8c892da6ff496b2ff80d3722c33bdb2d4141169c5b501d03d69528356f4db0b7

Analysis

max time kernel
164s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 18:49

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

beautiful-fantasy-wallpaper-ultra-hd-wallpaper-4k-sr10012418-1706506236698-cover.png
Size

295KB
MD5

4555d00284f879169308118fb368a70c
SHA1

22c04eab1b1ddbcd17ff7f1edc8e58aa7d8f2270
SHA256

8c892da6ff496b2ff80d3722c33bdb2d4141169c5b501d03d69528356f4db0b7
SHA512

ed723244e211b64a1b38fb8a8a47323c4ca4e04b52330b7c301c1b9c1d28a4d90a1eefb59410f1ee689b6fc4b7bcc0353550c81e1de27a754ad6ac0a12a241af
SSDEEP

6144:LCXFR/CyHaw54M1gU0oCp7IZmFE6YPGj0cAPV4ZLyOTFjuwz:LCXFlCyHZ4MSU0oCiZsTYOTAPUGOluwz

Score

8^/10

bootkit defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	winrar-x64-701.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	geometry dash auto speedhack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	geometry dash auto speedhack.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 8 IoCs

pid	Process
400	winrar-x64-701.exe
5672	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
1336	geometry dash auto speedhack.exe
3152	geometry dash auto speedhack.exe
852	geometry dash auto speedhack.exe
6100	geometry dash auto speedhack.exe
6092	geometry dash auto speedhack.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	geometry dash auto speedhack.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXa2348.25383.rartemp\geometry dash auto speedhack.exe:Zone.Identifier	WinRAR.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geometry dash auto speedhack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geometry dash auto speedhack.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rev	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rev\ = "WinRAR.REV"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR archive"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext32.dll"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,1"	uninstall.exe

NTFS ADS 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXa2348.25383.rartemp\Geometry dash auto speedhack.bat:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXa2348.25383.rartemp\geometry dash auto speedhack.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\Downloads\MEMZ.4.0.Clean.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\memz.by.iTzDrK_.rar:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2348	WinRAR.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2640	firefox.exe
Token: SeDebugPrivilege	2640	firefox.exe
Token: SeDebugPrivilege	2640	firefox.exe
Token: SeDebugPrivilege	5372	uninstall.exe
Token: SeDebugPrivilege	5372	uninstall.exe
Token: SeDebugPrivilege	5372	uninstall.exe
Token: SeDebugPrivilege	5372	uninstall.exe
Token: SeDebugPrivilege	5372	uninstall.exe
Token: SeDebugPrivilege	5372	uninstall.exe
Token: SeDebugPrivilege	5372	uninstall.exe
Token: SeDebugPrivilege	5372	uninstall.exe
Token: SeDebugPrivilege	5372	uninstall.exe
Token: SeDebugPrivilege	5372	uninstall.exe
Token: SeDebugPrivilege	5372	uninstall.exe
Token: SeDebugPrivilege	5372	uninstall.exe
Token: SeDebugPrivilege	5372	uninstall.exe
Token: SeDebugPrivilege	5372	uninstall.exe
Token: SeDebugPrivilege	5372	uninstall.exe
Token: SeDebugPrivilege	5372	uninstall.exe
Token: SeDebugPrivilege	5372	uninstall.exe
Token: SeDebugPrivilege	5372	uninstall.exe
Token: SeDebugPrivilege	5372	uninstall.exe
Token: SeDebugPrivilege	2640	firefox.exe
Token: SeShutdownPrivilege	3152	geometry dash auto speedhack.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
5428	WinRAR.exe
2348	WinRAR.exe
2348	WinRAR.exe
2348	WinRAR.exe
2348	WinRAR.exe
2348	WinRAR.exe
2348	WinRAR.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
5372	uninstall.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
5428	WinRAR.exe
5428	WinRAR.exe
1336	geometry dash auto speedhack.exe
852	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
3152	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
852	geometry dash auto speedhack.exe
1336	geometry dash auto speedhack.exe
3152	geometry dash auto speedhack.exe
3152	geometry dash auto speedhack.exe
1336	geometry dash auto speedhack.exe
852	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
1336	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
852	geometry dash auto speedhack.exe
3152	geometry dash auto speedhack.exe
3152	geometry dash auto speedhack.exe
1336	geometry dash auto speedhack.exe
852	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
852	geometry dash auto speedhack.exe
1336	geometry dash auto speedhack.exe
3152	geometry dash auto speedhack.exe
3152	geometry dash auto speedhack.exe
1336	geometry dash auto speedhack.exe
852	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
1336	geometry dash auto speedhack.exe
3152	geometry dash auto speedhack.exe
852	geometry dash auto speedhack.exe
1336	geometry dash auto speedhack.exe
3152	geometry dash auto speedhack.exe
852	geometry dash auto speedhack.exe
208	geometry dash auto speedhack.exe
852	geometry dash auto speedhack.exe
3152	geometry dash auto speedhack.exe
1336	geometry dash auto speedhack.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2640	2000	firefox.exe	90
PID 2000 wrote to memory of 2640	2000	firefox.exe	90
PID 2000 wrote to memory of 2640	2000	firefox.exe	90
PID 2000 wrote to memory of 2640	2000	firefox.exe	90
PID 2000 wrote to memory of 2640	2000	firefox.exe	90
PID 2000 wrote to memory of 2640	2000	firefox.exe	90
PID 2000 wrote to memory of 2640	2000	firefox.exe	90
PID 2000 wrote to memory of 2640	2000	firefox.exe	90
PID 2000 wrote to memory of 2640	2000	firefox.exe	90
PID 2000 wrote to memory of 2640	2000	firefox.exe	90
PID 2000 wrote to memory of 2640	2000	firefox.exe	90
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2848	2640	firefox.exe	91
PID 2640 wrote to memory of 2128	2640	firefox.exe	92
PID 2640 wrote to memory of 2128	2640	firefox.exe	92
PID 2640 wrote to memory of 2128	2640	firefox.exe	92
PID 2640 wrote to memory of 2128	2640	firefox.exe	92
PID 2640 wrote to memory of 2128	2640	firefox.exe	92
PID 2640 wrote to memory of 2128	2640	firefox.exe	92
PID 2640 wrote to memory of 2128	2640	firefox.exe	92
PID 2640 wrote to memory of 2128	2640	firefox.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\beautiful-fantasy-wallpaper-ultra-hd-wallpaper-4k-sr10012418-1706506236698-cover.png
1⤵
PID:468

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f1a5ffc-b497-438e-91f9-41654a987254} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" gpu
    3⤵
    PID:2848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2444 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a98fb329-8200-47bf-a057-b300b97f97f2} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" socket
    3⤵
    - Checks processor information in registry
    PID:2128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2932 -childID 1 -isForBrowser -prefsHandle 1716 -prefMapHandle 1720 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4fac3a15-6e55-41a6-8070-93695b6b68db} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab
    3⤵
    PID:908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3956 -childID 2 -isForBrowser -prefsHandle 3952 -prefMapHandle 3948 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cce6b332-2a9e-438b-9af0-8edc4242f655} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab
    3⤵
    PID:684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4968 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4832 -prefMapHandle 4900 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2eab25df-c609-4040-91d2-ff2c5ccd5c9e} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" utility
    3⤵
    - Checks processor information in registry
    PID:1340
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5296 -childID 3 -isForBrowser -prefsHandle 5264 -prefMapHandle 5272 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {910c7c0c-098e-4c07-900d-436397a8e844} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab
    3⤵
    PID:1752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 4 -isForBrowser -prefsHandle 5424 -prefMapHandle 5320 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b1e0b99-6cd3-4b2c-81b3-9471cf53c6c7} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab
    3⤵
    PID:2340
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5604 -childID 5 -isForBrowser -prefsHandle 5684 -prefMapHandle 5680 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fb3d488-99f3-458e-bcf7-b3c906d671cd} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab
    3⤵
    PID:4368
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3928 -childID 6 -isForBrowser -prefsHandle 6468 -prefMapHandle 6460 -prefsLen 27506 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2e24487-69e5-497b-8e51-44469bd662a3} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab
    3⤵
    PID:1448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -childID 7 -isForBrowser -prefsHandle 4568 -prefMapHandle 5540 -prefsLen 27506 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15467136-d546-4371-9ea9-f760a0a38994} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab
    3⤵
    PID:4664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6832 -childID 8 -isForBrowser -prefsHandle 6812 -prefMapHandle 6816 -prefsLen 27506 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1426f5a-5d18-4294-8e80-178cc7defed0} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab
    3⤵
    PID:2868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5728 -childID 9 -isForBrowser -prefsHandle 5580 -prefMapHandle 6792 -prefsLen 27506 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e66f9fd2-94c4-4fe7-a54e-80fa99cb551a} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab
    3⤵
    PID:5112
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6492 -childID 10 -isForBrowser -prefsHandle 1820 -prefMapHandle 5984 -prefsLen 28333 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {34f56f2d-a2ac-4776-93cb-0c7ac0b7852c} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab
    3⤵
    PID:4960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7188 -childID 11 -isForBrowser -prefsHandle 6500 -prefMapHandle 4720 -prefsLen 28333 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35831340-f148-481b-803a-79259683c51b} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab
    3⤵
    PID:5412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5200 -childID 12 -isForBrowser -prefsHandle 7440 -prefMapHandle 7284 -prefsLen 28333 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e20e9fb-4e2b-4524-9291-fbda8e258ec8} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab
    3⤵
    PID:5172
- - C:\Users\Admin\Downloads\winrar-x64-701.exe
    "C:\Users\Admin\Downloads\winrar-x64-701.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:400
  - - C:\Program Files\WinRAR\uninstall.exe
      "C:\Program Files\WinRAR\uninstall.exe" /setup
      4⤵
      Modifies system executable filetype association
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5372

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3996

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ver -imon1 -- "C:\Users\Admin\Downloads\memz.by.iTzDrK_.rar" "?\"
1⤵
- Modifies registry class
PID:400

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" -iext "C:\Users\Admin\Downloads\memz.by.iTzDrK_.rar"
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5428

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" -iext "C:\Users\Admin\Downloads\memz.by.iTzDrK_.rar"
1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Modifies registry class
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2348
- C:\Users\Admin\AppData\Local\Temp\Rar$EXa2348.25383.rartemp\geometry dash auto speedhack.exe
  "C:\Users\Admin\AppData\Local\Temp\Rar$EXa2348.25383.rartemp\geometry dash auto speedhack.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5672
- - C:\Users\Admin\AppData\Local\Temp\Rar$EXa2348.25383.rartemp\geometry dash auto speedhack.exe
    "C:\Users\Admin\AppData\Local\Temp\Rar$EXa2348.25383.rartemp\geometry dash auto speedhack.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:208
- - C:\Users\Admin\AppData\Local\Temp\Rar$EXa2348.25383.rartemp\geometry dash auto speedhack.exe
    "C:\Users\Admin\AppData\Local\Temp\Rar$EXa2348.25383.rartemp\geometry dash auto speedhack.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1336
- - C:\Users\Admin\AppData\Local\Temp\Rar$EXa2348.25383.rartemp\geometry dash auto speedhack.exe
    "C:\Users\Admin\AppData\Local\Temp\Rar$EXa2348.25383.rartemp\geometry dash auto speedhack.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3152
- - C:\Users\Admin\AppData\Local\Temp\Rar$EXa2348.25383.rartemp\geometry dash auto speedhack.exe
    "C:\Users\Admin\AppData\Local\Temp\Rar$EXa2348.25383.rartemp\geometry dash auto speedhack.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:852
- - C:\Users\Admin\AppData\Local\Temp\Rar$EXa2348.25383.rartemp\geometry dash auto speedhack.exe
    "C:\Users\Admin\AppData\Local\Temp\Rar$EXa2348.25383.rartemp\geometry dash auto speedhack.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:6100
- - C:\Users\Admin\AppData\Local\Temp\Rar$EXa2348.25383.rartemp\geometry dash auto speedhack.exe
    "C:\Users\Admin\AppData\Local\Temp\Rar$EXa2348.25383.rartemp\geometry dash auto speedhack.exe" /main
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:6092
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:1312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
bc0c32f230014cf7fdb01924bf1b2a33

SHA1
40f750514e7c1094f6fe1c3ac54f77420b89b137

SHA256
d4e2f2952aacd7fecb9860f9e33d67a3ba1f93bfb993b261fca711e57ce7dd1c

SHA512
29fc19106173913e87ca5e6501bb05a9eef2bc0fab04a497661ab8dfdab8dbb0fd23b3937ac21d0622bce43e37c502fbf43ae4ba52a64947699eb4dcb821921d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\doomed\21694

Filesize
50KB

MD5
f3c7f01955bb54c9cf50561e2c1bd465

SHA1
393e3c9b8c240e591668289a55659c1d976f58de

SHA256
7fb0d641c51d0b3a5d4bcb2693aec5d4189608836a35be2872397e567cf3e9f1

SHA512
710932f85dbd23794637ae3a3dc070e3c826b7be42ddca148a5bc29f2856058eecd581c3e93aa83efb6d6b0f8ef3941bdaf077e8918c0347891dcbc20526706c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\01ABD05F24B7C929E9BBF7B620E2289C4EE00CD6

Filesize
13KB

MD5
6d6668509dd4b22dac1b2a6d3850b986

SHA1
701d08335c3778f5da4dd4e1f593533f230a1e2a

SHA256
efeb06af00197262f76ecd653e4364bf2e2b0a8fe65a64b0474f93905715f255

SHA512
96da811277ab9d0bebcb521df96baff50c9eecc3aa1350bf51c60e87bfeec76f386a39ba3d3c2a7ca2564ee7da0f9cc4de35102a715393edbbd60aa8431d1fb3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\04829417B698B01200BA3D1BCB51E49891C7BE09

Filesize
112KB

MD5
ad74e04c7895ef556675ee063aed1b07

SHA1
5d6b9cf9fa7845a12d91308e9bf92f0589373e72

SHA256
78ae0e868136e3e6e3fafd1e2f7492d65916816d1bdd74bad1c608b3ead28272

SHA512
7435e96cc7e91bc98ebbd19a072927acab9a81cca4160673949dd72f4b74aa77621751c6397b5c21c824facd8f8f3bfdc95dfbb41441e89319f74407b53e2432

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\1BFCF30C19190141EA70968C6D0386B3A55376D2

Filesize
20KB

MD5
4f43528aa9409d424cb6dae170cce192

SHA1
7a048989f2afe8f97f2aa61aae5115d519ad1538

SHA256
310e34e927c32374cca7abfbba0fa873b4327eeea38e49f504eddca486bcd38c

SHA512
0b8ab12a47d54d22b537a0e24a331dda040fcb27392b2aa2acb31dbeba819ced9bf9d73f8bd7c0e9c199460431be7f4ddc87502bf1aff194316b1d8bf8da03e5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\21816B0DB510050B0FACA059FFBCA789FAFF93A3

Filesize
123KB

MD5
e404d8566f69707f609dcd7981f1da16

SHA1
1b95ef7a68c023157db7967e2f6bbcd94845dcdc

SHA256
34368153111cf3fdeb46e30de6fb57033582230c5de77538de4026e150f7564b

SHA512
0f0817c3afddaf0cdda40aeffaf51cddc67f211d2f6b17e7c50630ca0c48350289e5668856cf29c1d7d797146a559f58e3399ea24c506ca0a5980d8f8f5e2b45

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\2587B8254FF29804EA8C313AE41DED8329BBA421

Filesize
86KB

MD5
bf9975c2af5c8d06ea2d334c14512458

SHA1
fc555eb15bfc875210165ab4f379a81fdcc47f7d

SHA256
da4729780cbb193523d3df3a9d311329fe7cac005b9e08d2f5482ee932a170ba

SHA512
901790901c7a4b372540d5ec3f91de69aafe72f052d934ec4bbd6ea650180380f4566b6ab4d78d5fa7ebe39ac1d78a7d9b5c7f08d44ab38a4b9be780cc63b2e8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\26C5D9858055F0D3E69990B155924D86E0637444

Filesize
72KB

MD5
17142ee8f9e08b5ca2837309fcb91c66

SHA1
a15d6b03edf2066a5bfcaa94fc7f20215cf42cdd

SHA256
84f2baec12f538898c512a8fc1a17f5ec9e0afcba4a8f2af48afc5575bbf1359

SHA512
efe735fb4dccf7a3b712a068efa923d5d81cd7a9a6f8b6cc6211435681a777e8c9a1e40e7a3044bd7548efda5b716c2cdb37c7ca2697cb27fbdca836a2dd4f01

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\34C769494F4DF69B9CDB4BE623920BFE21770EA9

Filesize
93KB

MD5
71c1e64fd0d1c1654e1db80f8bed3710

SHA1
ed237510f43fe814d0e0b1cb0b483a9234f22da5

SHA256
bb9c17c7fe463032fafbbdb5fd9b9f4dc0ea96b4152608cf3070b5892208fc7d

SHA512
3cc3277cc1e17f79ec01f2ac2cee1b9d6ab3fa23260262fbee5521a600a8d9508dbe6ab58cb37bcd9274859ce8c2b3f520372ea64b2878ff1ccac1e39d68947a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\3BBB7CA8DD414D65915B48B9B7996585CD0523E0

Filesize
414KB

MD5
e59d370b6b2cb79037448e845a60e7e8

SHA1
1d26b65df7949f98eb5a5de83b2dde8c2dc9856f

SHA256
60242516c0e2a43a62b4e8444138e9980138736523aee54f1bbed02a6e7b44d4

SHA512
b3ccab939165b7cbdda7abc8f4ee6befe0470904314b0f8e086a1f38b3f97783e79864a35be7820d23bfb0fd67086eabd1af58e1aa7869a226a4da325dbc172e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\45C13727B6DB444F70F2FAA20129C63BE433735D

Filesize
63KB

MD5
63d50bc7266aff36a02c9a3755f13a28

SHA1
ba8dda07a6ad98b06c9b599b8e436d1c0178d296

SHA256
75a501cdea952219b52e3fdcad00c35b5276596c5252885f199bdb72ea40fb2e

SHA512
76efe64c2e64fdea1b40121a552f6bff83dc22d4ea81d82f013bd3113cd0965ab6ad385f159e18c47f73557e7622b2a7bc3f4cc6b61fdc30cffb04eab5c3e749

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\4AF72ACA6BDD176CAF72BEDC6DA0DC7F1FE27FD0

Filesize
603KB

MD5
d179d0996c89ad6d9f4be63f6741a7d7

SHA1
619db9cb7a5ad0582e70228ea1e02e77872105b4

SHA256
3d6b2be3dc76da622a602bbfeeab88f37542fe5cd2a0768aab06f77a3a45a61d

SHA512
32d033615cfcbbb7bc8887556c6542eb6a8bd535607df1d24506c6f1e9e02a02140fdadd5744a6c5ed1d0f76ed81f9e54487631e628a5ba47ad31d4400e6e45f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\620F16825A5E0AF197A97B3F53DDC3975F800408

Filesize
17.7MB

MD5
d71a57cb3dd80647c95638feab369fc7

SHA1
0efb4ffaeeaeccd4e72e84bd74354e6fe5aa9668

SHA256
2a7b5b49be414ef6e40e81aa0cd695484306f2b2c4619331f0192e86403992e1

SHA512
7f32e15b171cd7eb96d0de39137587b7926b724790e451109ae748159d6f67278c718a29e92a9b61b001b32bb0ec4ff39a8cdeacdcf795fbaa05935e9b2b27dc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\80285EC16EDB2FCB53FE4D6500B0396AC776DCD0

Filesize
1.1MB

MD5
fbda382e4833d45be445495a93960861

SHA1
58832c91ee4587d185c65076323425def1c602fa

SHA256
49509efbe950ad2834794e45d8541ef1ff69b4936cd2e0b7732ef54f2ddac4af

SHA512
977407409523e19f93e4c22b8e0dea426f821a1b5d5bd250aa9bf35dd1c5031d71bb2b6d5e680274990f3871698f2a353e22fe018cfc8895bee3a312f3e00284

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\96B6E7B5152A18601B0E937E329DCDA0D7A5827C

Filesize
143KB

MD5
ce9a14bbec20dae1c90077695c408d92

SHA1
dc7ba97686ea174e3c0d2345345659551ae6250e

SHA256
4cc220bea61d84520b5541a06656d21fa57ab112dd1589c0d081321589ceb31b

SHA512
25a92d9462319ed298eae805bd5f12395577d317748ed68b2badcf903bdd0e1f9dc3b9ee64078db4d974fc32e744737b4a15edbae2aa512a345a04136d1e3bf7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\A2BD72A3227572715C6CBC7E489B8F9A87263541

Filesize
79KB

MD5
dd0498968d62079512d41f6a1a65915e

SHA1
9aa4b24cc50388df9b73f65f7eaa1be62bbb1816

SHA256
d5bf4060eab8e961c3b2b184dc0acf11d7dda0bce71499676a733916087c4083

SHA512
4b660e26848710e82146926fa97eea4e58597b990fe3d29fd0fb65998d1889797b99ffb0784c3e105d7eb2d119dd752a0959d54db21f1ec3ee8269f752ff5e3c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\ADB77CF89BB7C3EACBA0400910D8956D4F8A5D23

Filesize
2.0MB

MD5
0f84c05325c72551ed59b79f3ec14c89

SHA1
e33bf7584d3403df4a34258a1876f313816cacbf

SHA256
1d727e7c3b50a06c6d2062171ea218b630bb7999009548826e671e82aa6d0fae

SHA512
4d5f08ea9dc95445ce3489c48f6ec6861c9121b42a7752309e00ba031b2ecc3d59163402c458f0f4e6c9aad7d853581eaee2f2c22e632d7d7fe3396dfe920ced

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\AF6E7B7DB9908D7B867517AC33D094ABD56E38F7

Filesize
81KB

MD5
471fdaa6622866b724bd595a64fcd81c

SHA1
5dfd1a17aed6ff80ab4ecfcaec1afab1862ac586

SHA256
82387eefc013ba8ce23e73192e7807b9acf1f30919d04574c0e06c017d2688f5

SHA512
bcdd707d41dbf85246198e41e962efed90041ce9d1c771cf40c3d8a58d7a959380644a616e6f85ad29ffd92844ba4a3f5fd538981caa14da80e7fbf872189adc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\B47C2290387CA81094036091C984E8DF3E89AE1C

Filesize
79KB

MD5
9bfd439630e8a58c3359f7e7c75f365f

SHA1
1f9672465d70b7939b72257c0adbe6120a96af54

SHA256
f95a4513e2a954cb0704eacebfc5a0a78b6c73d19b5cec07a0f43e74e9a55b43

SHA512
809a9314614ccd84123dff419b10c8f0fc94bd0d785e8e5b4adf2e409d6b5d6bc6638b6722aa61f600b61c3733866296905655b9065e7a227d5ab85399ceffc9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\BD518506D48E5D9A2A1A812001B343D87149620C

Filesize
320KB

MD5
df7f62f3bc28da5cad2fc78fa06c929b

SHA1
393da48d3a927bc10f23292b6f25a649ac11fb9f

SHA256
90b85ad4f136750f204de522ed637336e0c2df8299aabac6eaa5a00bb9e193f1

SHA512
d08154b66c13c34144303040c474d68daa719c5096eb747869d80633c6f2f033c5fcb37c1735037824ffc1542c082da804379ef485bf076a0d5b5fa0b899fc7e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\BF0923D6C9AC3F4148AB74C98E937ACD57DCEAD3

Filesize
97KB

MD5
7dbd4d643d95a12dd9a2085f5b2ff0f8

SHA1
4b4b217a2c09f6ec86c399172797a27a12acca3a

SHA256
d02f64022387f65941a9772e62b0fecfca31eba0ef88e852b497ee9cc96064a2

SHA512
ec55eb2b5c06c3c1a257c161e861901a4f2795c140849cde62983bf9c03343d4386f44f9259cd8a3d3e30cae7a044f33599f472752621f66a7822a7e0f514be8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\D105AB5F954C0907C9073BF810F90A3C36C6D3E5

Filesize
1.3MB

MD5
3124ff1df0e0276c69a6c5738e571154

SHA1
5da75149f36d05e12e4789e184191a4d2b768d4c

SHA256
55df7575ef143cd1d2424f257c0c1b62b19435d70211ece0b129ffae4911a2f9

SHA512
f03a975f957cc441fda4b93dfd98d7e3406ad155cf966548dcf99561a7027c332bedc06aefa6c63919cf1a52ec82c3989eb508d46610dc0d86f75f5cb563c1f6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\D2764A516583A378D0BA2325F933EF3C538EF129

Filesize
90KB

MD5
24fdfd715ab0c8da840a0cfa0a95ee13

SHA1
74d9ababbc3d0be127357753dadd954a7c085ce7

SHA256
3af55a99d1ccf186e9944278500b2e5fc9fbc0e87b3cebf526ccbdc5e74a9652

SHA512
623511a1e21f52d03feda6ad45b37b47b8530dbffc9667ae426d64c3ff4411212658ea8a792219d10fed04d2bb1502e44ce795ab0834145932fb86c813fd7e03

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\D730CA398E0FD308A82018862D156E21C6F32BB6

Filesize
97KB

MD5
af8eff4ceab94e10fc06d9902d8575db

SHA1
b8144e59648dcfb73c53078a0881d2693106e2c3

SHA256
451a8e32fc59c87db043ff2df4840f8487556d488652503047abd4cf5fac2e5c

SHA512
c46370c40e4092374817c548063a47c0df595c4c9ae4682867c5f51dbbdb43cdfe4cd654f732a5beaa1187c5b4f25af18c2ee0dd6a840c37e4735ae5b13e0efe

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\DC6086EC8F3DCECB5FDAB23100B46388E4B264AA

Filesize
15KB

MD5
cb76521f73adc282ef7f347366545c90

SHA1
f2374f50a1d93b30201fd64e9b96e31334680834

SHA256
8833943fe9a2b05e3de125736cde0fef772920cb43050a81df492abec6e3ede7

SHA512
77eef513f8644d9a657bfba0886e58508d7863ebedfabd95bb050d75350757c5a1a06cfd47fe9d1cc927a40716df4299c20ca3079bfc835d279caac19305455b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\E44D8EA2BB95FA202605B58E615B3400B72A14D2

Filesize
72KB

MD5
c85ad74a3d5263bb1ab1204ee9809aef

SHA1
df74426885ae5b3c00536b08a4b098f8d9e44cc4

SHA256
aba1357043e68f313c5ff27d9ccbb3c11ae212ebded1b4135d135c21ccd2a7b5

SHA512
f2df66fcc2055d0992af00f92268cbb5030f4579fe1441257b1ab76e7a851eb83f5b2ded68567eabede35c23af16ebf16815bb3f16bcc055a2b778376eaa7baf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\F474D7E59E998C6F907BBC0D0E7E58F48498B13E

Filesize
14KB

MD5
e5a0b7bb22d28a6fff5494c107597264

SHA1
79b051b688878f078a11985426bc7fc3929f100a

SHA256
4a51c8aca20b70027ec22285754ae93fbdfa5275eeca95de4e1a3814f2de9a4c

SHA512
4a65677b41279f5cda241287a36f5406e8b1826ac395b4cb08f1734ecf69d849384065937630290397c5160e42db4f45d40888444953cebd22de6068990070f1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\F54E7030F181831909BFCE5EACACBD3D867BDC0E

Filesize
142KB

MD5
184fcc638f24fee258ff2a15300007be

SHA1
e4db189ce5d4b0023e7250d495071c43273781a1

SHA256
e6debf98e8180d2f8d94cd526a0fb3ed45959cf5c501f117f6522e2c08323982

SHA512
682573c1efc36729411694dffff9e5c51e76c1643eb519e88216be9ddea9ae19bffd6c6c639be319a78d6e01b8a2b85fdad2cb02059d5f399c08fcf54ac85afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EXa2348.25383.rartemp\geometry dash auto speedhack.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin

Filesize
12KB

MD5
56abcecdaf379dd1ea4b75608aa58aa5

SHA1
a2523274f826fa206558ed0757d89fe4bd1e0feb

SHA256
4ee278eecd3cc59b811fcf231ee73414f2f38079091baa2ca6d68bdb2f946955

SHA512
ffdf4ad562bde145b74bf59ad0d97acb4cee0ba0a7d026555e8d365bdbc328d42238e3c20545d8fed704306c0dfee6a167e4cda921585bf9459c0e2fbe8dd717

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin

Filesize
7KB

MD5
a1b897445869bbdd643b14b4f5f7b7f4

SHA1
110171fd13ebdd079ef973e38542a8c112049045

SHA256
1a05868882445ffc7127cc65590789be5d6c877452e3f7f6e1f38deafc947363

SHA512
7777902ef6afd7c01638c30ddd5807e01810e085df15e59db95b9aa678db94c1cf329fbcd577683045a5335b5a04ebbdb59be01f53bb6cd00a4fd0b1b8755454

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
ac964458e3e8f29dfc425c47b9942df0

SHA1
5719b7f90d25969ab107fc16673aebabfa6554d6

SHA256
b8d98763a9a1cc19c5cee89f2d3fec9592737dd39d0933a0ec86cf3a916674b3

SHA512
bb04f12a159ed949a1804d6389e71a19ba43c5ae64d493c7ed1b03c3825366c5b88a64321e5b065726e11c63aeeb3512b372f16aad40273cbc04e8b785acbcd7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
9ef48d1ae7b51ca13331c06606dc8cfc

SHA1
fd1364508fa8815f1893a525609b2c2999682ba7

SHA256
6c046101a5f49ee2b797edd04b68b61a75db0215361a512a21aae4c9d78f0e86

SHA512
c2f2b5d4bb21814e866863cc14d3d63afe9e7f6dc9e0cacd6aa1df368c01a91656726ae7e1e1124f122bdc790a7f20cd9d628b84a3c01017d134ca3d00d300d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
88054a44f7a3ad3ba7b64d486acb6abe

SHA1
267bf203bd50b38b4140cd5c0128a359c3182ee8

SHA256
95ee4dd5a5bffbf3d64ec1b782afbcfa415644bf903b4c8f3415e5c17853f872

SHA512
1e982a07fdcdd092ecbfc642e86abdd705e558691a12864334ad098ee3c2a9b7a44cd3bab0af0f17981a704b254f30ba9f6f6d97bf6b1c788a7af3dd816580b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
af759bf01e1bb46ab1d44f3a79068b76

SHA1
b3e76f5882b5ca609ade3893802bffdf5d28e878

SHA256
33e736a06a8eb774476bc168d52ef1ae33d10c34caf2c231a3fdb92cfc8ded1c

SHA512
55477446f375370e6407ab1378a5a3d3d7080daba44c6b9e97c279f2344df1634a0b6e60c903629eb955604b8b18300614ee69a6c30ec88e9d62a769d2580dff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
05bd6142edf90b47c45e7aca6af35ce8

SHA1
3b3ad8c9d96732a2f29d6d104f141723dfa4d23d

SHA256
48fece322fd7e9d94f8d0524a3cb2e0c1ef615c8d0dfc3bbca3bd91c62ea9023

SHA512
f64da92961b83359bfb7229f1d8255b43833a45938783ae1e3a801c5ccc14a9317dcee48ea83746ef5f890d0dfc4e599871d1dabf5532d5558ebed0ccabeffa1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
96e838351adad50fefec432974b88a5a

SHA1
2c4d65c662d4cc73adfd434b599b9ad0de9c5de4

SHA256
439957d5e9f8d8ab22e84ae2829cdd8e18442bef1d3f1ad1fdad8d1a61005ea5

SHA512
7ce87fabeb139b3a8d2d1585dd38169c54fdcc4dba91c9587fafcfea885345a8cf898c3edc1b33189115a26382acde59d177e0b357dcb242393259f0e54b6ff2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\events\events

Filesize
2KB

MD5
2160981eff8b4e3707213a921dd56064

SHA1
0de0198837796063b48bfa26e4ee628c6b873e91

SHA256
3396bdcfc6923a84350abc9185b835c0299d550d006ba9572dbb7d96262eca44

SHA512
d8627ea46e6410e10d6aec9e119b43ae80e49fc5be10b663fef0600bfd26586d7417385837ca6351b3dcf0e0362950b489f8276b0c4d86f5b52d0cb5731b5ce4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\371833fa-c66a-4c38-a91c-7b1fd2153b16

Filesize
982B

MD5
a6611350e367b3f66ed96326968726f8

SHA1
04071b0890024c97ee4e69b0920055a4ac5a6bcb

SHA256
10bd46ffddfd459e68cc28964c3cbc60d73bc8a1a2ac657ad36ddee9b9294a36

SHA512
8375bee6ec39f6beb0f7d4fed72e2ae024a15341793f904e9f14d0d95b869222119b504cdf1c36628df55e5598fa0deabcd0356766d508f858e2745c4fa4eb6d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\4179cbc3-27e7-4db6-8113-d55a4915b0c6

Filesize
25KB

MD5
a9e314c854a43a5cfff3168981399fc7

SHA1
ec6d1bf7a7c7f7a437896949a921295611a8478e

SHA256
8bffceeb6983862e193cd58a44acaf15a687890527a6bef06b9d5bfb6c035e78

SHA512
1ab16bdc5c1533c8a24b07f0f4854fbd23d50def7894115acf4001ddc0d29d2c48ea9ded9b38e6aadfdf467e6235ca7c7c68a1bea70e069ea0d3c388c773eb4d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\68a741e6-1a9d-43c0-87ab-5e8d979657d4

Filesize
671B

MD5
342632977eccdf2b2ad2f8c25f1f348a

SHA1
2bac2b45d92969aef6f20d9ffd763b6907b289a1

SHA256
aff4ad8c0e8068ad70b1b2662a4cad8ee065343d1eb4faccd4d87a878e024320

SHA512
e7f237e6c24db839793f2ec9556bbf7033cf3c8b65607e3207e337fd314b686546a57383d13ce957aea34fc4c827f4ecb61deb2bf23389735f2522d6e6aad710

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\a0d69233-7fb7-4a0d-bcd8-a8fb58c60159

Filesize
23KB

MD5
69286fe4e7d7890f8c1e5959ce4cd5cb

SHA1
5264285a5163ad845b2a99555413933381329fe8

SHA256
0e50fa06dd87a2070672c3fa5e9501d9c3935fd0ab97821d691cb0b6e2d4a98d

SHA512
41f8704c7f4e8c7c6740edcc026b68ce26712e06552ff2594aa4d274078ac1ef595d62dd9d2581ad61fc42265e779e7372db34525c9c32134e7549bfdfe006b3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs-1.js

Filesize
10KB

MD5
1306e4148e1ca23bf23ec03d00ae1b92

SHA1
03492b7e0c11bf3d9ab20ec7858e42c6244bd8a3

SHA256
fc6ac97c9ceefc668f9d7120fff2307ea86c7a29734a16b4944c8e759f356e95

SHA512
739bb6f9bd3ebe8bb3a18987f1619a1754ff2d932619b2bc67e274083373785bd98e4e3d7f46bb5320fa13088f2f40e47cab33abfadccb94f1cba34a0d4b7463

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs-1.js

Filesize
11KB

MD5
27c8b846faa9ad77fa5bf9b1d9ea4e22

SHA1
c244c322ba6eb94411fe1e298d016aa90b748800

SHA256
dd9916366c57c3177db10db5bfa03203e3c19a619d09bba3ce0c586f25222c29

SHA512
1b27100dfb8a805edc140608e27889a344f8abee34b3ab1b5c5087e1bc98e56aaaf2166259fe6bd44ce1a583a3c59f4c1b24180fc9475d3f1fbe83871f02684a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs-1.js

Filesize
12KB

MD5
65fead84f617a3777261ad38236edb39

SHA1
e41f6c2d48f706359ca7e4cbcf60cd7c744f861c

SHA256
5a7b9a3a40faadbe1a008a6dfe512c84c5555793712ad968cd35a7eac82790d8

SHA512
d3a2a12234200fc97ef156d0ef82791a43ea9e844341b1b143814c3caa4190ac044a11ecbd2e5e1611028675d24b1a207f45e9fcf586188afd35177d83716355

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs-1.js

Filesize
12KB

MD5
73c1ce2b210b0e0079925d8e6e5280e4

SHA1
909809f95aabdcb42da1e258b2d4f0ab59219ca5

SHA256
82b6a2cd9fbfa21598a05048000d57e8f14a2d89185e0dde8edb28abbedda9c2

SHA512
3820f5a85976755489426eef834685e39e659c2b119f0cdc0cb76baae747cb4b4639799dd2d76098c337bc71319ffbd275d12472f21b3467b972e1bccc1c4a9f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs-1.js

Filesize
11KB

MD5
1d51f57c7225ae9083e2bb2836bc3f8b

SHA1
117ef8eeb135355967911745585e06b9bb31d3db

SHA256
cf93dbd6dc24c9c0b12e700653766ac78095b39081dfffbcabedef1b38696698

SHA512
5131dbaea1bf04b8ff1c91c25e905368b7f85c092a5acc72c31d42a74cdb06c6f56f9c7940b937e99affa648dd4efd73c14ab035e941a062adbeeb533ca2ec5e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs.js

Filesize
11KB

MD5
604e656e6ecf720afd8c2df0656968a9

SHA1
a377726294026d74c838f2179113262fc1ff5779

SHA256
057253500ca03fcfa49be833e26875420b6d9801fbea950b6ad0c45df8aee170

SHA512
7710c2f2c0ca90a136aa78b8def5ca4e2b5272bbb55ad64e78e0f1e4a1ed1abc2fdf99a694cfe0e5d9c18cfe7e617628e56c24e61a624f1b28cfc45354fb5594

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
679aa8446a21f2f43a77221d8658c610

SHA1
a21500553df8445b03c9a20965e9cfb9cb48a308

SHA256
88d528cda91fa04bccd9b37eadc27609132546205daccdf4c8a66d78f55b0258

SHA512
f27684c6d731fe0e52ccd48b4ccd5a673e326b35360a8b685188f19a88b349e428b507ebdee62e547c54c10b8f79e839b63ce4f7da68a8e5af0cb6ee2ab42f17

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4

Filesize
11KB

MD5
c8a7ae6d029e24f708cc55f8371663bc

SHA1
a5e16896f5d53fcf347dd80fce883c67a46b5c3a

SHA256
3271f0a13165f68f59cd038140b5bfe576ff6f04b41be0056cb0c641ed62e35e

SHA512
55d1fd9508d149c5e0462df688ef65a72077c405e80ad2ef3487ff2b5027459bb58741749e9db06c3f9209d447ce6b1044b513f418fe75d6e87750b715e783e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
61eea19a149c344eac74e7cc0d1d30ff

SHA1
c7fe758fdb1a4929c71726e97672dcea0ee08446

SHA256
d02d065425e0accad58c263a2096c1fb340819389fee490bfccdda58453dd04b

SHA512
2a67d36488f942f00829899b3b76887fb19d3a6825cf998af25bf3008faf1c0afde12bfb53b9274e96d34ed5f7b7cacdd6e0362c521ad0221ea398cbac951f8b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
1fd653dede6d6c345d07774fefe3bc71

SHA1
fb048abcbe3fc55fe40f88c9220ccb11adcbff23

SHA256
306e7c5a1452d7dc96d4297737c3d3aba92239e39b3035df58bc472c15100094

SHA512
fdb027c01b978a89e35a383acf00d8d6ec419f1bf1ba0c11da0a80934e3d838d4b77580b603068fa4661d2f6a9481e0b4a44f11cb5406b60f7fccc4c1289b116

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
d6d72e12caafd74625f2b3f1d24d9f96

SHA1
a7d579d576318e238f13ce9b9384296946d30f35

SHA256
6c11e0dab29f9ae6ed1c31a763ec96353580a13c6964c757eb26412ddc0b4d18

SHA512
b61e448c8920f1e4521ac2a40871bd1939f4c7653615c9ca5cef4cbbf6021c6c3fe528b8976a3acf8b262894fa243582eeb363ae2364177abbb3313f880dbaa3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
560KB

MD5
5217ae738763a016bf0c76cde8f4ec34

SHA1
6a58a2d40663b6d60821a51f8feebdda2dff478e

SHA256
cd5e14c37b1fc16dbafd626b075e0d78f0289327922283e9f0986abcdffde223

SHA512
4f64786033a9dbedecebd41b4301584c080e37b717f28fdaa4fb7ab95a9d253b67311db78c3270113c43deda42110a5df2654c6a8adeeff61589bc1b19f5370f

Download Submit
C:\Users\Admin\Downloads\byaBPGe1.zip.part

Filesize
12KB

MD5
8ce8fc61248ec439225bdd3a71ad4be9

SHA1
881d4c3f400b74fdde172df440a2eddb22eb90f6

SHA256
15ef265d305f4a1eac11fc0e65515b94b115cf6cbb498597125fa3a8a1af44f5

SHA512
fe66db34bde67304091281872510354c8381f2d1cf053b91dcd2ff16839e6e58969b2c4cb8f70544f5ddef2e7898af18aaaacb074fb2d51883687034ec18cdd9

Download Submit
C:\Users\Admin\Downloads\memz.x2acQ3EA.by.iTzDrK_.rar.part

Filesize
17KB

MD5
352c9d71fa5ab9e8771ce9e1937d88e9

SHA1
7ef6ee09896dd5867cff056c58b889bb33706913

SHA256
3d5d9bc94be3d1b7566a652155b0b37006583868311f20ef00283c30314b5c61

SHA512
6c133aa0c0834bf3dbb3a4fb7ff163e3b17ae2500782d6bba72812b4e703fb3a4f939a799eeb17436ea24f225386479d3aa3b81fdf35975c4f104914f895ff23

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.PlV8pe6u.exe.part

Filesize
3.7MB

MD5
3a2f16a044d8f6d2f9443dff6bd1c7d4

SHA1
48c6c0450af803b72a0caa7d5e3863c3f0240ef1

SHA256
31f7ba37180f820313b2d32e76252344598409cb932109dd84a071cd58b64aa6

SHA512
61daee2ce82c3b8e79f7598a79d72e337220ced7607e3ed878a3059ac03257542147dbd377e902cc95f04324e2fb7c5e07d1410f0a1815d5a05c5320e5715ef6

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads