hxxps://github[.]com/JackDoesMalwares/Gocullinator

max time kernel
83s
max time network
337s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/JackDoesMalwares/Gocullinator

Score

8^/10

bootkit defense_evasion discovery evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
896	png.exe
1080	salinewin.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
60	raw.githubusercontent.com
61	raw.githubusercontent.com
62	raw.githubusercontent.com
63	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	salinewin.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 3 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\png.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\salinewin.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\salinewin(1).exe:Zone.Identifier	firefox.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	salinewin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings	firefox.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1108	reg.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\salinewin(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\png.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\salinewin.exe:Zone.Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	firefox.exe
Token: SeDebugPrivilege	2236	firefox.exe
Token: SeDebugPrivilege	896	png.exe
Token: SeDebugPrivilege	896	png.exe
Token: 33	1000	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1000	AUDIODG.EXE
Token: 33	1000	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1000	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2236	firefox.exe
2236	firefox.exe
2236	firefox.exe
2236	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2236	firefox.exe
2236	firefox.exe
2236	firefox.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2236	firefox.exe
2236	firefox.exe
2236	firefox.exe
2236	firefox.exe
2236	firefox.exe
2236	firefox.exe
2236	firefox.exe
2236	firefox.exe
2236	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2236	2104	firefox.exe	29
PID 2104 wrote to memory of 2236	2104	firefox.exe	29
PID 2104 wrote to memory of 2236	2104	firefox.exe	29
PID 2104 wrote to memory of 2236	2104	firefox.exe	29
PID 2104 wrote to memory of 2236	2104	firefox.exe	29
PID 2104 wrote to memory of 2236	2104	firefox.exe	29
PID 2104 wrote to memory of 2236	2104	firefox.exe	29
PID 2104 wrote to memory of 2236	2104	firefox.exe	29
PID 2104 wrote to memory of 2236	2104	firefox.exe	29
PID 2104 wrote to memory of 2236	2104	firefox.exe	29
PID 2104 wrote to memory of 2236	2104	firefox.exe	29
PID 2104 wrote to memory of 2236	2104	firefox.exe	29
PID 2236 wrote to memory of 2944	2236	firefox.exe	30
PID 2236 wrote to memory of 2944	2236	firefox.exe	30
PID 2236 wrote to memory of 2944	2236	firefox.exe	30
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2796	2236	firefox.exe	31
PID 2236 wrote to memory of 2900	2236	firefox.exe	32
PID 2236 wrote to memory of 2900	2236	firefox.exe	32
PID 2236 wrote to memory of 2900	2236	firefox.exe	32
PID 2236 wrote to memory of 2900	2236	firefox.exe	32
PID 2236 wrote to memory of 2900	2236	firefox.exe	32

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/JackDoesMalwares/Gocullinator"
1⤵
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/JackDoesMalwares/Gocullinator
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2236.0.1288512168\1283388064" -parentBuildID 20221007134813 -prefsHandle 1260 -prefMapHandle 1252 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ca07788-2412-4d27-a53d-ad4c9ef64023} 2236 "\\.\pipe\gecko-crash-server-pipe.2236" 1324 11dd7a58 gpu
    3⤵
    PID:2944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2236.1.507473685\370540494" -parentBuildID 20221007134813 -prefsHandle 1528 -prefMapHandle 1524 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {acf4a5b8-a2ea-4478-82a9-754a3135c16b} 2236 "\\.\pipe\gecko-crash-server-pipe.2236" 1540 d73e58 socket
    3⤵
    PID:2796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2236.2.575482349\391059238" -childID 1 -isForBrowser -prefsHandle 2260 -prefMapHandle 2256 -prefsLen 21811 -prefMapSize 233444 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {94288d72-fee3-42f2-851b-518bf23b6560} 2236 "\\.\pipe\gecko-crash-server-pipe.2236" 2232 d2f358 tab
    3⤵
    PID:2900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2236.3.548078369\59614604" -childID 2 -isForBrowser -prefsHandle 2928 -prefMapHandle 2924 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd053aaf-13c8-4bce-9fb0-574a1411b22b} 2236 "\\.\pipe\gecko-crash-server-pipe.2236" 2940 1d071258 tab
    3⤵
    PID:1116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2236.4.402662222\420473291" -childID 3 -isForBrowser -prefsHandle 3408 -prefMapHandle 3524 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {60fb5b61-e07e-4aab-82d3-65a6ffc2cc63} 2236 "\\.\pipe\gecko-crash-server-pipe.2236" 3736 1e897b58 tab
    3⤵
    PID:1112
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2236.5.627791792\2103947013" -childID 4 -isForBrowser -prefsHandle 3820 -prefMapHandle 3824 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6f80765-b0a3-484a-825e-ebf52a906d26} 2236 "\\.\pipe\gecko-crash-server-pipe.2236" 3808 1e89b058 tab
    3⤵
    PID:2576
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2236.6.1770064452\5989294" -childID 5 -isForBrowser -prefsHandle 4144 -prefMapHandle 4148 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {74e73e1c-dff8-4eab-b084-799ab7c4cab1} 2236 "\\.\pipe\gecko-crash-server-pipe.2236" 4136 2073e858 tab
    3⤵
    PID:456
- - C:\Users\Admin\Downloads\png.exe
    "C:\Users\Admin\Downloads\png.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:896
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
      dw20.exe -x -s 536
      4⤵
      PID:2252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2236.7.501456266\1429886704" -childID 6 -isForBrowser -prefsHandle 4636 -prefMapHandle 4628 -prefsLen 26836 -prefMapSize 233444 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1764e36-3be1-468e-a21c-24aeb55769ff} 2236 "\\.\pipe\gecko-crash-server-pipe.2236" 4556 205d1558 tab
    3⤵
    PID:2392
- - C:\Users\Admin\Downloads\salinewin.exe
    "C:\Users\Admin\Downloads\salinewin.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:1080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2548
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1108

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x500
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\activity-stream.discovery_stream.json.tmp

Filesize
28KB

MD5
b572e6cf499616585e0068f2150f7513

SHA1
42170c8fbee4d5f47696f0cd3ff0166b3889cd13

SHA256
fde059fecb068f5cb1bb4dcde21099c99f50a02724f4d5cf76525496a3f14c80

SHA512
b2ce443dc9dee8b5a1cb8c4fbc19a31de2edb41bb93a31879921e66fe2bc40a93ead6500ca3b4ffef5665c61c3a45b931fbacb56a6e2babaae25ddd777ef3c13

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\cache2\doomed\15753

Filesize
13KB

MD5
62eb9daf7e10d067f5372bfb0b9c27ca

SHA1
97a1576239ab0192245a11e1738b7cfc5eb8ce37

SHA256
083ddb0bb87755321841bf46b3ad31adfead591d64b11a7e4cef042a1b68bfa8

SHA512
146cd064075071935c8574d9b4feb41e087308e01a3764251f995377db2d88d07893821ff8e30162eaf2f96278776e113150ab97404b1a5753eac84f5272ed5d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\cache2\doomed\29713

Filesize
13KB

MD5
7e53f9926e7ba8ad1186d6c0fcb6e73c

SHA1
673b0c5d2e64cf17aee73339f2e8c61f7d539612

SHA256
2fae9a8c00a980ac1f8169299e8f111c3a0b392b977ebd57f1764d675d3de27e

SHA512
7f84da13eab9acd3391b23b1e5fd706cf4b6de41e4ae69f7bf2bf5298ab15e53a1b665859a3b27098584ee79e16a7c1d4637158b8ec3e517b316a4bc325873f1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\cache2\doomed\7415

Filesize
15KB

MD5
962839cbcac546a5417071b5f67859c9

SHA1
7ade5b648ee88ace5d584119b0cb2da92d891ed9

SHA256
8019f68298f9835e8ef89f4bae5a7ffe224bd226e885f5789ba5c5f64790b3da

SHA512
68ef25ef8a8e6840659322746bef17e47811612576b01da94c7c76ed5ca29d8e0290936ef28c9630b86cff7f770bb4e999843e35e6a09710ea76d2b7af03fc43

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\cache2\doomed\772

Filesize
22KB

MD5
c35b08ec6fb732b1448bce134a393575

SHA1
e90bf04af7cf66b30aac56819fc5d4a0f6a487e5

SHA256
a295bdf17fdbe6009f6bfd99a61c4b2068f9caff4932eee03f45b22a1e71bdc8

SHA512
a415d06f8bf2d65331714a24ec0a887336675194eb1e8fc0b947e7e822f8416c9b8ecb36da9842fcf7e48cef0010fbf777220fb8d09085982a1b460781271cf0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\cache2\entries\0F077B72026AEAD8CF051A3B6F0DCBE36D195821

Filesize
154KB

MD5
0394668b941632b6ca8b5c179fdbe324

SHA1
73805119e4e6cfa6fd4ff52f9aa1f2f3994d3bee

SHA256
d983f1bf1580658947eac01487fc9642126de64e8b715b7dfc1387d4e9bf88e5

SHA512
a5eeb2d2373d39b7f61a5d03c383fa241ad3d964b76630edf74bbb22e0b5ba13a7daf52dac4e524ac68e9452015d2d69a6feb921c90da49652bf7d8789c2ded6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\cache2\entries\145F35D7C090569BD5AA7EDD59B4BB259336BB40

Filesize
54KB

MD5
3508cb9658301b441d14cdf5464e5d5b

SHA1
2a632a404ec23e960df5493c7f0a46a4f7b92d2b

SHA256
2dbb6b56b1c8a9f727c03c584c0f7c0a048796662f11c63dfd60e78694552d09

SHA512
15da3075ab0b856c3258a0ee13096fecf829101a109e55c426425fe71fcf6778d58bc555702c101aa295481a795efb77426c92970ef2fada58a65b64ca374a09

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\cache2\entries\1E832660C129E2795F07540303D65956D46A9B2B

Filesize
56KB

MD5
763a0e5af7e47f71987fd717eecb3f4b

SHA1
336b15f01987efdc146ba637ebcf85196b14aaae

SHA256
290e453243836a6a0da96cc1db274d5c98776769aa9e4915f88392fbc393e34f

SHA512
d4fe9a995c3a9492d63e08667cf969cb49a6fd715bee7a3c55a2cdb10221830fe681be4a5f073b748a0fb2f2eb24558799c87b082303338d59742ec6d06ada99

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\cache2\entries\243A2F1FB4CE21DC659F8672508097CA07E166E2

Filesize
64KB

MD5
ff2047befb3b77cbebf7dddb9cd36b02

SHA1
68fc5ce5487d1abf64e70a4ad0a622927c35456a

SHA256
0bd922e1b51106001a7d2c6bd03ca4bd5e53ce6b9f71fab8f951f3b4900487cd

SHA512
c7a0279042360551656dd04f4089bc888da46faa819e0819199069c17d4672ff830e897e26d86de58bd6bc097c8311512daaa7d1d5fdff9432799727aacee8b5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\cache2\entries\2492994A253B970917AF5CDF605580B1C2DC16A0

Filesize
63KB

MD5
b23f5ab113786a991194051835d114c3

SHA1
61230a395016b264ca7b147c24a3b9553be7c5d5

SHA256
628885abfbba1371a9a52201ac138b104d807b0baa199613ebe5d6132155e662

SHA512
37b140d640fa2006ef446f2e832a4cd1bc2c2eba45f9dbef4f6dec5a3e34a103e6bdbefec84ffee2394a30ea02ac9517ccbd71756f3ac69433896f8fc02f0e58

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\cache2\entries\36E236217D9F25C7A86C9126F7388649F0D6BD2D

Filesize
18KB

MD5
54975aa2a5715302c9cc5b7bd6efb2ee

SHA1
ede7ff7c8a34281dc31f4b93bf25c4fac098a448

SHA256
9d590f1d16d0c473966c1c8df7673b5529dbd1a99ef0de6ba6769d028f65a0ff

SHA512
3d91bb8f4c4bddaf7f99c45adc97607965c659106b96e2d4030bfef36e267b1aee23bff79cc05bc537b0c85e216821d0f0361f6b2b7edf6435902cab986e6430

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\cache2\entries\49FF6AF014E74A221BC232435AAC5DF1535D6AA4

Filesize
62KB

MD5
815858738cbf1c26155b79bfa4bdb4d8

SHA1
8d93e74ac75fd2f9756a527ed99c2a6ea93beaee

SHA256
465a06d6339051d0d65b9537df03dddd39bdc276f6242defb0d3736ca25cb61d

SHA512
34601cfdb2e7e6326a5839384afec62c4e0d169cc2fb57afe3201440c5f6ec214f207cacb89cdd24c0116eb0db29e02f40dfa1e72e3e2d561ff80b258ac0c98d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\cache2\entries\56483F518B89154204BE37A0B4E165A6BCE7001B

Filesize
81KB

MD5
9411795ec1f57d67f7b18d7db998fd16

SHA1
065a658184baf4f18a052248bb40ef09f7076762

SHA256
89e20959d200494f76de8bbef6a17ae5e94e407d6f7398e98d8f792861cbca03

SHA512
69c7946c3d2cb1f41cffc7b4a0724382f957d9f478c6d52933a1776befdb290ba56809803605f32b2f9ee5980d0b866ec0741441923f4ed07f08fff63570d0a1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\cache2\entries\651B858F44220B774987EB7B73C3F9ABD3033E52

Filesize
157KB

MD5
14e81e9f9ef37051f516a3118f04e759

SHA1
bf8aa439c15d52c2945e79f322873f1e7e8767fc

SHA256
68f4882a4baa924377ae16107bd98c31f953fa1cd1dffe44448c6942a3bf6001

SHA512
5d6ca13195a8e0471be1c012ac3d4a6d034dbae4a538b508d42725cc43f7bfa0f2eea55eec6efe55f2e3383fedc43f4bf4808f1bb6c49434352e1b3a2ba5f140

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\cache2\entries\87448AF01C02E6C57DD2CD1ADC7CE77C921FA9CC

Filesize
17KB

MD5
403fb8a34d84bd87d40d8f484509d122

SHA1
14fef22da5fd2fe7befde6cc98e9bc4f528752d4

SHA256
a84206cf4b3f85bf044560dbc5034780a8f598fa333f207ca1873ff7d103a461

SHA512
649bbf3c6408c6b67b8c53c8c21e45dee5ea7eb57d4eb1091e074ace6bfdc29e2eff8b5a7687c14b85ea6d9029660969db49f6b6464e79c7ede66983719de5bc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\cache2\entries\90E315DCF5B2BC30C2545E8761A3B6990853FD46

Filesize
68KB

MD5
dbebc3e8948689058b20cd1ca2424055

SHA1
497e612485ac56da14dd859f366bf5badcb66bf2

SHA256
11c2e9f71295de7ce5c54f58d68d1814aa34fa723b204b0f3c6f523fcfefb3e4

SHA512
93d0fcd673d022fb90bf5e342819819702352c5afd07c9ffccb63a0a3d62afd6097c8f017c8866c6da8d559c824c2b1966e43ef1a0b461f18df057f2c984cc7e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\cache2\entries\D16479E925AF122292501EFEF9D2A14A47D3245A

Filesize
15KB

MD5
bc1be9b88d96c087fedd0792c6841ace

SHA1
4ed8f7c72a4c2c0c0c2ff07c6f1e4870277ed620

SHA256
01c91e0a6c9d02dd97b3afb3e6cd93034f57394e1b51bcbefb27a0fe6a6d26f6

SHA512
9eec54ece99ef87179c30d49d05e74946064b896e8f71ffa2cf1e92590d8acafa0b73ba20d70e27351662d02f38c0de7153c6b9f80aec90a5484a4aaa3ad3830

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\cache2\entries\E6C22A3DFCD18E3C6145370266896FF76AE3F7EC

Filesize
40KB

MD5
94c230434d150b5ed74bb7d1b105cea9

SHA1
744cb54d7f94f244f71c15fcbbf18c7a93253707

SHA256
88846884516ccd2bb9272570c45769952e29b5fcd0bccd589fcccd7a83c88be7

SHA512
b52ef3e5ff9f33bb2009696dcf9bc6ce7b3db9971d22f6be54e4cfa7178f1bbf98066bc224754d984eef8527eb023f12fc461c5acdfebc7adcc7e7757dd5ef68

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\cache2\entries\F6145FC8E80B38F02CB99236A33680978789AF55

Filesize
36KB

MD5
febc838698e17eea0595978e52410d27

SHA1
cd6a345ba080d7abbbf0429cb0cb898a14410b5c

SHA256
6e2d436c1d486c0a1b1de603ea128ad6ff3d5fa0aaaefb96e04602fd93dacb45

SHA512
7cf32ae297b90aafa7d740c8404b537c42ecb5037cf345f843c5d1185719ae42aa5c716c8e17496092f6f4eebdc852a74a7e1d3afee086a2fe41eebbfd029332

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\cache2\entries\F6B636132B8C3462018861F26B409677059564E5

Filesize
62KB

MD5
64bb56db247377169b4458951f365fd7

SHA1
bee5b3e13f42d5d3592c59d5ce6bb1b38897a6ae

SHA256
77bccbaf205b1063caece3901c50dd3acca8ed90795d034741445a70c73de4e7

SHA512
3bb6e2dbf91db11f5489781883044bb11f0dcfe6506c1e047c0ce9614fc236ab861b5a6713a075f14da7cffffd52ff031755b30a75a223fa0f92b46b1cc14286

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
13KB

MD5
fd7962a3019bac13a6bd305f3d23ac2c

SHA1
afb84dc17de6448e9a971fb99659b80cf3f25865

SHA256
e15b64ef4003d17ff09152826e4b7eea254ff6a1dd0fb2c8ba362aad3c2930ee

SHA512
605c7f903846d30b373359079afe58a668f5da759b3720247aab4e79b7479cc15aec009eb45b08aaf0db5460c3804f7f03152d02669a6cf23bf7c96f55da08d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
0cb31a673004aae489c0a62b71ac7164

SHA1
6a0441e1a815418352fc51e62094810788582e78

SHA256
2835ead04fc473f3a37c1027b189790f36346bd5088fbc8caab3a71ebd21b24a

SHA512
f19fa628c12a146d5dfc918477c2f6aace27d107569f97930b0a6f58133877e84172f470ad5477bf9da412ed7e8142966396a886609ae5c68a38b33437c5755c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\datareporting\glean\pending_pings\5210dea6-9dfc-465b-9476-6ac46ef91be3

Filesize
12KB

MD5
45d1b3fbeb875e22250bba97d80436ca

SHA1
1ba36a3cd18f8c39f1176743bbca124d39fea2b9

SHA256
286890f960eaec7042835f167f3b03f54b073e682448e91409e0145ad6a74e8c

SHA512
91003f9207ecbbb7afd7367da2182576a6aae68dfa3d7135caa0cdec57ac3fca28df175f520dd0d0ace273eca01a2f58a4dd7141148aef325e826bc4ac099c3a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\datareporting\glean\pending_pings\9b3b31f0-cfe6-42b4-b130-ed8c1feb389d

Filesize
745B

MD5
a019e7033957e44d96a20bdcac020b65

SHA1
f02eda0eaddea0055a77194568be1bd24b99c620

SHA256
f7652cb19e90753c09db08f4917b726b1c1323313b4f487e68a0d824cb74e028

SHA512
c45b6d555db60e89d3fb315e58d6066c203a9b1c687f25cc915feefa1c043039454faed23513930fc81a36fd2f125bfb94884087991cd92dc998663f981d6cd8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\prefs-1.js

Filesize
6KB

MD5
1be00eb5391e0b160cb2553f135af9b2

SHA1
e7c364b6baf1153106cea6717c8ce1b2716bb361

SHA256
458eacd84e67dee368fe85617b04fd96466c2dcfef43ae5606a1c37f0e0c97cd

SHA512
e8280672f67af2147d1b34b5d07a694e7ffddfad9573ce9751f2ee6eadb74bbf7cbe6705d7bd4839d07af0330e55be54bd1a84d1e64d9ed90c43ca5676d3a6b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\prefs-1.js

Filesize
6KB

MD5
eb510efbbf7dd1c272c8a888be528a50

SHA1
10b9c73fc0353d6407490e96fdb2a44d10364f01

SHA256
812de00bf07701e25e50913a44a5906773660fa43d468b9e957b313a0a0b3f4f

SHA512
04b9f8fa3e34ddc4db06271acdb4864aebb5fb73d3dc149e7af32157df4f46fc9ff072bbca4a690163776af0fe91aaf1f3b2fc0a820c022c0f8130003e6bba26

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
ff9138f82f52526ddfd504d7964d2eae

SHA1
4e67a99ef81929d46724aefd83442c577296ef51

SHA256
06eb9a4dda52b78d7b1f16c88cdbcb93bb49e73c68a8cc675d04a711175d982b

SHA512
a8bfbc2a589b566688910d401638a0707f57e6c0ea8544d6c145bef8f1fad65ffbbcd2218f289364e74044aee551f9a285dd95bb4d0a06c38a035e5d569b1624

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
f2d8112d69d146201115374735997edb

SHA1
9ac9a2998737e78c5b9ad4e73081811172706dce

SHA256
e5d7e88c27aae7a6b8cf05346175c40c92857d8186d63b66e332b594cd1ba4fa

SHA512
f208ad6abfa8932bcba7dd8aa329adbdb9fe0be086c08848d4db66c1ab7238f31a24db08684d26add74a02f4394d92a52287850038cd44f63ee4388e10c65d7f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
bc244796d15150fcbed338565340dbca

SHA1
e0114acd64618d46ea775b46cafb6489d7c6329d

SHA256
14384574bfa58caf8dd9344292d6538a4eb1734835db1e22ac10f88f56bc356f

SHA512
9a99ca092f32ec1cae3368d9e18c0c85884b00289d07a72355b5826ddae87dcef9527203700b0fe48e8d779fcae455dbe5d1d14563b88301e22b1f3630c5f370

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
a843c2a1855e5ee43ec0c5ff26c27cc7

SHA1
c8dbe2e1b5a8d35fa1eeea14f1922610e6325ceb

SHA256
bc89c46712572f6a3cea9aeebd5044baca866ae35c043d8290f1715634786327

SHA512
3393d5ed3e68c3f7cff6bd8e0b19e151b664d01d5e5f687ebbdaacfa081790f379da4d8d27866b7e5cb4ddf6454096629e64b8d5757592e68d0bb741f8747f7e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
bba11eb3dcdcf287c389c527b99bd145

SHA1
df2ce7e90191f4fa2aa81a7f4965c7f655f2a971

SHA256
c4b8a8603d1e1bbcae03fced9be5d089492c3219d15889dd8c6b0f44ff5bf6ee

SHA512
d49816ba82c4244c223040af403228acf78df43d69d2c4911cfa4d5984a57a4c443995fe9e0ef522aae058e4daaf2ff5e7f058ab0a0274c1f00d1b18b5b8b81a

Download Submit
C:\Users\Admin\Downloads\png.exe

Filesize
502KB

MD5
93b879a5817788358a28e6f615c89970

SHA1
1f9dd30bd0f91cd47a6aa456401e3fc4e12f6e28

SHA256
5901f42666b910e070c4289dcfd3724aab224e4b8a28a46aa6aa11bee0a3bcad

SHA512
796d87e324660c439351323e49c8c1f904e251ee0754018094453c228f97a3455e720530263d3083662eab07a293574396c605e86f02818170a9fc5f847cb3f5

Download Submit
C:\Users\Admin\Downloads\salinewin(1).exe:Zone.Identifier

Filesize
50B

MD5
dce5191790621b5e424478ca69c47f55

SHA1
ae356a67d337afa5933e3e679e84854deeace048

SHA256
86a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8

SHA512
a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641

Download Submit
C:\Users\Admin\Downloads\salinewin.exe

Filesize
283KB

MD5
2b1e9226d7e1015552a21faca891ec41

SHA1
f87fcbe10fa9312048214d4473498ad4f9f331ce

SHA256
7163fefbf2f865ef78a2d3d4480532fffb979300d6f0a77b6f3fc5c4b0d2cada

SHA512
1852f6d05c9fca962178bc190bc8c90f0ca54ea99714480690f44417e49eee6c392579091ae8a6cd053ec47ad1980dbbbc0db3e0e00520ee1bdbadbf8dc9d69e

Download Submit
memory/896-386-0x000007FEF4530000-0x000007FEF4ECD000-memory.dmp

Filesize
9.6MB

Download
memory/896-383-0x000007FEF4530000-0x000007FEF4ECD000-memory.dmp

Filesize
9.6MB

Download
memory/896-385-0x000007FEF4530000-0x000007FEF4ECD000-memory.dmp

Filesize
9.6MB

Download
memory/896-382-0x000007FEF47EE000-0x000007FEF47EF000-memory.dmp

Filesize
4KB

Download
memory/896-388-0x000007FEF4530000-0x000007FEF4ECD000-memory.dmp

Filesize
9.6MB

Download
memory/2252-387-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads