340 wrote to memory of 4400	3340	firefox.exe	71
PID 3340 wrote to memory of 4400	3340	firefox.exe	71
PID 3340 wrote to memory of 4400	3340	firefox.exe	71
PID 4400 wrote to memory of 2668	4400	firefox.exe	72
PID 4400 wrote to memory of 2668	4400	firefox.exe	72
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 4336	4400	firefox.exe	73
PID 4400 wrote to memory of 2616	4400	firefox.exe	74
PID 4400 wrote to memory of 2616	4400	firefox.exe	74
PID 4400 wrote to memory of 2616	4400	firefox.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.mediafire.com/file/zi43s0v7eacciix/Custom+Theme.rar/file"
1⤵
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://www.mediafire.com/file/zi43s0v7eacciix/Custom+Theme.rar/file
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.0.2022573165\1035041079" -parentBuildID 20221007134813 -prefsHandle 1696 -prefMapHandle 1688 -prefsLen 20767 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {95d02fad-1b9b-4c41-af36-e20098812e02} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 1780 1f821ad8e58 gpu
    3⤵
    PID:2668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.1.755422154\1278974256" -parentBuildID 20221007134813 -prefsHandle 2144 -prefMapHandle 2140 -prefsLen 21628 -prefMapSize 233414 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46830828-f537-488d-9c14-89d17f859266} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 2156 1f8219fb358 socket
    3⤵
    PID:4336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.2.1358023705\1285778400" -childID 1 -isForBrowser -prefsHandle 2900 -prefMapHandle 2916 -prefsLen 21731 -prefMapSize 233414 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e49ab47e-4aac-4c2b-b362-27505b5bbe34} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 2892 1f8257f5f58 tab
    3⤵
    PID:2616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.3.1397797081\1597326287" -childID 2 -isForBrowser -prefsHandle 3520 -prefMapHandle 3516 -prefsLen 26136 -prefMapSize 233414 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6128a443-e28b-4f04-8031-9970ae71af34} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 2680 1f8243b9358 tab
    3⤵
    PID:2192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.4.67986900\1796636821" -childID 3 -isForBrowser -prefsHandle 4844 -prefMapHandle 4840 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed1a6866-1f0a-40a7-9009-976b2fc044b0} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 4876 1f8281a0b58 tab
    3⤵
    PID:4572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.5.1573305052\1370933065" -childID 4 -isForBrowser -prefsHandle 5016 -prefMapHandle 5020 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c4299bf-e11d-4547-aa81-70d9d5c3d5de} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 5000 1f828342b58 tab
    3⤵
    PID:4948
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.6.2105036822\1335588767" -childID 5 -isForBrowser -prefsHandle 4760 -prefMapHandle 5320 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bbc3da6f-a381-4c17-860b-2d7e914f69fa} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 4832 1f828351958 tab
    3⤵
    PID:4124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.7.1314779915\1753770745" -parentBuildID 20221007134813 -prefsHandle 4360 -prefMapHandle 4356 -prefsLen 26410 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f254a4bf-c5af-42b4-b347-bb20134b45e3} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 9692 1f824029358 rdd
    3⤵
    PID:2976

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2620

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Custom Theme\" -ad -an -ai#7zMap7744:86:7zEvent18098
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2076

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\Custom Theme\Custom Theme.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2944

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:556
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4C7093BED3E794A8DA9AEF46D1FB47AA C
  2⤵
  - Loads dropped DLL
  PID:3600
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3796
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 601695011439E08B63EFE1C2A8122039
  2⤵
  PID:4496

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:4732

C:\Program Files (x86)\Custom Theme Group\Custom Theme\MSI Setup.exe
"C:\Program Files (x86)\Custom Theme Group\Custom Theme\MSI Setup.exe"
1⤵
PID:5136

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:5360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58eae9.rbs

Filesize
8KB

MD5
2991c555229f00e43fae3641dbf37019

SHA1
9be30d18b6b8caca2027273548e7e40d7cbe6bd6

SHA256
94003e64b7dfb8c50a5f04a0c6a12aaf915dd5c4336be4ae4c504c06cd543249

SHA512
9fb326a7e5e5ef6e8ad10d0ab41ac881328a920234e9c673d9941169b2f13e3ca04961676570f787988adb1a2a0b31c0c8853e55c0a8de97b92251a302704f49

Download Submit
C:\Program Files (x86)\Custom Theme Group\Custom Theme\MSI Setup.exe

Filesize
78KB

MD5
a5d78ceca0d1cf4f7c01570f52c87eba

SHA1
79a51625c12e3dc18f0df104e4b69c390780642a

SHA256
9bcaf3dbe98611f6cda0aa2e225777401746a802e53bd4b48f3d11637ed19c1a

SHA512
ce2fa48229eae4ee7ea6e707de5c244b9a645735731d2c9174bb65e272380b109ea709eac1c20fc5b5e004af0e340c44827a488b217ac14787ef4cc33a3cbc3f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
b658f40f7f4e3a4d1e0fc78a861e6758

SHA1
946bbe46a25294acb380e8a7ef21c7030880dada

SHA256
deecdabde7212dda95d103e8a28cc60444ab7066bba48e035f1cb9f19d801be5

SHA512
c45a0a1c38cd836e487012afe0fe49abed63ba7792afd636047dc331d498ceb7abac412a8f6304c2266f0c104b996ad0870c70d18ea088b0772dc44609bdaae4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
7KB

MD5
c460716b62456449360b23cf5663f275

SHA1
06573a83d88286153066bae7062cc9300e567d92

SHA256
0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0

SHA512
476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7124.tmp

Filesize
904KB

MD5
421643ee7bb89e6df092bc4b18a40ff8

SHA1
e801582a6dd358060a699c9c5cde31cd07ee49ab

SHA256
d6b89fd5a95071e7b144d8bedcb09b694e9cd14bfbfafb782b17cf8413eac6da

SHA512
d59c4ec7690e535da84f94bef2be7f94d6bfd0b2908fa9a67d0897abe8a2825fd52354c495ea1a7f133f727c2ee356869cc80bacf5557864d535a72d8c396023

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
00a50ae625fa884bd8f1058b4f55d271

SHA1
cec1020c6d47589802438b4add54fbf15ab760a0

SHA256
7b7d94c6ebc1839efdd5175826ff7a4607311ecf1c52fe3b0e845fbadd01ef7f

SHA512
f0462b24bab8ed46c6a24bdc4b6486d1507a9c86c71cb6a36f6cfb42efca6c5c7f73c6e3353ef1e2aa7649558fa40fd8ea0286588b5e8d2fa48228cc06333e9d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\b8266670-2bff-4003-ba1d-b77402940bf3

Filesize
11KB

MD5
33ebc45d82a23ab9f8fd55b629515d2f

SHA1
26fbfe08212ab888d065a4610960deb0657f82cb

SHA256
81254bd417a52e4e2cdf0f3dd2a061bc3270d04270da83175066495967572d82

SHA512
233dfc29b8057052fb286ed2891dcdbcf4ebbeea7499923f64ed2192b1bcdbb51792e5ef26467a509625fd08774934f1cf90d23a6b71b5ad9d8fe493b90ec592

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\f5d2cba1-266b-4810-a1c8-8f911f07eff2

Filesize
746B

MD5
ead9fb1483f4e800607eb9474ee82f9f

SHA1
640eb25a6890427d46e5d5719602dc651952904f

SHA256
6fa23eacc9c67b6009d67bd89d31bc1393fa9d41d7ad31079b18fb274321bcd6

SHA512
0e6a604f30682d582123d637550ed290a4ec570dc812ee328bfd0a5ec9cc82852b919c22de2bff8c1a8d215c04ee04d21e55a0d1d5b93ff1bd51c2b6aea116a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js

Filesize
6KB

MD5
dd8159022e0027ccd1c8acf8dddef2dd

SHA1
f86469979042ffed1fc0653ddab65a5b6f0743e0

SHA256
2afd09b4064e19376a772653245e9f3dcb45a143c4a72d6cd51196a78686eb2e

SHA512
d7be3c3af9709b41ae2c752b23183448ad4b50f8fb50060ee14fb35c106118420ab61e3d0311547766caa4f2bafa8d82757bc63fdb8681bc2e06603fcc9fd79c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js

Filesize
6KB

MD5
24bf10b7a52ad613e81753cbd066e093

SHA1
6acb0731a829a58403d60637ab8dab58f19852ec

SHA256
0ae2b90ae49cb2da69e782cf82324d3203c9d06934eadb251e030889cdf31fb7

SHA512
cb02362203f77b67a8bed8788c12725805377d36f9099fa77ec7585f61009dd6085341d9accfd6a17c415a2da6a86f0ebde77ee8e22263aca11a33ae42b769f3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js

Filesize
6KB

MD5
36ec90c7478629016a48326ad657df50

SHA1
b651349254d2cc4b61c7d9809ed50e854c6357f5

SHA256
ec7ded2a547fb6ff7601d6a031bd7dbbddea7e1f01a6ff1a3fbcebba585c7d76

SHA512
0aab50f2f6d3a3a737136870c6d9dc162e70069c517082392a4a07a65d4cf6e0998e0db41aba9a7fe3173fcf177e2d6f5d2bd452cbe50970e714b01123f00d40

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs.js

Filesize
6KB

MD5
94afb9a0b8cf69c80d65300c8d9e6dfa

SHA1
b81a06a7e6471555dbb9d86217dc0b206b5b8fef

SHA256
0f67620c0ff78e767f81fda15dbcd5b4676b9737abc6352c41d5f9fbea3d5b2b

SHA512
714319179aa2c5631c3e816485372e9345caafc26e0ac174ec9d2a81a3a2b7f4e0c663b7c1cb0815cccc58cb7f6709da4b5a76cc79cca993b8ca9bb0df707924

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
0778a44f571aff2c2b20a48560ca9d1a

SHA1
48fdfcf24bd83a6f8176f40d4cb977c27aa41e59

SHA256
bb04ee760a2524496e8ca25d7d55e07ef569bfd0ed0bded72f6c6be4ba62ffbb

SHA512
a04479c381b4d5205486d7a59b94b8d36581f0faffcbfa3fb3d59e25bb592aa6b9f1537d7f3986bd088dc92aa69ac544be6b874f97c4468069ffbb605b8d7979

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
83995d2213142a5146e8f7f18c10ffcf

SHA1
1981ee19951b7e54f904b6a28e63245336a08e83

SHA256
c76f3d94c966cbf8f5246b4029d639fa4e256c9c7c1991e293dde5c6e26a2cb1

SHA512
5d50e9d63c4d1700b0e70433993400430eeabe8ccc6d287f4eb99ce16a5fe7d697a2bcec74adbf7d935eebecc61e46b62cba09b54020c31bb1a6db6be23020b9

Download Submit
C:\Users\Admin\Downloads\Custom Theme.eKFREjy2.rar.part

Filesize
561KB

MD5
b4105bbe8c0855e7062f231a5ebab3b7

SHA1
d815e28ec0e12df5903724f5c9114bc7943b2948

SHA256
144ce56abbd5e2377f3c3218763cb2f27cb334515838be32ca0514995fd5f706

SHA512
a91ceeb7d691f707c9fba9ac15f0269ed6b6f3da214beb5d7a66985ec5b37d1ca990a27c65d3f44260a96b5c2c2928f4528e6a9296e3849c43722bae390b1230

Download Submit
C:\Users\Admin\Downloads\Custom Theme\Custom Theme.msi

Filesize
1.9MB

MD5
3a6d228f64408b62459124daf05bb83f

SHA1
a0c43230ae4eb0611052b78053214a5e8898a9a4

SHA256
90673e8a84408b0bf7c029cf6b3c1394a52bb32f318770a0328d7904256e7643

SHA512
1cfc629d234cb97a40c154a3beeef2f822bbf86c6d90c8df026cf249afd6b7b062ce7a0f6f1b8e787a3972848b42b5320c1ed7ff99c91e00c1d494d412c52c13

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
26.0MB

MD5
7cbc37fff226d689e8b70298f74f826f

SHA1
218b5b6e7c3b6dd9be13dabbd29899e79e91793c

SHA256
9227377a15af100038abc8dfae53b2ca1afc4d2c53f084ba79b0bf6b126a1852

SHA512
b150824e3850fa901347f15d03f52a64da167706c9e7a877df7f94d4cfd0a24088794df4a6e909b5f56d7e87bc3660664c8aa6d340dcccb53bc09cf223ecc4bf

Download Submit
\??\Volume{4f38e779-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{9bd18b63-8c75-4f44-a50d-4ffe66255ac6}_OnDiskSnapshotProp

Filesize
5KB

MD5
daf3db9823b60f7df24c7b1ad5718cce

SHA1
d6884bd1e05c116578f9413a091f2eae49aa1bab

SHA256
1c5e1afafe3b64719459dd5d1c01e1dc121a2c3498d6f331d32c0c89db7932f4

SHA512
db88f873dd87e7b4ae31568803f06100f05b01571b17baefd481a889f8203d724063c2306a40843e65688a29e02100a0a4a67b183b894de34935e5f19d46c27b

Download Submit
memory/5136-496-0x000001D766870000-0x000001D766A32000-memory.dmp

Filesize
1.8MB

Download
memory/5136-495-0x000001D74C0A0000-0x000001D74C0B8000-memory.dmp

Filesize
96KB

Download
memory/5136-497-0x000001D7679C0000-0x000001D767EE6000-memory.dmp

Filesize
5.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads