bab52efb1c11cba17e9ae78fdb51c2d8c825af93538eee05b12b2e30b8a0d6e2

Analysis

max time kernel
1350s
max time network
1348s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
21/09/2024, 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37626322_1871171556512529_4700140521996156928_n.jpg
Size

62KB
MD5

fb2e01e7199ecdeae00c5764a4005ed5
SHA1

2387cbd2f3ad41e2596dfb987baf65ae3b229db3
SHA256

bab52efb1c11cba17e9ae78fdb51c2d8c825af93538eee05b12b2e30b8a0d6e2
SHA512

2b959bfe22e321db451b6f1681880ceda9d6ef660547ef0601feb442d6bb1079377cd4da782821428a23931480e668685ab9058ee6945a41f53a95986f5d2794
SSDEEP

1536:cRF5Wepb57lB9oqjVTs5sTkxO+VWhLVIB4kd+Wes1LLOsqBMQ:c9Ws5f9JSBWRVIB4cMspL7Q

Score

8^/10

defense_evasion discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1896	ColorBug.exe
3320	Gas.exe
4156	IconDance.exe
988	Sevgi.a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\~~CB = "cb.exe"	ColorBug.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Netagent = "c:\\windows\\system\\sysfile.exe"	Sevgi.a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
169	raw.githubusercontent.com
171	raw.githubusercontent.com
172	raw.githubusercontent.com
173	raw.githubusercontent.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 4 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\ColorBug.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Gas.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\IconDance.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Sevgi.a.exe:Zone.Identifier	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ColorBug.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IconDance.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sevgi.a.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies Control Panel 21 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Colors\ButtonText = "147 48 92"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Colors\InactiveTitleText = "226 215 137"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Colors\HilightText = "1 31 225"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Colors\ButtonFace = "97 20 157"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Colors\WindowText = "96 86 245"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Colors\ActiveBorder = "233 192 118"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Colors\InactiveBorder = "224 130 192"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Colors\GrayText = "213 131 2"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Colors\InactiveTitle = "140 80 229"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Colors\WindowFrame = "248 164 106"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Colors\Menu = "210 5 184"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Colors\Scrollbar = "18 128 47"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Colors\Background = "134 28 255"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Colors\Window = "77 125 70"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Colors\MenuText = "25 137 150"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Colors\TitleText = "71 242 206"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Colors\AppWorkspace = "36 207 125"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Colors\Hilight = "194 18 61"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Colors\ButtonShadow = "96 208 14"	ColorBug.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Colors	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Colors\ActiveTitle = "80 197 41"	ColorBug.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	firefox.exe

NTFS ADS 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Sevgi.a.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\ColorBug.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Gas.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\L0Lz.bat.txt:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\IconDance.exe:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
784	NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
988	Sevgi.a.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	4992	firefox.exe
Token: SeDebugPrivilege	4992	firefox.exe
Token: SeDebugPrivilege	4992	firefox.exe
Token: SeDebugPrivilege	4992	firefox.exe
Token: SeDebugPrivilege	4992	firefox.exe
Token: SeDebugPrivilege	4992	firefox.exe
Token: SeDebugPrivilege	4992	firefox.exe
Token: SeDebugPrivilege	4992	firefox.exe
Token: SeDebugPrivilege	4992	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
988	Sevgi.a.exe
988	Sevgi.a.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe

Suspicious use of SendNotifyMessage 17 IoCs

pid	Process
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe

Suspicious use of SetWindowsHookEx 49 IoCs

pid	Process
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 4992	2224	firefox.exe	75
PID 2224 wrote to memory of 4992	2224	firefox.exe	75
PID 2224 wrote to memory of 4992	2224	firefox.exe	75
PID 2224 wrote to memory of 4992	2224	firefox.exe	75
PID 2224 wrote to memory of 4992	2224	firefox.exe	75
PID 2224 wrote to memory of 4992	2224	firefox.exe	75
PID 2224 wrote to memory of 4992	2224	firefox.exe	75
PID 2224 wrote to memory of 4992	2224	firefox.exe	75
PID 2224 wrote to memory of 4992	2224	firefox.exe	75
PID 2224 wrote to memory of 4992	2224	firefox.exe	75
PID 2224 wrote to memory of 4992	2224	firefox.exe	75
PID 4992 wrote to memory of 2708	4992	firefox.exe	76
PID 4992 wrote to memory of 2708	4992	firefox.exe	76
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 1508	4992	firefox.exe	77
PID 4992 wrote to memory of 2856	4992	firefox.exe	78
PID 4992 wrote to memory of 2856	4992	firefox.exe	78
PID 4992 wrote to memory of 2856	4992	firefox.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\37626322_1871171556512529_4700140521996156928_n.jpg
1⤵
PID:2272

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4992.0.980388429\1121758268" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1544 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8b4eb77-cce1-443c-b8c7-b9c37cf59ad2} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" 1796 1d96fbda358 gpu
    3⤵
    PID:2708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4992.1.429687645\1156453750" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {138de329-18d1-48d2-b698-b1497c91f427} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" 2152 1d96fafc558 socket
    3⤵
    PID:1508
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4992.2.840528036\812839103" -childID 1 -isForBrowser -prefsHandle 2844 -prefMapHandle 2988 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {49c4c223-d7d4-44bf-8533-18d8be0464d2} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" 2816 1d96fb5f658 tab
    3⤵
    PID:2856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4992.3.742837097\554182434" -childID 2 -isForBrowser -prefsHandle 3500 -prefMapHandle 3496 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8177153-f1d8-46a3-86eb-b607b76efc53} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" 3512 1d95d772b58 tab
    3⤵
    PID:5096
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4992.4.432894274\641134499" -childID 3 -isForBrowser -prefsHandle 4252 -prefMapHandle 4248 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9318808-7545-4d3f-a6f0-389e36aa439b} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" 4256 1d974ca5458 tab
    3⤵
    PID:3224
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4992.5.1544469125\304167256" -childID 4 -isForBrowser -prefsHandle 4800 -prefMapHandle 4820 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {43cae319-81e8-4428-9377-3f5ee6a6b352} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" 4848 1d976136958 tab
    3⤵
    PID:2748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4992.6.1675587795\932221408" -childID 5 -isForBrowser -prefsHandle 4976 -prefMapHandle 4980 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a908cef6-86b4-4974-b659-905716a018cc} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" 4968 1d976137858 tab
    3⤵
    PID:2528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4992.7.1707616962\965410784" -childID 6 -isForBrowser -prefsHandle 5176 -prefMapHandle 5180 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {43d7f6fa-f9e4-4282-87dd-f3cb8e1cbde0} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" 5168 1d976c70e58 tab
    3⤵
    PID:364
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4992.8.112550825\869976101" -childID 7 -isForBrowser -prefsHandle 1644 -prefMapHandle 5220 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {503a1b0e-a311-4084-91fe-4261cdccd75f} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" 5152 1d972413f58 tab
    3⤵
    PID:3044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4992.9.1344995403\88666686" -childID 8 -isForBrowser -prefsHandle 1644 -prefMapHandle 4468 -prefsLen 27407 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e1e4d2d-aec2-4392-8c38-3e69b235d03b} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" 4416 1d979b9f858 tab
    3⤵
    PID:4984
- - C:\Users\Admin\Downloads\ColorBug.exe
    "C:\Users\Admin\Downloads\ColorBug.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    PID:1896
- - C:\Users\Admin\Downloads\Gas.exe
    "C:\Users\Admin\Downloads\Gas.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3320
- - C:\Users\Admin\Downloads\IconDance.exe
    "C:\Users\Admin\Downloads\IconDance.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4156
- - C:\Users\Admin\Downloads\Sevgi.a.exe
    "C:\Users\Admin\Downloads\Sevgi.a.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    PID:988

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\L0Lz.bat.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\doomed\17671

Filesize
9KB

MD5
0b903712a5501d169d8dbee0799dbf27

SHA1
6821cd1cf8e9708ee5a10afd42d5269b8fa37f38

SHA256
04b25866f511a011c90bd5c8ea7986456263ea129fabe8a8a11d56a57e873cfa

SHA512
20d36e5cfd8ce4e866f985f30ebaeb0617b0e1f19bdb3d143d5220c19e41da5c8e9d18b920fd798e6fd5bcbd4fe49dabb6ccd26ffc1513854168bcd2ed6cb513

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\doomed\24600

Filesize
22KB

MD5
bbb659fb9a8bcb1614254d62afb2486c

SHA1
be095b61b27ef3699675d53a45a3073674206974

SHA256
363174190728cd6d123af99cd0015f08291150405f13c9ce50f365714e15541a

SHA512
52bf36cad515eb6a39dbccdc44fd87e6d9481b2edcc7db0bb6837cd0348391237be0aa7cf339833a0fca88efa33e5e6c00331a4b910bd0e3fa1190bc999de27f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\006D3DFABB7DD236CF8A44AA7E9CD9CA8F2EB2CA

Filesize
60KB

MD5
e3ab0d9aaba2ecb869b50592296a5c20

SHA1
6316110b5ad5e7616345bb881a4422249ec97d93

SHA256
b10a2f37a979b567153c2b75de72c069d1af8529521dc269c84c064efe59713b

SHA512
22c78947dd623d3b3423deb500e25eed659c4ca9df15ba77fe4091d54598dfac3eb0bccb2704fbb1d268c999a378e15bcc80ae223f6921b1eb4e86367b0d166a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\2492994A253B970917AF5CDF605580B1C2DC16A0

Filesize
63KB

MD5
2b30ffb22128303eba704274d6cfe5ff

SHA1
c67557fe13111009994dacc6c3dde59825680af5

SHA256
12993ffc5aee08d04e37a2401bae4f8bc4335d90ca81492827c4fb1e25750734

SHA512
c1498a1dee75403360328be0f0eb1e572718d04a1dd2f33d2f27679f3ebc94a2ab551a5f5363c7788f5600b606feda99705bfd5b1e948c1918381d99ba4e0f5c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\519BCA8D3AE219A5B894AD416EF90CFE45AEE07B

Filesize
14KB

MD5
73a1ef5e886f6a995753b56c9a4b2a77

SHA1
789c5b37e13e8851997b5436fe78887e93493ed5

SHA256
8bdd56eb9952dfaf1260a5931b37c16a265a0aeb216a8866c153839ba0667b53

SHA512
3efc75d757734ab75be3eca1c1472378c98b0fc724fb8d6ae0567a6a1b7df9c998a58f3b4087ae1930b42e015f54f63aa03fd69f2ac468b0c81bda9627fa9f2b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\5309AB1AF99AF2C672F1EB5BA2C3ACAE697CF77F

Filesize
165KB

MD5
0160808a6601b3674e946af899e7d614

SHA1
a1ca9e8ef86c0c31666bc753bd31e53ce9c9ead2

SHA256
4053c12100e741f1bb09866298bea958889c19ca1359a7054fdddef59e289852

SHA512
5e3248ad9e8f2112ed1575f77587594c2a203d31d830b70fbbbbe46cd7c32e2ae3789913acfbce95b5169356023fbe950e78a59d13d14b6f0a505b43fd56acf9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\5EAD13BBB5CBE47846E6C546F28FE2F53142499D

Filesize
14KB

MD5
6f398b29cb47bc4d32c22194abbe40ed

SHA1
db076d5197b1b9d0ad5623036b1a1a2f634641f4

SHA256
33cb62648af4eee234f8f1034ffa1f453a90819295edfeb63eb6c1dee126743e

SHA512
95090806df8b9b90431c396a7da780e61dd2b78ca566077291007f57e45fe924f9e573e466a0dc7fd151e197089c0cc307f691c094e1c82bce5aa17cbe801a4c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\71A5877A224793604405C071054D003E804BDD71

Filesize
17KB

MD5
067a8ff2acc0c51dd71e6ac425d876ad

SHA1
f92c7b955d4b4b2b11b2c22f0bc15ea2b86283ef

SHA256
38e6a5ec1f09175a5ebbd62daa0023c09a3cc8c2ff9ce8d9b58e6d92f6a144d0

SHA512
577b06c4d9832fd7b3e567653de4eff49dc5d9b74f34780d48c1f2cfd4f89003e2545742c90ca9e1c77e53e2781d2a054088d479262ca29d42edd91c6edf9d0d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\7F30F53457983F11F2D61636C9FB5706ED9AB60D

Filesize
16KB

MD5
463ddb2f51d45eb3bd032731b78f8bc6

SHA1
8bef2cbc2d5ddb10d1bd5f173d7ea45cefa156ad

SHA256
2c72ead20c9e5aafcb0cb743eee81f088ecefbb678a65dc54c685ba5dd3a5284

SHA512
cc328ed24413fe3466f517fed477478724a21aa88881efa9427e6ef3bbab6dca33d3e7ff924b8a0dc49eef888355bf00194df5c02fbc2f8f713091d592fe3d95

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\8D9D13D2F1E22A996B4AB1AB746108030CA8BFA4

Filesize
14KB

MD5
acac1c4790332ced1521d58698b77556

SHA1
d85b7309ad69ec394376401035899ed60f472503

SHA256
4647171452d3c1424872e4e381546682802b015076bbffff4aa7d249be0a274d

SHA512
665919079fa73232fdc32405571396c28a493134ab634b0e3e26f1de7d7989844539493eed71892e09b4fbb79ba61da256f314e47789d4bc0a6c03d03abdbb6e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\E6C22A3DFCD18E3C6145370266896FF76AE3F7EC

Filesize
90KB

MD5
6e4019c8d4e23349fda66c1e74fcd540

SHA1
c974ffe31347091d45d973e996b836b60621dc11

SHA256
2fa518e5c3d2edb83210fef6cefcf1d06a29ad1e569d8ce42a571b36a6a92516

SHA512
c7df2d694139a5ac4c1343616814133135b7358943636142dd0146d003e39f94d62a1dfd6194599a5706e182ea5f098c11a086178b54d3da508d7af7c11d1ff0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\EEF66EC3FA6C5051F87025E37140208CCFD36506

Filesize
148KB

MD5
25ef058a32630cbe3bc9a853bf243034

SHA1
502272335cb1335f3cc193c5edcf9f5e3d36267c

SHA256
9dff10a6a81d5ba082772a1611dc1b1f4f9cc1a24af668889864dd154b1c740a

SHA512
de8d503b75c5a80a086d2104c79b5ed76039f820b86ebe2e2b0364f44ae525e0c29b22ba720a589117f1aeca1ffe65525b4794babd947b871a41cf2793f8e1d0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\jumpListCache\YgO5QO13gsMtn3BRxrl+tg==.ico

Filesize
25KB

MD5
6b120367fa9e50d6f91f30601ee58bb3

SHA1
9a32726e2496f78ef54f91954836b31b9a0faa50

SHA256
92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0

SHA512
c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
7KB

MD5
168e8e163444b778d8a393b1104ac353

SHA1
063c91e9d5fb591e5b3f89e07fad42751521285a

SHA256
c3cccac8dd2a1cf74072890d3d974282071d117f2606de7d2eee45bf774ebd4f

SHA512
f9ce6fe501ecc4a6723e93d5f8fd56433e52e60ff321faea4df212b3edc39bebddb64cc67739bed8e8da7e2e9c13744c54535c7112ef047ae3d2aa6172749a90

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
887d6a8969078af6d07b537d429472ef

SHA1
23b41a1ef5edc38978d599ba562cf64855a8440e

SHA256
8f5a5df95e442371b2ac798e8c82b32313943299265446f77d621025a8b67c62

SHA512
6ab99354984ab4a9cec904566f803ff67ad0e1930e9094ad7daecdc275fa5779d688bc9b65f98c8b8814a44be1bd77a3b9ad14e64909c293c34f8989d8237da9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\1aa4479b-01b4-495f-9aa2-5f7cd6ddcd52

Filesize
746B

MD5
0158cc69d3406af3c3398826caebab9d

SHA1
5094ffd4f2c59b9f14e444779b09418b4ed57e5d

SHA256
205e79012e01e5fdfb8bb72b7ca273ac8166651b33d11762d883a90ae5e2f764

SHA512
f86d39813aefc02a6363bb2940732eec4d34943384caf96f33baa71c1b4209c8b155671e897cc7504c9ece8df0ecea1fa109a90095bd5cfd3db2a4a7d1698749

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\4499761f-b699-403d-99ec-4f353be00ac3

Filesize
10KB

MD5
b255fa6bdcff03714b05630e85c6fdbe

SHA1
e1ad019d4780e89e384bd2c08697afeb723a9421

SHA256
a74b6f35ccff2f84d1476771281d00cccf7ad065b1f78c50b80912fb388b9303

SHA512
c230d177df33ac4010f6b5f7a11b0feb7b0e8a89138fdbb659dbdaec67938e77d8efd4ca062a7b1da30b1744f62bf48d528dfa939d123ee34fe2621a4fd7fc7b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\5445c61e-6f21-440e-98b3-452ed08be9a7

Filesize
855B

MD5
2e9e9448cae879e4119f0bf62137aed9

SHA1
50b5b6fbf9cea5901076a1e4f58e4f2b895dc6d5

SHA256
365d9803bbe8bcebcf4a72a86da303cfe46a960c032bd69370424a23e37ab3ea

SHA512
36c862e259cac9556c2f22575555cdc3891797438ef645484741965c6378cbd2e8151d2e95f57889eca4e7420efc9d5e079dcd21fed19ad8b1ab925f87fa695c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\5bff6a6a-f624-49aa-a7b1-809c313337e4

Filesize
770B

MD5
5bd1b45965c8736d6596b0aaac1232b5

SHA1
d9f4b3b7f682feeff35a7a84136d30c2d0821333

SHA256
6c4e18d4e25bb0bcdb7d617528201881be113c5104bd26479a21bceb134d4864

SHA512
feb6d01ee8d167c8106788c461579b7adde915d242827c45c75d8d49d5441b467aca403d9bbbd39b6af58089798240835cfb40a0c106d98f23d5aefd59b54210

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
7KB

MD5
e11d4fef8c3cbc3366b1222eb7bd321f

SHA1
84a62bf3097be446a9db68d12c1382c07a0a731f

SHA256
fa95df5240ec7859741bdc3b4300fef19f7a2de352ad4370e91c8c0a38c18042

SHA512
f1382bc5e5fe74d0f0b6ccf0c09bd1d818ba976e5bab304333882bdbe418ebd4b5406f997532d3dcf7aea012a037636f7f27ca041bc309f8085501888fc2fea7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
6KB

MD5
9a9873a3541d0ce66800731d27718cdb

SHA1
a0b7953f1f747c4700dc11e736794311f5520898

SHA256
2c9d60cbd2b75f03013e28af831d1391d545709f453d8ae915593c9a7723da91

SHA512
1e15343f8e8222df9925b07a5bd07592ee8fe40d0f951f45afbea100223410faaad018cf09c7ff2f8726e244792adaba118c41acf35d17152dda0729ac30d0e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
7KB

MD5
fe49e9834cbaa2f2a510e1c1e86a6595

SHA1
07ec8f06d52f617867f76035de42fd7e8f8622f3

SHA256
7f521f252944f812cd9697b6a8667dc1a9da90f282ab1a98a1429ad138f53c0e

SHA512
8aad0a02799c99e0d87faa85afccb1c069591bac1ad2df55768ce9f62700adf65c70281421a4423af40f067fab41bf2e45608bd0c2131d67c0ab0084ea74acc0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
960b7bcc60cac2780c8cd4c387a7ac1b

SHA1
c2d268c63ccdecbcbf98e04bceca14074698d66c

SHA256
05dc233b54099226f7ed45dcb34d65cf5fdecdd544ab1c6de854fa126b858af8

SHA512
2bdb872adafdcb8605b18baa7a0e38296602e1323470ff35be4d8e59b8b2a861614400b526d3cf92135e5ab638a9bce118439637758b31fb8757752c2d7bc572

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
0596230672ee3ff0aa5e27a1685bc95b

SHA1
88ab5d12f22a4fe0d3a6499f9110dd179ffed60a

SHA256
44810a753b1ac4490b2d38cad3024a7df502e88123a15d7bbe0e35fe7e8e0ed4

SHA512
0941c6b04d45aed245d7cd1945d5542e5f87f3b3bc0a3a05dc3a9c44f8d4ee6ebbeb3bb9c4b07bad7f3daae5566f53c9da18fd5cb0523f630b91071e5a7eec3a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
20de615258cb490758f9b07b3f588bdc

SHA1
767b9f1a8e338d476646eba2bb3f34375998685c

SHA256
9628c420fb3b7d3b14ca318269a8a315df33fae499ebc542202f025decb95853

SHA512
64f8e59dd4dfa37143530d5083ae71adfc9260f8f389f8d70ad086e7f6e3ed599cf39e950c06b418f7508b5941ba74d20823af60e7d8bf94b70b809ead1a7b10

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
909c0cd8c487bb8a1be496d29f1ce195

SHA1
640403df1b3afa8fbfbd8a7a2bd26df748ea7e2e

SHA256
533866192bc6a074c9427f2de2432a3cb05a684bd87506776b8c161576eba978

SHA512
ebb4139e1194cc8739485c259c82ecb0580fd313c9a5ce109b568c6fea1c65dea5a8f94531bfeb6c725a3a6a78a0254463623493cd678289471523570b87081b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
a7d6e6cdd4cac6910b6a0ac971e32d7d

SHA1
552b945e4289a2edbbe01969cab8e1d346d847c7

SHA256
8a5238800a826072e179baa791f541ec83061bfde80e2a209b4e1ce19e5a4868

SHA512
4337a61421ac06d5b3f8b499e1f3dde075e54b61761c42c7c92bae606eb63a4a6b1b5cfe5e9b863933bcabed8e11cd5b94617425d56f9134db34747a3e454989

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
ef81e9213201b793767192c3bc165003

SHA1
521df91061b3d3c90cfa285f83e9dae508ffa734

SHA256
2a99ad373fc9a3817f1759574913d327d25613815870ca57d3ca1d3659a02811

SHA512
c8087588bcf56c492ed4be584dcd91d451d2322b6f22102a94bc35822e1266d54dbf6f259edc7c72fdc2634544f67e867c7f8100838f877a1d776e071049801f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
d1d453ae36631691fd2e3bcd572b0bee

SHA1
2f9e8c20ded8ae78c987b2a48c15cf921ff8e6f3

SHA256
1c17126a50ba97ffb72098996e7ed8008ce817a18778796d7fa114e2f2df3267

SHA512
ac2efa86fce46decf98f0cadd404f911762eebc5e69f02520c1865319f3b7b5fe17efab37d9292f203532f670a2f885c27ca3967b8c200e95d0f4a170fd90920

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
f17a9c3aed427f65a0c39b7e2316b3ab

SHA1
fc845199ceaecb4ad77c0ea35186a5408cd88c70

SHA256
4f5fb45f41c5348b4eefea4b250d3d71d3a5f5727340ce92af0c6b91cc32848c

SHA512
ca79d07d3d4d3a6c393fcbd784c53d4e732e366bb3a0d9648eb7affaf74bf18532f3054e59276c641c5726d4bdd6a8af411a188e8b22f7ec50a0c0bf85daf573

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
145acdb6f9a60c0fe14b42cac2e6cb00

SHA1
9793342c4e8fd6842ac2affd35436de1d63ae266

SHA256
715049e439641a25ce7288d24dcf49778509419cb51b94d0c2add4b95600abac

SHA512
e75fc63bd6c724f8278ce7948c9eba2477371ea000b2184d9b960d131fec8851c7a2d693741bd5937aa5292330879244868642bf67d2123c41b345b57314a224

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
41dcb613f2bcd3985825740b76deff65

SHA1
f4c719a7c7dac4b24bc5a83edd6fd1c27cbdb73b

SHA256
53fd1e92265aff4082efd7e19ca635c366337cb74babb849048ad8ba0713f592

SHA512
231fe6bc08d041787df81a2d482598c3ad5e85c5570f7a3c0ee2e475f164d36f81041439a97e68d262ca4db81fe561b97ec4f5fc7947a3bc6b1c3fd686f0b050

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
e91099f814766abfd848cc1d46833c3f

SHA1
f33290b7b41de700861c327656b9622f83ebe698

SHA256
1d06b09962a0be939f63f07d5d99d39f59fc05f88205a98c5075deae4219b3e9

SHA512
0379e395844296172ff0bbd10bf64c27d3ab20d32801d85d4e5aa096d3336283b8a97ef7e1bbb93bf4da7e3ed2436934a0d47624488fe1b3d3d4740489947460

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
e9a693899eb3a9aeb68884bcb1cafe0f

SHA1
697f0aa8258cc674af26593b2e799040afde930d

SHA256
a7868f0fcb8df2e2b7b09fd0ace18bc5b71a2d1fa9533b4898924b4de6dc2139

SHA512
e319f45387700631c94363708aa35d42239d8714e8bdc60a1fd5bdf01ef2c657e1e5d46adc2b189091a17feca9275b33f1afd3ff9e7eb543348efe781dfd6122

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
ea52b8c170b13107ef8cc849aab87d75

SHA1
539f56db533b453e3df27e1dee7527ab9cdc19e2

SHA256
a1ce5e0cea80e0a45d0db0e39b60e2bf71f194af978e7578b249c58409aba91a

SHA512
f5fe2fa9ea8b045fb0f78242a214b066c0eb479cb513b647680b949f124271e45fd2896429bf6c71e520fb2c1198d717ed49bae09bd373f54fb50f5993482e55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
d9212e2517cecced8f48222df9b109d0

SHA1
70226e281442051298f56fbc23ed2a20752f2672

SHA256
4c4710f601c760dfb82fc36ceaa2fe0f9108ffa35a928812bc6919a0f74c50f5

SHA512
4742db6a024dac8842d355a3d41abf738fb91ea247653f7c662ba1e317674bafedbecb53b6a80cf57a8d35d4eb17d0667e28110c8ab4103b35821578fa2157d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
caa88fd687558f906e39510869528842

SHA1
e07d381069ec187e1f631ca1b049e60868759151

SHA256
dc70f4a2d73d2c504758463b02801707194ac1f538ea9d0f52fa84ab58ec9858

SHA512
b7a0db0e4ff133d42758a0e7e89be14eb9b8f72559bdcf6bcf24f5fd68681f161302479c276d891a2982a7fb3861e2d573286845a85c8a5a2ae12860acdfea88

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
10KB

MD5
03ef64659121ba5bc0540e930134fb8a

SHA1
c44e87c4be8396491cc85b6389ddf4dc90ce8a76

SHA256
3c17f9c32a63e5f998c22bc47736203b6ec58573e03abeeedf331e07d1b5a4a5

SHA512
46e6c9558e32e4c36d5a7c95ea58a3de7e83ae18f0dbc2a44a99b2dfbb60f55420eac979bafe5b8c539b36a514104e443db2beba8c9abc92bd680339d9358649

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
192KB

MD5
a483f2733d880dd73cb5f9a3cf33b49d

SHA1
2bc845eef762a4a8c86db17fa9ffba01d3e66004

SHA256
aac392f1be9b358366998614d6ca19b80cdc1096c949e1af8ea6a69a831c0c0d

SHA512
6ea01ef12efb05b82f1e5cb8ac27c633ff7805ba8b8d105417a003c72293024bb45c49e1a601146576e96ddd75494aa4d3054bb0d1dbc6d23b3d074b4a66e00e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
f72c2c8a738f1bdd4a5e24326ff248df

SHA1
d60277881f6b36509d709948fcf7ed3ec3da74a6

SHA256
06575a0a693c9e0f265fcf03ee5b6ced4dd922ac999f5d767a9a7d92fb199082

SHA512
7fa2cc3e4f6e6f9c77fc12e188a0ef4e5dfd9079e1ddd2d689669513bd2e512136ac4485b34aa0ed8587c8cd519572d31eb2496b4091e229b6c339bf25c27d6a

Download Submit
C:\Users\Admin\Downloads\ColorBug.exe

Filesize
53KB

MD5
6536b10e5a713803d034c607d2de19e3

SHA1
a6000c05f565a36d2250bdab2ce78f505ca624b7

SHA256
775ba68597507cf3c24663f5016d257446abeb66627f20f8f832c0860cad84de

SHA512
61727cf0b150aad6965b4f118f33fd43600fb23dde5f0a3e780cc9998dfcc038b7542bfae9043ce28fb08d613c2a91ff9166f28a2a449d0e3253adc2cb110018

Download Submit
C:\Users\Admin\Downloads\Gas.exe

Filesize
18KB

MD5
e7af185503236e623705368a443a17d9

SHA1
863084d6e7f3ed1ba6cc43f0746445b9ad218474

SHA256
da3f40b66cc657ea33dbf547eb05d8d4fb5fb5cf753689d0222039a3292c937a

SHA512
8db51d9029dfb0a1a112899ca1f1dacfd37ae9dec4d07594900c5725bc0f60212ab69395f560b30b20f6e1dffba84d585ef5ae2b43f77c3d5373fe481a8b8fc3

Download Submit
C:\Users\Admin\Downloads\Gas.exe:Zone.Identifier

Filesize
50B

MD5
dce5191790621b5e424478ca69c47f55

SHA1
ae356a67d337afa5933e3e679e84854deeace048

SHA256
86a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8

SHA512
a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641

Download Submit
C:\Users\Admin\Downloads\IconDance.exe

Filesize
301KB

MD5
7ad8c84dea7bd1e9cbb888734db28961

SHA1
58e047c7abecdd31d4e3c937b0ee89c98ab06c6a

SHA256
a4b6e53453d1874a6f78f0d7aa14dfafba778062f4b85b42b4c1001e1fc17095

SHA512
d34b087f7c6dd224e9bfe7a24364f878fc55c5368ce7395349ca063a7fd9ac555baed8431bfa13c331d7e58108b34e0f9d84482ce2e133f623dd086f14345adb

Download Submit
C:\Users\Admin\Downloads\MlJscd0b.txt.part

Filesize
6KB

MD5
74f8a282848b8a26ceafe1f438e358e0

SHA1
007b350c49b71b47dfc8dff003980d5f8da32b3a

SHA256
fc94130b45112bdf7fe64713eb807f4958cdcdb758c25605ad9318cd5a8e17ae

SHA512
3f73c734432b7999116452e673d734aa3f5fe9005efa7285c76d28a98b4c5d2620e772f421e030401ad223abbb07c6d0e79b91aa97b7464cb21e3dc0b49c5a81

Download Submit
C:\Users\Admin\Downloads\Ys1QLYAJ.exe.part

Filesize
203KB

MD5
b28505a8050446af4638319060e006e9

SHA1
d3ddca0f06af4df29a9f9fadb6bad8504add5525

SHA256
750e37d1fdd64e9ea015272a0db6720ac9a8d803dc0caad29d0653756a8e5b17

SHA512
889dc35054f5adc5b5445fc90dae5e19fe95ee04432f5230994124b73f9a1fc4bb050aac789f4934c84ed42d8c063b8219563e33a48b92f10294b7d8e426b9f9

Download Submit
memory/988-937-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/988-990-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/988-1000-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/988-1006-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/988-976-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/988-972-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/988-1043-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/988-956-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/988-941-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/988-939-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/988-1159-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1896-736-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4156-891-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads