cc745d334b563aebf3cf1c866df885fdf1cd05864ce61c706b5209b79a03f03f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 17:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

3.1MB
MD5

24710bb2afdf72850a921abbfc35e065
SHA1

28adba2c9a6fcd63c651dc1bb0b2c623190077c9
SHA256

cc745d334b563aebf3cf1c866df885fdf1cd05864ce61c706b5209b79a03f03f
SHA512

3b4300ad1add38ff9aab78753b0b25a7c2bf0febbf6eb53dc7fdafdac8b9128313265dc8f3f199efa012c2059eb7f117c79168d803cc8ae8b13a03efb4778bf8
SSDEEP

49152:J7uqUqIgAldFgcTbF1PwVE8ydA1nHdj5gR0CZ7ntviq1DNGv2FwwM:1uqrIpBgcXFVvzW9jDcRiq1RGuawM

Score

9^/10

credential_access discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	random.exe

AutoIT Executable 15 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3152-358-0x0000000000970000-0x000000000145A000-memory.dmp	autoit_exe
behavioral2/memory/3152-369-0x0000000000970000-0x000000000145A000-memory.dmp	autoit_exe
behavioral2/memory/3152-370-0x0000000000970000-0x000000000145A000-memory.dmp	autoit_exe
behavioral2/memory/3152-454-0x0000000000970000-0x000000000145A000-memory.dmp	autoit_exe
behavioral2/memory/3152-1499-0x0000000000970000-0x000000000145A000-memory.dmp	autoit_exe
behavioral2/memory/3152-2455-0x0000000000970000-0x000000000145A000-memory.dmp	autoit_exe
behavioral2/memory/3152-2458-0x0000000000970000-0x000000000145A000-memory.dmp	autoit_exe
behavioral2/memory/3152-2465-0x0000000000970000-0x000000000145A000-memory.dmp	autoit_exe
behavioral2/memory/3152-2466-0x0000000000970000-0x000000000145A000-memory.dmp	autoit_exe
behavioral2/memory/3152-2467-0x0000000000970000-0x000000000145A000-memory.dmp	autoit_exe
behavioral2/memory/3152-2468-0x0000000000970000-0x000000000145A000-memory.dmp	autoit_exe
behavioral2/memory/3152-2469-0x0000000000970000-0x000000000145A000-memory.dmp	autoit_exe
behavioral2/memory/3152-2470-0x0000000000970000-0x000000000145A000-memory.dmp	autoit_exe
behavioral2/memory/3152-2476-0x0000000000970000-0x000000000145A000-memory.dmp	autoit_exe
behavioral2/memory/3152-2477-0x0000000000970000-0x000000000145A000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	5056	firefox.exe
Token: SeDebugPrivilege	5056	firefox.exe
Token: SeDebugPrivilege	5056	firefox.exe
Token: SeDebugPrivilege	5056	firefox.exe
Token: SeDebugPrivilege	5056	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
5056	firefox.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe
3152	random.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3152	random.exe
5056	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3152 wrote to memory of 4224	3152	random.exe	86
PID 3152 wrote to memory of 4224	3152	random.exe	86
PID 4224 wrote to memory of 5056	4224	firefox.exe	88
PID 4224 wrote to memory of 5056	4224	firefox.exe	88
PID 4224 wrote to memory of 5056	4224	firefox.exe	88
PID 4224 wrote to memory of 5056	4224	firefox.exe	88
PID 4224 wrote to memory of 5056	4224	firefox.exe	88
PID 4224 wrote to memory of 5056	4224	firefox.exe	88
PID 4224 wrote to memory of 5056	4224	firefox.exe	88
PID 4224 wrote to memory of 5056	4224	firefox.exe	88
PID 4224 wrote to memory of 5056	4224	firefox.exe	88
PID 4224 wrote to memory of 5056	4224	firefox.exe	88
PID 4224 wrote to memory of 5056	4224	firefox.exe	88
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 1584	5056	firefox.exe	89
PID 5056 wrote to memory of 3584	5056	firefox.exe	90
PID 5056 wrote to memory of 3584	5056	firefox.exe	90
PID 5056 wrote to memory of 3584	5056	firefox.exe	90
PID 5056 wrote to memory of 3584	5056	firefox.exe	90
PID 5056 wrote to memory of 3584	5056	firefox.exe	90
PID 5056 wrote to memory of 3584	5056	firefox.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1956 -prefMapHandle 1932 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {10657fbc-bec9-4ad1-9652-ce3acfe70ae8} 5056 "\\.\pipe\gecko-crash-server-pipe.5056" gpu
      4⤵
      PID:1584
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2456 -prefMapHandle 2452 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {196058f6-8d48-40c7-9760-009b7d791f16} 5056 "\\.\pipe\gecko-crash-server-pipe.5056" socket
      4⤵
      PID:3584
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3264 -childID 1 -isForBrowser -prefsHandle 3288 -prefMapHandle 3296 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5eaa638e-f07d-498f-bafa-7ca004a14688} 5056 "\\.\pipe\gecko-crash-server-pipe.5056" tab
      4⤵
      PID:540
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2772 -childID 2 -isForBrowser -prefsHandle 3652 -prefMapHandle 3648 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93b1659f-adef-4197-8698-084df7894f5a} 5056 "\\.\pipe\gecko-crash-server-pipe.5056" tab
      4⤵
      PID:412
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4596 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4572 -prefMapHandle 4568 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfdfb7b5-7e24-4401-8f99-899093f074b7} 5056 "\\.\pipe\gecko-crash-server-pipe.5056" utility
      4⤵
      Checks processor information in registry
      PID:4992
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 3 -isForBrowser -prefsHandle 5420 -prefMapHandle 5292 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc5e49d0-f848-4812-ac37-9adc0ad9d639} 5056 "\\.\pipe\gecko-crash-server-pipe.5056" tab
      4⤵
      PID:1604
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5456 -childID 4 -isForBrowser -prefsHandle 5596 -prefMapHandle 5600 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2caea2a6-4b15-4a80-86ff-652d30736ab0} 5056 "\\.\pipe\gecko-crash-server-pipe.5056" tab
      4⤵
      PID:1736
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5772 -childID 5 -isForBrowser -prefsHandle 5780 -prefMapHandle 5784 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bfec680-9865-4817-b548-dc8420f4bfb8} 5056 "\\.\pipe\gecko-crash-server-pipe.5056" tab
      4⤵
      PID:3168
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6204 -childID 6 -isForBrowser -prefsHandle 6196 -prefMapHandle 6192 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ef67f0c-2355-4c42-a984-c2e7545cab74} 5056 "\\.\pipe\gecko-crash-server-pipe.5056" tab
      4⤵
      PID:3996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\activity-stream.discovery_stream.json.tmp

Filesize
18KB

MD5
c116e5da67f8f74b006adecb4973f5b6

SHA1
d7ee957f86c413bbf65885fe077aba00f467cad7

SHA256
8036171f7341e581389f93cd04c6d2598866eb7cae7803ea26c4cb0059f33a64

SHA512
005ef0f573758c67f7173b65b25ce303047a696106d5c80b559cc314749dbe3409ce922205996c9a67c518755130ba1d3fe7bb568e54ff77b37be6bafc5ee691

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

Filesize
13KB

MD5
d4abaccf3d854fb6d5fc79a5b0d1e8d9

SHA1
181bf7aec93c0e799a10976309ef8c5c70a665e6

SHA256
125ec0eb5812ce55b47948c0ffb755e90bcf0f3261c5bc7e3790256b2d85018f

SHA512
d2fe257744fc32458351c49f0063c6d6f10a86921d1cbe0c78e99489f128de29afb2606f47040d2fb59a02593a4938ca10ff122a4e9ae516ecad43ad68ee74b7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

Filesize
13KB

MD5
39812235aeca3b85a61e9d1b7f0fa922

SHA1
f0606004e5b1af9446cef3ebad37a141896cbf78

SHA256
a740875dd567f169ee9ce6d88e2dac47b083b54e9db2c818e6acb9b3bfe910b0

SHA512
9a2a368f221a595afd407862fe7e1c3d16cdec0785f3e9e665bfd258f1c91d552a21e8e5e9c3d9a844e129627641f4658d7f8ba3791a82a14182ca23ae6e4b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

Filesize
16KB

MD5
6eb235dcf02a9a9408f33d594caa18cd

SHA1
d10711d10e5c7826dcfbeb908f055500e80b1332

SHA256
d9bdec7b52e4aa7fb1960a97fae796f0ea384ffb883148449c60796509156f0e

SHA512
dc3fc110170c051a69f5abd248d26c95f518d20385fc957dc1812422e3aef8e2f85cfbceedd83aaa19e3e385749aa352893ba51f32d014a1b25e7e37f382ac14

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

Filesize
10KB

MD5
24103e370ee494c6de6febce2851c6af

SHA1
f6c06975acc7306739197ea93f096f3c4cc0debd

SHA256
9cbd50d9e706c22b650585815aa601271837b3c2e5cf0310df14468983ca4995

SHA512
2dd77bcee7297c6f51b6ff1f28bcba16a523b80d5edf4ae04f24261a7ce00e46a9caaff95bd8fb967892ad80e13fcdebd147a2e29c83e064c9bb8d454ea71c3c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
9d986bc076a6d4225789fee4d850cf85

SHA1
653da6461ec87cfcd548df8587eed65be4f7ab2c

SHA256
3bf20ac94dd482efaefb9f2fb86a99e51ab961a7d9441a0c57a05f0439e735b0

SHA512
3c37e9f6c6766ce40860b8f47f3922d96c90fe6124bb0c002dd667cec542f89d7273b114cb3eaf621879793f9c8a63f0d20996c33700b458471724fb23fc47fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
976dbef5035c5f248ea9c14619da9397

SHA1
b9f5d01cae404d737f76bc822bbd517816e17f4c

SHA256
c30580550d05f5c6cda0bc7d827f0a1cf3bc665692dd1526c0c6380a90ee9826

SHA512
a135ac2b66ce31f2954ad48846d6bcf5248929b37ca437d3a63c3259918fe1fca0f98d36dab183d5b7f52de92ab38ee2792845a1802809f52c96f1893352781e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
1c89871d8fce23fc1fc790de124de62c

SHA1
2018e0fb7fe39113b2ea0dcc6492e97c7d089bb4

SHA256
5b7a17aac254a7eb8acc2a27320a15cf5689f7feb36a9eabffaeba0a073031e7

SHA512
4ccbc694023357be5b3256d4e886f369ecc3296a5ec1da721eb681ac7b406b3add502d47dcbaa36f9dce5822cdaa56981a21661c1f02d9625332efc44c900dd0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
6fbfe1c1c3a3be60f2b3bb9bc25f7280

SHA1
228f18b3d45d73de2374a31059f60beca2c5e2d6

SHA256
35dbac95e7adf2421dd5408fbf6a0f345bf6e3687b2f92f8442db7b6604ed9f8

SHA512
e49efbce63a27c60b7794bea5730fdcb7ab96dea1e449549c2111a5f5cf9d757b18a039ce56a9f1885592b591a2fd49ac1e31fac0645a47516c9af334916a90a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\54e6e9bc-9103-4ae3-8bcb-72616feaa319

Filesize
982B

MD5
3e27ce4622c9a5bd59c0151a7765b160

SHA1
47d04bac62c48f3be6460676d204dace19dcf8e1

SHA256
5a3888632e2d66babdb7e9ee0d172aa88964b75a49220508278e3ee41fcc2d36

SHA512
79acd9ebdfebbe99da5f5d01d060f2586e1335bf64746378f1925606379e7911de6ce31586c84b4f0e4f88128f7efa01c84846f330d02443cb9bf7983dc98c5f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\5e5fec2c-f4c1-431d-b0ee-803357b3376b

Filesize
27KB

MD5
b2d5d713b79f2a498a3a443c84c7675f

SHA1
41db37eba67bb7b5882bcde2f598200aff583468

SHA256
bf52442ea2a2585bb590f4bfe11d433885e16d34f9cb59cb225b89459fb77436

SHA512
4b2e9a8448ce3ac964de979755e9380a979c37997a627b5bfc6c3359875fc8201ebcc69242145458b36b13700bbd2074cb26e38027d792c52c88e4a9ad282b37

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\e380c0d1-cf65-42bd-adcb-627d4f4fe014

Filesize
671B

MD5
bcd96c6d53c300ba4a25acb73e60d702

SHA1
7caaba182386f279470aa13d2ab39a1bdeff4a07

SHA256
1b7c560d47b4663c6a8f03bf2c145b22a199d06bd31b4121b3334ba4bebc14ef

SHA512
062458bb35f52d45a3a0073a9c551a8664f60c89d4beb08d8adec2284e19010b3a428c2af44dedb1b0318178228968df88c84d5837d7d1a4845079a3cf6313f4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

Filesize
13KB

MD5
c9ae0f5b2db0e891a6ba1a729774bb39

SHA1
3a17837683117a40f152f7e286e6c26f77184e5c

SHA256
f946db657dcd37e3a6c75f92b36037dcb4dc3ba987c9ae7b62b9edc99648ac06

SHA512
08212ab8b391c7d023e03b10e7ba053cf26442bec06ea3c8f688944406023aa561f741f91812a6710dad2ea2c2bf256dbe068ccac18fbe5a8798e712cc6a6faf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

Filesize
16KB

MD5
4d80fb6c2410dda3cb5971feb9fad41c

SHA1
040123d74d0033a96f43db488e02d6386c6b749f

SHA256
87c2c1553f94475dadcee8c236614c0dcf690a332eda3c83836a41598f61afa9

SHA512
4f96b5e21c2a51423f7b2ce35a02e5da198df78d10e41a817b377d336e16d3320a03e9be3f822c5d17df89a05a3bf2cbd42af452293c5cefec7687ca21f1d183

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs.js

Filesize
11KB

MD5
633f8dc5ddea1ab0d8965a0d2513bf15

SHA1
bc26b094e684c825932e75d8942361bcec7f5b22

SHA256
41919dd5749b0e16e775ce8afb19a8e7d77511c45bf119dd2e8ac8950b9630f1

SHA512
fe0a142113d169d309592b6eb2c311ddb5c5a790c4b316a09c11e9d279bb3e0ea2852d84213454774f6ad11ad488ac3b486049a04960927f676f4018fcbc28f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.6MB

MD5
fda53d78da26b39e2bc86fc1ff8d4d2c

SHA1
fa502172a3aa95170ea77bd34d825256f015ac03

SHA256
fac2d4104a31ffe3c3c9c1d79dd0ec017c220b9f369b7de81065ccbe57e321e6

SHA512
101d2fe3915433bd37aa251e4402ff5323275cbc6c051e1ab753bf2fdd2b515407c2019746859795f69749d95e9406c9b9abaa541db8978ce700946f20b5ff30

Download Submit
memory/3152-2458-0x0000000000970000-0x000000000145A000-memory.dmp

Filesize
10.9MB

Download
memory/3152-1-0x00000000FF940000-0x00000000FFD11000-memory.dmp

Filesize
3.8MB

Download
memory/3152-454-0x0000000000970000-0x000000000145A000-memory.dmp

Filesize
10.9MB

Download
memory/3152-370-0x0000000000970000-0x000000000145A000-memory.dmp

Filesize
10.9MB

Download
memory/3152-358-0x0000000000970000-0x000000000145A000-memory.dmp

Filesize
10.9MB

Download
memory/3152-0-0x0000000000970000-0x000000000145A000-memory.dmp

Filesize
10.9MB

Download
memory/3152-2-0x0000000077C72000-0x0000000077C73000-memory.dmp

Filesize
4KB

Download
memory/3152-1499-0x0000000000970000-0x000000000145A000-memory.dmp

Filesize
10.9MB

Download
memory/3152-371-0x00000000FF940000-0x00000000FFD11000-memory.dmp

Filesize
3.8MB

Download
memory/3152-2455-0x0000000000970000-0x000000000145A000-memory.dmp

Filesize
10.9MB

Download
memory/3152-369-0x0000000000970000-0x000000000145A000-memory.dmp

Filesize
10.9MB

Download
memory/3152-2465-0x0000000000970000-0x000000000145A000-memory.dmp

Filesize
10.9MB

Download
memory/3152-2466-0x0000000000970000-0x000000000145A000-memory.dmp

Filesize
10.9MB

Download
memory/3152-2467-0x0000000000970000-0x000000000145A000-memory.dmp

Filesize
10.9MB

Download
memory/3152-2468-0x0000000000970000-0x000000000145A000-memory.dmp

Filesize
10.9MB

Download
memory/3152-2469-0x0000000000970000-0x000000000145A000-memory.dmp

Filesize
10.9MB

Download
memory/3152-2470-0x0000000000970000-0x000000000145A000-memory.dmp

Filesize
10.9MB

Download
memory/3152-2476-0x0000000000970000-0x000000000145A000-memory.dmp

Filesize
10.9MB

Download
memory/3152-2477-0x0000000000970000-0x000000000145A000-memory.dmp

Filesize
10.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads