cc2a152497a5c741a54644cbe47bbd441c839e832a47b3e932fa4bc93fe8c316

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.2MB
MD5

ed97dd4ca80d8c2861b05ac6a3d62ea0
SHA1

faec25a43898b884f0a6efff6caa953e14ffbc17
SHA256

cc2a152497a5c741a54644cbe47bbd441c839e832a47b3e932fa4bc93fe8c316
SHA512

b91ab91a6acec2543dec29bc2c7f6c9bb11302405a1cf72fb34d8f0d66b7372c390ea8056233d4296a7fd2d410a5543f67c734954c251bc0d8ec7cf7b841b334
SSDEEP

24576:UlhFMRqJRzwa38TNycVagP1zg5TNsLfW7QbOvFRYoaKziT4Cu7Bb4Pt:mT38NyczIqLfWvvFR2mA45x4l

Score

9^/10

credential_access discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	RegAsm.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/5048-3-0x0000000000400000-0x000000000052D000-memory.dmp	autoit_exe
behavioral2/memory/5048-5-0x0000000000400000-0x000000000052D000-memory.dmp	autoit_exe
behavioral2/memory/5048-7-0x0000000000400000-0x000000000052D000-memory.dmp	autoit_exe
behavioral2/memory/5048-9-0x0000000000400000-0x000000000052D000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4160 set thread context of 5048	4160	file.exe	85

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2276	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 5040	4160	file.exe	84
PID 4160 wrote to memory of 5040	4160	file.exe	84
PID 4160 wrote to memory of 5040	4160	file.exe	84
PID 4160 wrote to memory of 5048	4160	file.exe	85
PID 4160 wrote to memory of 5048	4160	file.exe	85
PID 4160 wrote to memory of 5048	4160	file.exe	85
PID 4160 wrote to memory of 5048	4160	file.exe	85
PID 4160 wrote to memory of 5048	4160	file.exe	85
PID 4160 wrote to memory of 5048	4160	file.exe	85
PID 4160 wrote to memory of 5048	4160	file.exe	85
PID 4160 wrote to memory of 5048	4160	file.exe	85
PID 4160 wrote to memory of 5048	4160	file.exe	85
PID 4160 wrote to memory of 5048	4160	file.exe	85
PID 5048 wrote to memory of 1680	5048	RegAsm.exe	90
PID 5048 wrote to memory of 1680	5048	RegAsm.exe	90
PID 1680 wrote to memory of 2276	1680	firefox.exe	92
PID 1680 wrote to memory of 2276	1680	firefox.exe	92
PID 1680 wrote to memory of 2276	1680	firefox.exe	92
PID 1680 wrote to memory of 2276	1680	firefox.exe	92
PID 1680 wrote to memory of 2276	1680	firefox.exe	92
PID 1680 wrote to memory of 2276	1680	firefox.exe	92
PID 1680 wrote to memory of 2276	1680	firefox.exe	92
PID 1680 wrote to memory of 2276	1680	firefox.exe	92
PID 1680 wrote to memory of 2276	1680	firefox.exe	92
PID 1680 wrote to memory of 2276	1680	firefox.exe	92
PID 1680 wrote to memory of 2276	1680	firefox.exe	92
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93
PID 2276 wrote to memory of 4456	2276	firefox.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:5040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
      4⤵
      Checks processor information in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2276
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e897d7f0-3c35-4ecf-9bbc-13e2266634ab} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" gpu
        5⤵
        
        PID:4456
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2424 -prefMapHandle 2420 -prefsLen 24522 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {44944a4f-2d4f-454a-8edb-d538584819a0} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" socket
        5⤵
        
        PID:1504
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3168 -childID 1 -isForBrowser -prefsHandle 3092 -prefMapHandle 3232 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {397ec005-e513-40a0-aa9d-7b84c690ba60} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" tab
        5⤵
        
        PID:4744
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2744 -childID 2 -isForBrowser -prefsHandle 4088 -prefMapHandle 4084 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eea2d986-f8dd-4ae1-9192-5db6c23bfb43} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" tab
        5⤵
        
        PID:1748
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4760 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4832 -prefMapHandle 4828 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee2f46b2-ec07-4a0a-87ab-3d556e6d5012} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" utility
        5⤵
        Checks processor information in registry
        
        PID:5040
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5284 -childID 3 -isForBrowser -prefsHandle 5368 -prefMapHandle 5232 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86414a65-98d2-4a46-9a09-a68213cf922a} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" tab
        5⤵
        
        PID:5528
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5520 -childID 4 -isForBrowser -prefsHandle 5596 -prefMapHandle 5592 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c599bf4-6b73-41b8-bd32-3ad55d82c847} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" tab
        5⤵
        
        PID:5540
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5744 -childID 5 -isForBrowser -prefsHandle 5484 -prefMapHandle 5488 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7746729b-e786-4fd4-9809-742d01e28865} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" tab
        5⤵
        
        PID:5552
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6304 -childID 6 -isForBrowser -prefsHandle 6344 -prefMapHandle 6340 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac81918e-2667-4d30-b148-7d19da37607c} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" tab
        5⤵
        
        PID:4548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yaq795em.default-release\activity-stream.discovery_stream.json

Filesize
36KB

MD5
491a5ecffdacb7e1bbad1f47459935c6

SHA1
097c8f89a14f42001dc50e46618ad738f6c2db41

SHA256
d4d7593510964e480a3b8ea4a990be79b47249547156d7ba07ee2d5521584e1d

SHA512
364ededfdee8419ba209e3e2985c1e5997f43218c80ab0192c3a49b017275b82a8e6af3df0cee7eab5f0180173d1b60b6fc9de020546ddf422f4d1a797f94d57

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yaq795em.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

Filesize
13KB

MD5
67bb9ba7872aafeb78e8e5d494ad311d

SHA1
3bfe254a85674deb4b7a6071c6a6236cb41961c0

SHA256
742ea405c0dc3bb4eecd235a1886315ded3fc21209636c2ce916b6f4e0d69133

SHA512
ef5caa177a97ede193b5824919ff94d6813484e3c87b63feddae46915cddc60595701080b9d06258bbda055a5d1fb57aca4c63e58c028223a4b32fcb4ee88d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\AlternateServices.bin

Filesize
10KB

MD5
6573b2e9512a57c3f9839a7f8811649c

SHA1
37bb4298897c338ee51c679f165394db043dfd28

SHA256
f7c6e0b6a9f6d6354902224242d632b45c245feb253d595a53d7d56aeb00db96

SHA512
60e7a3119acbb01e9ce860566691689e209ceeb66d7e0a73b5a0c9f3bed7527fca7163bf42036c53c0c83f6e35bea2da6385722b6a7fc4b89731d92b201a7cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
5e342a33a7d335cbf4ffc2c7e845212c

SHA1
617a0e75d4b205b09ad061b1585e24ef6101db2a

SHA256
0a44387e03ad5b5ad611568ca38be0f85d05735d8d849efd6fd55cdb8de32d50

SHA512
58bfdb37d1583582f7546865a81b2ff27ae579cbfd5a2f90785437b5bb6a1f8b992d7a165728ac9f8daff484b0ee6272c722cd1df21117165f65560332f18d7d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
8a4d804f59cb0a53fc5ab1023158ca17

SHA1
eaeb6bccef457c2919969d64ba814bffdb6b289f

SHA256
deff843a888b88bfc0f32a587dbf464c58fc4e942bd0bee9aa5e0ff0ce0743c5

SHA512
e5ce04902930134530472200b21ad42ae135ed178595d3661a8e256c9b72a83e0471341c7ce62f81f69814dd646b7a778bd8ae3b5d071f7b9939727d9526f4b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\5b770629-5c5f-44cb-8454-5ac0ffe0cb38

Filesize
28KB

MD5
847620a12654b0fd75250631fceadbe7

SHA1
7845376c3a612e7b28d8a7cfa11be38d59b176c0

SHA256
ea28be2f56e5972f821bfa8303700a131ea148d9311957c6931cfcb9e9a4c84b

SHA512
748aef8606fc6b351f19207a0609f6986de519ffaf9a5ef96b1147615a4fbe105b90fa2d49b4a36e8b5782f9d915976962e47db1d3227d061fcd7bc04fa552ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\9a29d841-857f-4ec4-b45b-6e028b08f2f3

Filesize
982B

MD5
41bef4371ad3382f72893d2f75911857

SHA1
6f3267523dfbcb2b371421c2fcc88d4b17d99475

SHA256
7c99aee25c29deed0566376a9008fb5156ec5604ffeb4d070377367d2c28588a

SHA512
140977d3145da14232bfc021a3d05ce73baa7f4d9b8ae18553c1aa9385697b593440e435176622747b0aabf23207be489e798f7afd69f1b7f352ebd8822f20c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\d3fc846f-a1ff-4916-84f8-0008b59afbda

Filesize
671B

MD5
9b95114ab1455a7ce18c4a69b5f0f0f8

SHA1
eb9e6eb738eb0db769ced428a044105fa974ca0f

SHA256
a09026cfd50d118425a0feeeca4a2c6284d0f1f9172947062e14bc392b6955ae

SHA512
909776c1446239b13f111ea3d606ff75618c09f54c00b5028fff6056ab950ae46ccce42a61897ee39ff6d90914a1818e4cfb175aa05bdca161d1d180ee5ea377

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\prefs-1.js

Filesize
11KB

MD5
fe2814196b9a50af8a05d2f98f21f35a

SHA1
d59ae3aa1e6e5cc07b83ade3f30b8bd53c7265fd

SHA256
36970f2700d48f1637448d0421660e516610f3bc389f6ef9274b324c6cc3f564

SHA512
0b1f2f453f5c65289c5ce9c1aaeae5203dd5669c2a39a8855c5739453c58e58f14c60e9eb117589c23b1206d0f2ab5e51367e1a9f18b066b18e4386051834835

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\prefs-1.js

Filesize
12KB

MD5
2cdff51d0facabb4288ad5b86c657bee

SHA1
fa05f1710f591a407d7de66bdfadb0922d3d7d1d

SHA256
3d2fbb8c28341a1151b03845811c7fa9248e8add56c1d3d6bd5c647ba63501cb

SHA512
76196bc3dbf995ef55d42618deb3f73dc2478feb0c42ef91001289529b9967ed8dda3d6d5d9ab812d9359e5e535bd9a670d7a3ab8429e9d42ed3527e49dfd5ad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\prefs-1.js

Filesize
16KB

MD5
d3fab1a027288a1b50cd3845129278b5

SHA1
8b3c9f12a32c2249dc4be0e6199f48014f5112a9

SHA256
9ff09fbffa66aa9418acae7d85421ec71d2379b59a36f0ba7483eb91765d8cc1

SHA512
ee993e160186a215a4c275b9b99d8e6ce5dd83e84e99c8bf901ad3d337677a2d37f939acf4fb568da2081544ad0c8cb8df29597b550f0613507d68494b1b7e87

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\prefs.js

Filesize
11KB

MD5
4f45d4070a844ba36c57246500ecef89

SHA1
a2fcd23a54cc98fb6041b7b2d0cb8574e24b33f2

SHA256
561fb4298097b80832e2b4b972180da213d85ed2a576bb742093b157dfe0d23c

SHA512
e63a032f691f61a034972d4871192ccc5ae937fce791684c9bcbc61786a0287632f6dfb7737bed3809771d851998c929c1326ef6562d717511195cb837e54e10

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
cf74d2e42a950f07a05d875c66442012

SHA1
a857b6898e8deb4702aa6bc925f3d9c4ceebcd69

SHA256
4eb8d9b33ee0d741845292416b2fb620237635ef80ece308f2cba45d052d338c

SHA512
12c6e5ed69b878b5fecba2aa4c927a47822367cab72194139b38387538d1e988d765d0ace5b56648d49ddb06c364c4a355f2d2f7e308a01b9de98b35e218a17c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.2MB

MD5
edc22d442098c0b0071dde712e88a0b7

SHA1
72f42b8742c6e8a47135024fe0f9200e5e1c9268

SHA256
f2a91eeeb1f709bf5b60c3971203e030e74f0dbb7527742fb4e31238ccafc80b

SHA512
e776ae1907f75e6c2f481ea2bde4fe605e4a6e58d54bffc3c8c2ec806f967c6218ca6871674ab87b43f9136e20f9ebdf6b0cedab9a63902722ff6937cc7b832d

Download Submit
memory/4160-6-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/4160-358-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/4160-0-0x00000000749BE000-0x00000000749BF000-memory.dmp

Filesize
4KB

Download
memory/4160-1-0x0000000000220000-0x0000000000350000-memory.dmp

Filesize
1.2MB

Download
memory/5048-7-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/5048-3-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/5048-5-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/5048-9-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads