ec601c36feeee576997eef1353981acd1f1f33506fb997afee602f1d90b2e3df

Analysis

max time kernel
946s
max time network
959s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
11-08-2024 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loader_fn_hack.exe
Size

494KB
MD5

1b11a579205b36e3fa3329d55ef443b2
SHA1

12d26104afcc17dd36bddf8f3943ea8ec71bc15e
SHA256

2e5be386b1b5ae75d64c467ff361c0c1c8a694d920e270af70860f3d1b7d20b2
SHA512

4645864fea6c7e33214ccc73fee314968f880af7e24886ee9c5c15bca625a2b8a54608b5754b4b7d634a423983b90db1fce82e70a6fd318431fd24d92da85536
SSDEEP

6144:lK2VfGFeQ0yf1va8qwba/DN26nUEHSRurs6ZU18HvrDR6encr3U/OUDDXaRNEv7B:tUfURlnzyRqXHHUeniADvXaMvU5o

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\Mapper.exe	loader_fn_hack.exe
File created	C:\Windows\System32\drivers\CheatDriver.sys	loader_fn_hack.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\rgIZRrTvfAz\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\rgIZRrTvfAz"	Mapper.exe

Executes dropped EXE 1 IoCs

pid	Process
512	Mapper.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
96	cmd.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3000	taskkill.exe
4536	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
512	Mapper.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4536	taskkill.exe
Token: SeDebugPrivilege	3000	taskkill.exe
Token: SeLoadDriverPrivilege	512	Mapper.exe
Token: SeDebugPrivilege	4484	firefox.exe
Token: SeDebugPrivilege	4484	firefox.exe
Token: SeDebugPrivilege	4484	firefox.exe
Token: SeDebugPrivilege	4484	firefox.exe
Token: SeDebugPrivilege	4484	firefox.exe
Token: SeDebugPrivilege	4484	firefox.exe
Token: SeDebugPrivilege	4484	firefox.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4484	firefox.exe
4484	firefox.exe
4484	firefox.exe
4484	firefox.exe
4484	firefox.exe
4484	firefox.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
4484	firefox.exe
4484	firefox.exe
4484	firefox.exe
4484	firefox.exe
4484	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4484	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 3476	1768	loader_fn_hack.exe	74
PID 1768 wrote to memory of 3476	1768	loader_fn_hack.exe	74
PID 1768 wrote to memory of 3624	1768	loader_fn_hack.exe	75
PID 1768 wrote to memory of 3624	1768	loader_fn_hack.exe	75
PID 1768 wrote to memory of 96	1768	loader_fn_hack.exe	76
PID 1768 wrote to memory of 96	1768	loader_fn_hack.exe	76
PID 96 wrote to memory of 4536	96	cmd.exe	77
PID 96 wrote to memory of 4536	96	cmd.exe	77
PID 1768 wrote to memory of 2204	1768	loader_fn_hack.exe	79
PID 1768 wrote to memory of 2204	1768	loader_fn_hack.exe	79
PID 2204 wrote to memory of 3000	2204	cmd.exe	80
PID 2204 wrote to memory of 3000	2204	cmd.exe	80
PID 1768 wrote to memory of 5100	1768	loader_fn_hack.exe	81
PID 1768 wrote to memory of 5100	1768	loader_fn_hack.exe	81
PID 5100 wrote to memory of 512	5100	cmd.exe	82
PID 5100 wrote to memory of 512	5100	cmd.exe	82
PID 1768 wrote to memory of 2040	1768	loader_fn_hack.exe	83
PID 1768 wrote to memory of 2040	1768	loader_fn_hack.exe	83
PID 1768 wrote to memory of 2836	1768	loader_fn_hack.exe	84
PID 1768 wrote to memory of 2836	1768	loader_fn_hack.exe	84
PID 4552 wrote to memory of 4484	4552	firefox.exe	89
PID 4552 wrote to memory of 4484	4552	firefox.exe	89
PID 4552 wrote to memory of 4484	4552	firefox.exe	89
PID 4552 wrote to memory of 4484	4552	firefox.exe	89
PID 4552 wrote to memory of 4484	4552	firefox.exe	89
PID 4552 wrote to memory of 4484	4552	firefox.exe	89
PID 4552 wrote to memory of 4484	4552	firefox.exe	89
PID 4552 wrote to memory of 4484	4552	firefox.exe	89
PID 4552 wrote to memory of 4484	4552	firefox.exe	89
PID 4552 wrote to memory of 4484	4552	firefox.exe	89
PID 4552 wrote to memory of 4484	4552	firefox.exe	89
PID 4484 wrote to memory of 596	4484	firefox.exe	90
PID 4484 wrote to memory of 596	4484	firefox.exe	90
PID 4484 wrote to memory of 1724	4484	firefox.exe	91
PID 4484 wrote to memory of 1724	4484	firefox.exe	91
PID 4484 wrote to memory of 1724	4484	firefox.exe	91
PID 4484 wrote to memory of 1724	4484	firefox.exe	91
PID 4484 wrote to memory of 1724	4484	firefox.exe	91
PID 4484 wrote to memory of 1724	4484	firefox.exe	91
PID 4484 wrote to memory of 1724	4484	firefox.exe	91
PID 4484 wrote to memory of 1724	4484	firefox.exe	91
PID 4484 wrote to memory of 1724	4484	firefox.exe	91
PID 4484 wrote to memory of 1724	4484	firefox.exe	91
PID 4484 wrote to memory of 1724	4484	firefox.exe	91
PID 4484 wrote to memory of 1724	4484	firefox.exe	91
PID 4484 wrote to memory of 1724	4484	firefox.exe	91
PID 4484 wrote to memory of 1724	4484	firefox.exe	91
PID 4484 wrote to memory of 1724	4484	firefox.exe	91
PID 4484 wrote to memory of 1724	4484	firefox.exe	91
PID 4484 wrote to memory of 1724	4484	firefox.exe	91
PID 4484 wrote to memory of 1724	4484	firefox.exe	91
PID 4484 wrote to memory of 1724	4484	firefox.exe	91
PID 4484 wrote to memory of 1724	4484	firefox.exe	91
PID 4484 wrote to memory of 1724	4484	firefox.exe	91
PID 4484 wrote to memory of 1724	4484	firefox.exe	91
PID 4484 wrote to memory of 1724	4484	firefox.exe	91
PID 4484 wrote to memory of 1724	4484	firefox.exe	91
PID 4484 wrote to memory of 1724	4484	firefox.exe	91
PID 4484 wrote to memory of 1724	4484	firefox.exe	91
PID 4484 wrote to memory of 1724	4484	firefox.exe	91
PID 4484 wrote to memory of 1724	4484	firefox.exe	91
PID 4484 wrote to memory of 1724	4484	firefox.exe	91
PID 4484 wrote to memory of 1724	4484	firefox.exe	91
PID 4484 wrote to memory of 1724	4484	firefox.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\loader_fn_hack.exe
"C:\Users\Admin\AppData\Local\Temp\loader_fn_hack.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill -f -im FortniteClient-Win64-Shipping.exe >nul 2>&1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:96
- - C:\Windows\system32\taskkill.exe
    taskkill -f -im FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill -f -im FortniteLauncher.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\system32\taskkill.exe
    taskkill -f -im FortniteLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\drivers\Mapper.exe C:\Windows\System32\drivers\CheatDriver.sys >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Windows\System32\drivers\Mapper.exe
    C:\Windows\System32\drivers\Mapper.exe C:\Windows\System32\drivers\CheatDriver.sys
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2836

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4484.0.1445571937\1927326433" -parentBuildID 20221007134813 -prefsHandle 1720 -prefMapHandle 1708 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {81d10908-db1e-4fde-b933-fbf6c28c947a} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" 1812 2ac979f9458 gpu
    3⤵
    PID:596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4484.1.1856208304\1993784014" -parentBuildID 20221007134813 -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc825a2e-2150-4ec2-b35d-27a77c4b341b} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" 2168 2ac978e4858 socket
    3⤵
    PID:1724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4484.2.1935855470\1625673122" -childID 1 -isForBrowser -prefsHandle 2760 -prefMapHandle 2832 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {21b9920b-a6e9-41f4-8c82-f5402d894000} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" 3064 2ac9ba9c158 tab
    3⤵
    PID:820
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4484.3.1219880096\1315207904" -childID 2 -isForBrowser -prefsHandle 3488 -prefMapHandle 3484 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d10d205-906f-44ae-8618-5fd9630f31c9} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" 3500 2ac9b0cf258 tab
    3⤵
    PID:1588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4484.4.1612066818\75440977" -childID 3 -isForBrowser -prefsHandle 3732 -prefMapHandle 3728 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28ea17be-36fc-470c-bf07-b35cf07ee228} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" 3744 2ac98c89f58 tab
    3⤵
    PID:1404
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4484.5.1360384522\1829467903" -childID 4 -isForBrowser -prefsHandle 4800 -prefMapHandle 4736 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc06b143-e2ad-4836-b12b-1be8ac84d60a} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" 4784 2ac9e050358 tab
    3⤵
    PID:4524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4484.6.1228199782\1660160987" -childID 5 -isForBrowser -prefsHandle 4968 -prefMapHandle 4972 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7911e751-02a9-41eb-b548-4c2fd1744406} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" 4960 2ac9e051b58 tab
    3⤵
    PID:3308
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4484.7.1574972945\1361586715" -childID 6 -isForBrowser -prefsHandle 5164 -prefMapHandle 5168 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {92cabb73-ac9a-45a0-bf9b-c3e57f72bf9a} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" 5248 2ac9e4c6258 tab
    3⤵
    PID:372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4484.8.2133516424\2129187976" -childID 7 -isForBrowser -prefsHandle 5660 -prefMapHandle 5664 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e585480b-bb41-466a-a09f-b2b3a4f82330} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" 5652 2ac9e40b558 tab
    3⤵
    PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\doomed\14709

Filesize
15KB

MD5
face6e8390aeb1b64de110fc5f32eaef

SHA1
1ee19d4d913ce0f35bb6d8b47c7af483e803b94e

SHA256
d9e31f5ab85bac64e67a9841e2cb963a49f1d546c418d1dbc751fc4d54bf4501

SHA512
f379687afb0f7a87d6650a24663115cb5ffd628d8052f53ccc3f5e1557d8e4f700085f73bd0552020a2c92cade075bddeb929c55e3123f68e6470a46bdaca7bb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\8009AA7615959742DB0E2C888BACB228D61FBA60

Filesize
60KB

MD5
7ffd3c7b3bbf5f3da2704c02211fda5b

SHA1
6b96b4972b441e0c9f4a2712b46865bedb726038

SHA256
0a22a0d8422635aa12a9ea4918cbc6139b8c1aad9186b6b76a4af624d71ce8f1

SHA512
8a1f7603df07619984d14a98fc868b39003418bea46779b138bb2fe904e2c19a8cb7759ca7a9e8d17aeea7deb8f4058a251b13628ccafa0454dfb3e9b6b4689e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
7KB

MD5
1aef76b87c2954abc69600e016078694

SHA1
7de90d129e1958b262876437e313336920911027

SHA256
242eeea85d103cc045cd525d75375bf986bb0840e2ff8e65be6bcc281dd771d2

SHA512
b2698b5e428a0288360a0ccde7eef760b542bf623b52269dc503e0ad048e30736aac44bdde0d36c4d58dde10cc061553516c31e014976ff81abcf237842756bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\bookmarkbackups\bookmarks-2024-08-11_11_ScpUM-Ibb5LR1l4-7-Og+g==.jsonlz4

Filesize
950B

MD5
708d579bb783ed9e58c4e87173aa5028

SHA1
54dcdeb367c15a06aa620df1559de185668992a5

SHA256
3f7fa0f3a61236b17951ef95bd63347281c40abbbcce937e8fc787d31c8faa28

SHA512
1c7f8b921e5f32d67b1150e24092ab800ca4939993832cc46f43638bdcce380da1e74b44aa2f368a74e5ae29b76ca1e3a20b837517a4f0464b7af53098772e95

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\broadcast-listeners.json

Filesize
204B

MD5
72c95709e1a3b27919e13d28bbe8e8a2

SHA1
00892decbee63d627057730bfc0c6a4f13099ee4

SHA256
9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

SHA512
613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
4d1743ed2a627b946242751a5118a62d

SHA1
0a2c96c2dbc2b41c92b70b7da21fde89c7a0119b

SHA256
a166e5d07da8656b264d018933b2b5fe90fe897435fc8d29e8465972172fea2b

SHA512
ade0b31a813c143aa432135db457ad2eecc96d7b851144a0d82ad2751bdcdc6f0c974240ddf265e5ff3de2240ac5f548c0993f02d7bd1a30d1865f64cb1b6307

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\d9e8006b-ad91-45ce-90c1-ad8922f39b6a

Filesize
746B

MD5
3b57d0fc4c8e96972b9c7e9da5c910a8

SHA1
5e60ddbeed2a58505c7d946cfd8fcad28697eadf

SHA256
4c1381848e44b1a4edd166ef4021858eb626a63140926daf794b695ea419e9f9

SHA512
d5908a5da856e780b16fc8fae34cd691b4785e763fb3c2943dd38fc88f67b3f2cd2bd4373fc97a2e11039471e4d267e811c68f8d2ac0758246b19072a542903b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\edc7a3f2-5cc6-4016-91e4-4280defe2ed6

Filesize
10KB

MD5
bc40da5b084717182ee9844f7fa7f1b3

SHA1
c642ec110bbdaff1f4f44886ecb2d599d04b4202

SHA256
2f783d89f0d932b3194dace683667e09625baca0029e061b7ca8bd7b2a96eb8e

SHA512
521b03bc5e67b55eadcce7b31f23aa3c08d1452ba44b643857f6faae2b2313a9d915d9cd2ac7b38460fb50180534ee02dfc89af17e32812e2f68fdc094e052d4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
7KB

MD5
8654b1b8fc5f254d19c1db68d9e68b10

SHA1
6c1864a08028b4bc61d66df735fd6507bcb6f65b

SHA256
117b944a6588750a005d50879cf32cbcc26af0cd501c309ccebdc78259cff39b

SHA512
8ded0c2d3e4d43c1583b917b42a67f3f79477a70758ccd4a5eb69610f90befc24b454c2c031962a29e7226580a5ec0e618d25acc366f737c160d0b7a8bd84eaa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
6KB

MD5
8615cd08543e60baeb3ba2d11c713657

SHA1
27affb915e1df1c78d6025d00e0613afcfcbda38

SHA256
420763302c37f9b801c8b819b264c2d8a15f70d3b806c39027ad757ea1b5b2d9

SHA512
f9faeff38490e8b096bf7e347fe8f8afbaf61769ff2121557f8ddf1d976270634776ce303d84d41e5c6c12a4d246ae120b4bc7a5986155503f132c1921437b32

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
7KB

MD5
1ee0feee46e10f9cebb6aa4bb1d11a17

SHA1
fc1dda77ba105c58a3ddeb5592a53e5901cc538a

SHA256
7931ef1746f698298df7a5245e8081d154e1a1bdc47a062fcb6257aba245b34d

SHA512
e26b56e36bcd43779287601ee03aa1aef069078b122d03fb7779dbe3c33485a43d69f9038bfec80f94890c7880238a345218da8bb1f472bdd07d3a28b1940fdb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
6KB

MD5
891b48db34c290b24d0265fa972bb295

SHA1
a6b62d5f873d879a39f47f424b016dd20372eecf

SHA256
5fb46b23dc11cfc7c829dd520e3bb55d32e89aa20d3b777c34fd52b36f6130a1

SHA512
ac31ae4a9dde0d492636dc31bfdaabbdc00fe6f99c76741029e239cfa5e27ab814a82fd8266b8089f4f28a9036194a83ef78391b3b18f538898fba8d42704174

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
e33222a526fb6e8e084a97e63b1e4302

SHA1
c90a9e627a23f6f3b9422119089026da0bc10b74

SHA256
45aa7783960763dacb6249b9a8fc8ecdc74d3d03eef3d1472fff6ced88c1d0c9

SHA512
6a61b8d3c83e30d917ca943532299e8eb39cb0e8931493e5a7e17f199ecfd3c2a8441374ba7f81c4cf9281d1c551a347811094fd7f71a33b59485acb5daf5597

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
a5c518a3e3ba18fce62c004d189486ce

SHA1
423d7ec45cec0e10f91e2aaf646baff6d28df638

SHA256
adbd708d201e4b0a6580cd9e1ba0cff8e15538d8a6aaac7b2ccd981c1befa5c8

SHA512
6196ed6240c6377470060b7ec6f6e0b519cd027e26ef03121739cce9762d9f2c455150e02b1450b8d8e9b9e7b5b00712e773749e44019e3d0b5887aa9b328dfe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
a79f86b20767769f375bf12350dd43aa

SHA1
1cc4d3e60d845848b15f67fb619699aacc6659dc

SHA256
1134a52ab243027adaf7bc1cf45f9912fdb8c3c27fe0bb4146f7ce80726a3e61

SHA512
48a232ed28ac634051125f35d3a73ac7df9964398895d895b3daaa0da3467b43a6b8ac6ed84e950cc6741b283e0483b9b2e3c6e5cf9e3df36e12d1bfa990f6a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
2c9d01009492a7550b9c54f10bc10cc0

SHA1
f7cb8f922afb9f0b386336d156eaf6c44aa3b028

SHA256
712b32b62ec9aa07e12518fe47c27cce8dc922baff204ba23a90587dd2b47b3c

SHA512
2c47df5b727f0aae109c253ead356acdd171e7c43f113efe057aefc3e137d82df0f03bb8f75b38574fac7c15770e7d472129e7ccedf0840c6aef53af456c868e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
192KB

MD5
95d0a053301d69fe5f8cd629ecc5528b

SHA1
dcd3848e2d3d2dc27727b6672665e75584d3d16b

SHA256
51c42892aab620c7fe3f34358c499dcaa00a1e334d3af912193dade3fca1b41f

SHA512
1490b73543f87cb0d5be552cf12fd13d2a0b8a3c716c3f71236d0c60bb881b0da68098f99cb5f6b96ad646f87d8edc4a03e5d93b7c799c1b0914a4101c1f56ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
0ed2663971e8051b2bcb574926400fa8

SHA1
467756bf41c377bdb07c8be10d5391f1df1d80a7

SHA256
0c44c9887ebd30506041e4f483422673660df0b74c7468b0cab2c69bee1f4e8c

SHA512
e521f02d0a4dc70e3bb33747c5113c76f18f15b4370826ef13700c4f559c8b158ed1d8ef79d7d88794bfea61496a75d653237391f2f8b5e53d8574a21f113898

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\targeting.snapshot.json

Filesize
3KB

MD5
40be2d03143886d78dc58826c73b0c53

SHA1
03dd7b7a8dd26404998d9a829eab93e99df511fe

SHA256
3db18d4838949f2dd5a5a08e05bcd80abbce234e2d88a9a842e98e4f1ec85f54

SHA512
7617d838860348c337705741429a8e7634acc731f441bcbb4cb2a208e83533f4fb24e0dfb6c531379845d25cb2d61d9dec55dfb291f9a27c58dd6b1c4644e7f5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\xulstore.json

Filesize
141B

MD5
1995825c748914809df775643764920f

SHA1
55c55d77bb712d2d831996344f0a1b3e0b7ff98a

SHA256
87835b1bd7d0934f997ef51c977349809551d47e32c3c9224899359ae0fce776

SHA512
c311970610d836550a07feb47bd0774fd728130d0660cbada2d2d68f2fcfbe84e85404d7f5b8ab0f71a6c947561dcffa95df2782a712f4dcb7230ea8ba01c34c

Download Submit
C:\Windows\System32\drivers\Mapper.exe

Filesize
134KB

MD5
7903f9ab941b9119361c687f6b824f8e

SHA1
cb1f9e0041bbb8fae69fb62942bbd13591ef6a0e

SHA256
0634938aad749fbda6692d0ee249d78c7ed731e49fac69989d9423fd0d676b46

SHA512
88d3c71785eaf917327ad8f753934187eb21950de473bc28b77c2fbd58ba51144232259535f38fcc19783058bc943b24bab1f55fb65ab0c62255dd4bf9f9280d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads