hxxps://www[.]blast[.]hk/attachments/22425/

Analysis

max time kernel
122s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 20:46

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://www.blast.hk/attachments/22425/

Score

9^/10

credential_access discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133702156437905479"	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "66"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{B377019E-4978-4238-BB01-81E5E0182398}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\camhack.lua:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1612	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3768	msedge.exe
3768	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	firefox.exe
Token: SeDebugPrivilege	2364	firefox.exe
Token: SeDebugPrivilege	2364	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
4480	OpenWith.exe
4480	OpenWith.exe
4480	OpenWith.exe
4480	OpenWith.exe
4480	OpenWith.exe
4480	OpenWith.exe
4480	OpenWith.exe
4480	OpenWith.exe
4480	OpenWith.exe
5708	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3768 wrote to memory of 4832	3768	msedge.exe	108
PID 3768 wrote to memory of 4832	3768	msedge.exe	108
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 4704	3768	msedge.exe	109
PID 3768 wrote to memory of 5096	3768	msedge.exe	110
PID 3768 wrote to memory of 5096	3768	msedge.exe	110
PID 3768 wrote to memory of 1884	3768	msedge.exe	112
PID 3768 wrote to memory of 1884	3768	msedge.exe	112
PID 3768 wrote to memory of 1884	3768	msedge.exe	112
PID 3768 wrote to memory of 1884	3768	msedge.exe	112
PID 3768 wrote to memory of 1884	3768	msedge.exe	112
PID 3768 wrote to memory of 1884	3768	msedge.exe	112
PID 3768 wrote to memory of 1884	3768	msedge.exe	112
PID 3768 wrote to memory of 1884	3768	msedge.exe	112
PID 3768 wrote to memory of 1884	3768	msedge.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.blast.hk/attachments/22425/
1⤵
PID:2460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4588,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:1
1⤵
PID:1708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4680,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=3832 /prefetch:1
1⤵
PID:1280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5460,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=5380 /prefetch:8
1⤵
PID:216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5464,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=5484 /prefetch:8
1⤵
PID:4788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5960,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=5968 /prefetch:8
1⤵
PID:1452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5880,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=5988 /prefetch:1
1⤵
PID:1608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ffbb653d198,0x7ffbb653d1a4,0x7ffbb653d1b0
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2312,i,3123367467416430829,9033255034485698876,262144 --variations-seed-version --mojo-platform-channel-handle=2308 /prefetch:2
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1940,i,3123367467416430829,9033255034485698876,262144 --variations-seed-version --mojo-platform-channel-handle=2412 /prefetch:3
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2540,i,3123367467416430829,9033255034485698876,262144 --variations-seed-version --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:1884
- C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=3976,i,3123367467416430829,9033255034485698876,262144 --variations-seed-version --mojo-platform-channel-handle=4480 /prefetch:8
  2⤵
  PID:1228
- C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=3976,i,3123367467416430829,9033255034485698876,262144 --variations-seed-version --mojo-platform-channel-handle=4480 /prefetch:8
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4632,i,3123367467416430829,9033255034485698876,262144 --variations-seed-version --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  PID:5556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4848,i,3123367467416430829,9033255034485698876,262144 --variations-seed-version --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4780,i,3123367467416430829,9033255034485698876,262144 --variations-seed-version --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  PID:4224

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe"
1⤵
PID:1972

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:456
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2364
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2012 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fe9d6e2-90ff-449c-94e2-e7de7c8649f9} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" gpu
    3⤵
    PID:4780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e283862-5962-410a-b80d-040bf7eb45ff} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" socket
    3⤵
    - Checks processor information in registry
    PID:728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3136 -childID 1 -isForBrowser -prefsHandle 3128 -prefMapHandle 3124 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8dde07e-029c-43dd-9190-3680e044d5d3} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" tab
    3⤵
    PID:4172
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4260 -childID 2 -isForBrowser -prefsHandle 3656 -prefMapHandle 2548 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f6b7ce7-f719-4fbc-afc2-c6c4820b1e76} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" tab
    3⤵
    PID:1968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4984 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4976 -prefMapHandle 4972 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a28dce6-ad64-4875-a75f-22200829d492} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" utility
    3⤵
    - Checks processor information in registry
    PID:6056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5260 -childID 3 -isForBrowser -prefsHandle 5240 -prefMapHandle 5252 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a31c1e29-e56c-466b-bda8-c022bb994aef} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" tab
    3⤵
    PID:5232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -childID 4 -isForBrowser -prefsHandle 5496 -prefMapHandle 5492 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1016fbdc-711f-482a-ad08-5ea8d0ab5486} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" tab
    3⤵
    PID:5260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5676 -childID 5 -isForBrowser -prefsHandle 5396 -prefMapHandle 5392 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3683c48a-b3da-4aee-a937-fdffb9d947b9} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" tab
    3⤵
    PID:5272
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6160 -childID 6 -isForBrowser -prefsHandle 6168 -prefMapHandle 2312 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9eb1a298-3300-4f97-8c72-f65c789e3d0c} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" tab
    3⤵
    PID:5332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4236 -childID 7 -isForBrowser -prefsHandle 2676 -prefMapHandle 4224 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5b8ab24-86fc-4930-8e57-26957202420b} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" tab
    3⤵
    PID:5684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6564 -childID 8 -isForBrowser -prefsHandle 6500 -prefMapHandle 6504 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07d7ab6d-605a-40cc-a3e0-fcf8c717777d} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" tab
    3⤵
    PID:5208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6748 -childID 9 -isForBrowser -prefsHandle 3700 -prefMapHandle 3696 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3524256a-fa08-4fa0-bd21-41c3d151d040} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" tab
    3⤵
    PID:5888

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4480
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\camhack.lua
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1612

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa392b055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
416e0a077a62d292a75ab868e8969507

SHA1
10f481b18d5be9590e3634c0b9a508d04574394b

SHA256
35cfba27adf87d8ec6c45a4a398c895b90f4a80500f894ca6e3d9f811dcbad66

SHA512
94d36f529a14334710f25f5305d152a691ec4d0948b10a4094079dd8a5138490574b283623c264021871715b17d0f4e02602a8a24cd9c44dca71072a6033055f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
dccf4b509f52aefa41591ae270bb2585

SHA1
d6e52575ceaa1b050301017bce85b8bd9092448c

SHA256
5be8328e2aec879b8299f14082106f5fa1d9e9232cad5ffee28cbaa0469b73a1

SHA512
1d952206289201980e312e0308cddad0804f8b349a4c352c9188c4a76b8e6c44652eb34d7436fc243d6124c9e25ae11c37aee303041d11e9a274063fc6acbe2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
30KB

MD5
7f477149cb8978b3918cdc2a70233fe6

SHA1
e38c535529737a0166c604a0f587087ef6c37826

SHA256
f85a9c3cc4cc95469902a6c36fbd911830e58ecfd408eff66fcca910fa5bce7e

SHA512
be8f2207ec35a179d4e0a2b0747055d2b6e7cc4bdae46a6d75048365ee75e37d03776dd643d91647e808af61f71df6327016d36a3a1fcc432d71a4aa19854533

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
64KB

MD5
bd71d5476ab3bd955d4befed6ca6cb76

SHA1
2d42a8f6d207b48ffdd5f4466f2e6a3ffd105095

SHA256
324e5f75a7452bc2263d272dc922157281618d51a337b7c4c1b0dce05b6aa0f2

SHA512
88a87d555ea9ca6f4e77ee503cc824d2d27f9b33fa7e0687cf145056b60dff0436d9d949ded711dc5967ce24a95377080af2641f7700513cbc734d2bb38a5b56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
61KB

MD5
404eb7491b12b04fe1c90561848b410f

SHA1
2b9385f1aae7db716c348ca196a0d0fb2a9ffbb0

SHA256
52cb434f7893a145ff43570ea6b079e99b6e7240ebf17540ca4f1f9ddf841d60

SHA512
e7c4974e7095ec8306eced40b2f97132e6779ce5c9ff0645126b633db497c50befc57757bd49adbdafb62cf63b384a306fafd1ed38ad296670f6b7a820778d37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
61KB

MD5
a15c538611edce2b9c4ab51de8ec6370

SHA1
50b5ffcfeafb9869d09f0b3cb81f4362bdb9c3df

SHA256
cadb0d5968fcd8876d700c25a5a013087008209b6083c8bd5c9b5341dae5d2ea

SHA512
64005db97d69d514a8f304d27b3043a9a59d02b1d90554fab38e89de5d4d4308734d846ed345d4056710d5b8a5ef99afe032b2893a7f491a7a00176835b56548

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\doomed\22510

Filesize
24KB

MD5
0393d003002508433697d9084b5f1cd5

SHA1
8d21f83e8e95861090fce9eced1769414ca0cde5

SHA256
ecf43277dbb5ef80bdc6a82364e323de628bdba1c7ebae394b00dd053863402d

SHA512
c0f9e4fb12c721df8100862e334c98e99c89b39ca9c42ea995f555886d251e73648633db963ba834fb7a5a7359ac0b79eac1b65d31f5d0903dc4cb45180ad080

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\9C7E91DE38AF1D104AE47F8D47E51ACA5877B489

Filesize
221KB

MD5
0956e1bbfb645d80af42871ad911e41b

SHA1
cd13079f3741d886c9581aaac37b060f6dcf0411

SHA256
3ec2551398ac3a3adb8ac441d95259309619e6c5d0c0e0364e6dd6f8a8a41da9

SHA512
e899b3bdd70713d79a8b663cd833d1c53bc8f5a10598f9b358d6e6f8495f570f9baec32213af202c3ce3b7acb5ef911fcff4c5aedfb76da3245ec0db928f49f6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
7KB

MD5
c460716b62456449360b23cf5663f275

SHA1
06573a83d88286153066bae7062cc9300e567d92

SHA256
0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0

SHA512
476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin

Filesize
6KB

MD5
49def8647f35f5f249c22c8518f2a26c

SHA1
76a3fca51e4f443f1d817d64da11e33a936c3bb9

SHA256
553fa02fb6dbdab57f409a63a03d0a8de3a468651f55d5fdf955ffa7f5b88f3f

SHA512
dcf90cdf8b789c18772fb76ac546df47e03f533b380402aaca3e9c3e9e10cc6dde6f5395e28a8c38115c4a8500bd48c577052ee58ba9c8c1608daaa9e1c8a840

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin

Filesize
8KB

MD5
79d120692d18e02020b0a7d1e9ef457e

SHA1
e18de879b4e3864cf946f9b9c601b28e857ad51a

SHA256
6af2c7127e2d287f40e75fcca9ed04ffc42037b5865a486d3b5e7aed3f9126ac

SHA512
0d33411ea67db3ad43f91be38543951c4a4e178d1d21893647d9ee48ddccebfa5b570f1dc5bb26f1180c44c9e4879ba98a66de435f01a854afefad7d9858ec95

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin

Filesize
18KB

MD5
937ab941f050ddd04e68d0cabf878880

SHA1
d92b3ae4849847c523d389449e12aea46f83f849

SHA256
25c4bbd0fe9123c94ddda5bebb48c7a572ab64edfcaeb5b352006968a988f48b

SHA512
325563dc16303a9585ecfa8fd8c2f3f28f59ab04607de78a471d17ad64af67821224e585f5c7d85533f2bcb4ff770635380a6969747edf6d991b2618b857e951

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
329bbf041791086a2a9fff1ef058871b

SHA1
7189a04af97ec754e08cd4e29dd8fd81b0764b13

SHA256
fb34a266f0731b1dec07e776f6c983c28480c7f85354ec9a1608466c54175b1e

SHA512
d05472c46c4ae653d62d08ea18e91860e70e9bd75cfcd8d383f2e38fa7eea6dadfab5d910cf5afc7bded8a28f4053ca883d4ffd3d268b14a9117597ceca4ef65

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
cb6a6da2a43039c4893aec368688bb86

SHA1
e7be5df292176ffb9260f4247c378976690566fa

SHA256
36a0a8c0a08d2beeac8058df4b4daab9cda33de3512e371440fcc3460cac262b

SHA512
4d9e29e28027a455b864650736db6c22513c700f639ac67a81dce311996db404cacc4d5ffa6512d20f6774827cf645e88628132a63ead39e4c878d2538e06c26

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\00c0738e-79cc-495a-965a-526519e333e6

Filesize
671B

MD5
290949ada15cfe3846c8912e94dd1bf7

SHA1
aa9950a0a4fc0f95e46a6e0a28bd8768d43ff9e5

SHA256
3556a240beb89e19440859c281f9c9e77a5c88f07c99b6b92b24f5cd466e350d

SHA512
579bd5df20940e2c311687345f8800b900786d20b07b2b21ee5b1a3a17296b8216feb336fc827fa779f58eee2b430a741cfdf4c693f5e6bb3fde432b1eecb154

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\2e2a79dc-43e0-4e5d-9194-7dc0d7a397ed

Filesize
839B

MD5
214c06ec52507399f5cbb2a549fcf580

SHA1
2d6b906682d65b2f403448d31731d9860fb4634a

SHA256
80182b11730687aa07726f1f418855ae36017be8dee51d2ea28ec4caaf4170fb

SHA512
3c626124e6139f83357239ecee10088ed724363ba22eccf86bb03e4c9c68fa016445f73676282533802fdfc9242e2c4d400a3664370b002e18f14fc30c4cd279

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\6e33b9f8-5462-467f-a118-5425ff5b181c

Filesize
982B

MD5
dbdb7dfdb86d01e2a766f3f4dccf40c1

SHA1
2eff77f894853cbadce6627ab0111fd2ebfe1ab6

SHA256
aa4756ac992a8089a2f9da7026236ac2e803b9ca1d1179e44c3c395b2f1a3b07

SHA512
3aee8e48db3cdb9b0e57fc0cab030c0851bac3c010faf39350b104569e1dfe95a2da2cccbbe195c2d9a6d447d2c3572264c5ad71d260796130d44991cb86b59d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\c2468f63-b394-4d30-ae66-367af5daad62

Filesize
26KB

MD5
c3028a59b713794b7fdf85457109040a

SHA1
5b71efdbc0132bf98d00d3b6bf20d4f372b7581c

SHA256
9e16e15b372c9c3147d6581451b0fb494bcbbf692758a7fd2ab7aae3ebbdc1cb

SHA512
5ac16bf076e5e0fb5a78b9f58efc43ed70da1a3e08fa5a34991e63ff98002c80d697afbebc32d1ee83afe149ba97d2ee199d8663c5d6c44cd5f10a244a35aabf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs-1.js

Filesize
11KB

MD5
3d1aa5752e7c384cbf6db47898649926

SHA1
2e765798d8bc97f8af925e0e7434f611d03ca325

SHA256
be54782bf9d898b7a53e6ff364c728c562ccfea8abaf8cf82056a08225512cea

SHA512
781e444a493962b84c31dadf5e24b74ce62708eace8ca1dfdbe4f48c3d28ae5de78f4f0aa9f304bd417fbf55426c75c62a2d94c03e865f4aa9bdbfa87e7f1bf5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs-1.js

Filesize
12KB

MD5
1b6898c90278c04d3ffe8aae2d131bea

SHA1
8542aac8423ee71346469fba3fe320791904ab3c

SHA256
323f6fe1fe8861a4e0919b164bee8ca35ff8c6b1479d17cc9908c97bd6a5fee6

SHA512
b57476013c7cdfee3d075f9b3120d2bc1ab0d97feaa048a9c846ce460c11804b8191e0a961e442c58b686e347ca8118cc44f4215a5430b4be579d3721253f1f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs-1.js

Filesize
12KB

MD5
78849f4d84810ef900bc7452f44088b6

SHA1
f8d586865ff57216c9888d667acf1e5c9896d73d

SHA256
896625cf58b1af42f68bdc09d6c96cb566967b6ef35dfe07b4de5f7d79e4f714

SHA512
283ce47a4ea4c29c1882bdd05d488c068fb22424b9a0e6e28d34111088f58f09e22397895a3d2386b4f34e4719def8b0c242cdefb5ca6ffefdfd7378a6e018c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs-1.js

Filesize
11KB

MD5
3b73cc3e230a6b814330fbbc213e378c

SHA1
772ccf4759da550331d1de823ba6b815870f95dc

SHA256
150c189d78664abc182936eb4c57a425934cfca76d445b8d60dbbfd773184041

SHA512
2d1ce011a63879d01fe6f7a9d44c40d1fae2caeaadad09091c766786618f97e50646d63a59c649b76c6ff89386e9442c33140a815348c9abd357738a74da46c2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\serviceworker-1.txt

Filesize
170B

MD5
bd99e8d5668d0937dddee75b2385a09d

SHA1
bec61ff9d0f0874a45b813d2d12526a90d500d49

SHA256
a65e0fc769837b12a3cf03c0e9ea7b7610c88c9202dd31c7b57e2994674943b6

SHA512
1980a4801db666cc3265e6487e465ad43099f513e60ed47ac3fad33540a5b225121be3cd095ac7980f279f1576fcbb6c520c9d15ee70184978709e559078169e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\serviceworker.txt

Filesize
155B

MD5
a4f77ab931bbbcf1d3a082220e51f0f1

SHA1
58765fc4f0d7d9a3a602f0c7b236f7d933a864d3

SHA256
8774da8fd2f7c80b91d7738d3453f8fe1da2e615229cfb306ea21635d992cf2e

SHA512
b3b9aef8ca08fac58d4677ad5a81014654f15a0a279fcf34869d71feb2eb10ae0175bb050b782eb835780d6943cb873c4c69ce15ee9b87f0aeaee3ceec625716

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
5e27f45b8a5fbe44dbfbf0bf2f4a8cf8

SHA1
c679b62cd6d2a134c5ead42cc60739bd4c2f8fc4

SHA256
096fb7753cc53f484bee0965a3760d59a82e792f07bb0423de9f6d76d1e8ee8d

SHA512
c23e9ff3b6d91505c785ad756ad6e9f8b6a8c2f7ad870e49be87d6f6d5822bcdabc8c990975f03781c11446ad9ab6b12d3d21f59af98fdbf6e791598b4ff6eac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
5ffdd20a3b6744c50e5e308cd9a0f831

SHA1
23778f428cd1de979b8cf041a3d86df359e0e1eb

SHA256
3c8ebba0925af6b83387f4b19fa18ef7e4fd7ff2b4313539654194425c1d739c

SHA512
b6b7ba4883e8eabae00a7c760e1e27733aba2d448aeed5f99c6c662d25daa9c16e224f0c56cebb84940c122013fdf7be8a75974d050f02189536edd668ccf47b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\storage\default\https+++www.blast.hk\cache\morgue\75\{79db7d73-9911-4bb2-b073-9dde9a21fc4b}.final

Filesize
2KB

MD5
c940dc8ca7f4bd6329cba8eb3645fbf0

SHA1
c499620db50a77f30c7ea5bad4036578408b16b5

SHA256
7e04a1ae70931bb8f4de79c78550eaf25d149bc2e201a64e27942bfe3e4988e8

SHA512
823bcf2412a0e1c589c658eca6b0c762a7f27def0bedceadfbfb3f961ba04a19ce784ec7a26ce7b4dd05b1c3b014a6a07820887e241490fa429ff4cb9789e024

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
376KB

MD5
5f86b0fd26c5450456ac5caea34ec0b8

SHA1
d0fdd9d7ad9eb319f2a26d459cf6bf0084c0399c

SHA256
7b83943bad4c4918adf0e9bb2c05884625a9516fbf8b9882dcfc79d3bdba97e0

SHA512
224d97c6a9a972eadfa9631a71c102eb21cad695af42f5fa7b764b375cb8450652eb01ab4fd8852d5e271ba2d99f2ed129deeaffa51f2cdfef00cf96cc0fba4c

Download Submit
C:\Users\Admin\Downloads\1KQ95Qqd.lua.part

Filesize
9KB

MD5
01b4d49f9f1f99b3f8d96ab3b5617c3a

SHA1
6cad12eafe15a3505487d09d341074afd1042d3f

SHA256
48e81105380a63062ac30c422fb3c4c7cde693877aa3f83351975041d9b368da

SHA512
9e853555bc61b763d66c1c30ec5c59e6e9dc687b4ed61e478abbc5973a681770f2bd6bcd5441a287183f00e6b7521a087283aa1d319b066e8ea4534447e1af1a

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads