remcos | 27a48ee19bd16817e6b345db0497c3b1c7be49f6ddb1e6214af38a44b4a7e0e5

Analysis

max time kernel
162s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2024 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0000000000000212154548789889484119185531513321323215154664889744562245436884816184326414251.rar
Size

1.6MB
MD5

6a1737d98917b44ed8516619ec2b00dd
SHA1

1f2e71b431bc0d968e5fb04a3b243fced6205e62
SHA256

27a48ee19bd16817e6b345db0497c3b1c7be49f6ddb1e6214af38a44b4a7e0e5
SHA512

c64a4e77ec63538736706e85ec92cb4d40519ff5f286677bc235a5a04a59d51316cd3518dad2f6450c2c411270fb7f38ad495b9f09ecf93b973f80bd0b787f8f
SSDEEP

49152:iQWng0Uqk1O4HPgzir3uV4Oiq8ZU9+rdnVP/Q:iJg1b1Opir3uVj8ZLlVP/Q

Score

10^/10

remcos maloh discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

MALOH

octubre8.con-ip.com:7771

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-CGYV12
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
3980	0000000000000212154548789889484119185531513321323215154664889744562245436884816184326414251.exe
5512	0000000000000212154548789889484119185531513321323215154664889744562245436884816184326414251.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpeedDesignerEditor = "C:\\Users\\Admin\\Music\\SpeedDesignerUpdater\\SpeedVideo.exe"	0000000000000212154548789889484119185531513321323215154664889744562245436884816184326414251.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0000000000000212154548789889484119185531513321323215154664889744562245436884816184326414251.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0000000000000212154548789889484119185531513321323215154664889744562245436884816184326414251.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1876	OpenWith.exe
5512	0000000000000212154548789889484119185531513321323215154664889744562245436884816184326414251.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1624	firefox.exe
Token: SeDebugPrivilege	1624	firefox.exe
Token: SeDebugPrivilege	1624	firefox.exe
Token: SeRestorePrivilege	2020	7zG.exe
Token: 35	2020	7zG.exe
Token: SeSecurityPrivilege	2020	7zG.exe
Token: SeSecurityPrivilege	2020	7zG.exe
Token: SeDebugPrivilege	1624	firefox.exe
Token: SeDebugPrivilege	1624	firefox.exe
Token: SeDebugPrivilege	1624	firefox.exe

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
2020	7zG.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 796	1876	OpenWith.exe	89
PID 1876 wrote to memory of 796	1876	OpenWith.exe	89
PID 796 wrote to memory of 1624	796	firefox.exe	92
PID 796 wrote to memory of 1624	796	firefox.exe	92
PID 796 wrote to memory of 1624	796	firefox.exe	92
PID 796 wrote to memory of 1624	796	firefox.exe	92
PID 796 wrote to memory of 1624	796	firefox.exe	92
PID 796 wrote to memory of 1624	796	firefox.exe	92
PID 796 wrote to memory of 1624	796	firefox.exe	92
PID 796 wrote to memory of 1624	796	firefox.exe	92
PID 796 wrote to memory of 1624	796	firefox.exe	92
PID 796 wrote to memory of 1624	796	firefox.exe	92
PID 796 wrote to memory of 1624	796	firefox.exe	92
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 1500	1624	firefox.exe	93
PID 1624 wrote to memory of 568	1624	firefox.exe	95
PID 1624 wrote to memory of 568	1624	firefox.exe	95
PID 1624 wrote to memory of 568	1624	firefox.exe	95
PID 1624 wrote to memory of 568	1624	firefox.exe	95
PID 1624 wrote to memory of 568	1624	firefox.exe	95
PID 1624 wrote to memory of 568	1624	firefox.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\0000000000000212154548789889484119185531513321323215154664889744562245436884816184326414251.rar
1⤵
- Modifies registry class
PID:4280

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\0000000000000212154548789889484119185531513321323215154664889744562245436884816184326414251.rar"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\0000000000000212154548789889484119185531513321323215154664889744562245436884816184326414251.rar
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa087f7d-7058-4fbb-b0b7-4bdbb2699c10} 1624 "\\.\pipe\gecko-crash-server-pipe.1624" gpu
      4⤵
      PID:1500
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2400 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1e0aa2b-efdf-4fb8-ace7-cf811b3ae2a3} 1624 "\\.\pipe\gecko-crash-server-pipe.1624" socket
      4⤵
      PID:568
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2748 -childID 1 -isForBrowser -prefsHandle 3016 -prefMapHandle 3244 -prefsLen 24741 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8e8f934-7182-42f1-91af-03dbb1fc259f} 1624 "\\.\pipe\gecko-crash-server-pipe.1624" tab
      4⤵
      PID:1100
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3836 -childID 2 -isForBrowser -prefsHandle 3628 -prefMapHandle 3540 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {843e047e-59f5-476f-b0d8-e3029ce98508} 1624 "\\.\pipe\gecko-crash-server-pipe.1624" tab
      4⤵
      PID:2364
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5080 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5028 -prefMapHandle 4992 -prefsLen 29197 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13752c3f-53d6-4248-be79-50aa760218b2} 1624 "\\.\pipe\gecko-crash-server-pipe.1624" utility
      4⤵
      Checks processor information in registry
      PID:4132
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5112 -childID 3 -isForBrowser -prefsHandle 5260 -prefMapHandle 5256 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a434b272-5955-45ef-a8b8-f4e572cfdb20} 1624 "\\.\pipe\gecko-crash-server-pipe.1624" tab
      4⤵
      PID:5308
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 4 -isForBrowser -prefsHandle 5456 -prefMapHandle 5452 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa986d88-1828-401c-8d93-a3e8ae1b001c} 1624 "\\.\pipe\gecko-crash-server-pipe.1624" tab
      4⤵
      PID:5328
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5676 -childID 5 -isForBrowser -prefsHandle 5684 -prefMapHandle 5688 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9ebf261-b244-41ad-9f59-3702ddedc4e7} 1624 "\\.\pipe\gecko-crash-server-pipe.1624" tab
      4⤵
      PID:5344

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2428

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap31082:244:7zEvent30743
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2020

C:\Users\Admin\Downloads\0000000000000212154548789889484119185531513321323215154664889744562245436884816184326414251.exe
"C:\Users\Admin\Downloads\0000000000000212154548789889484119185531513321323215154664889744562245436884816184326414251.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:3980
- C:\Users\Admin\Downloads\0000000000000212154548789889484119185531513321323215154664889744562245436884816184326414251.exe
  "C:\Users\Admin\Downloads\0000000000000212154548789889484119185531513321323215154664889744562245436884816184326414251.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
132B

MD5
24e3b60bc853b059350d6afa2cb893b2

SHA1
83ce221a8acafcd84ef7a0268bcfd371bb93c8d5

SHA256
3693d2ddd9382e007d5a529c539c4151216918844e7d4b493e81841b49053320

SHA512
3ffca217368c18649c2c22e8612f5f7796743fc9696308e39c650e51692bf3791b7ef2283b49494814873506c2bf1b49f9f8315167682c5648ecfd334af77769

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\activity-stream.discovery_stream.json.tmp

Filesize
19KB

MD5
dd991f6a90a0a26e8ba06814172f37a7

SHA1
5b68b93cb339583e7c4897bd16af131adc8932e3

SHA256
75d49f759da1550dde47e9b196c500beeff18097234c19c6b5eb473c4f231cb7

SHA512
850aa77373538ee0b81c6918b2a69bedadc165ba117f997488d1ca54c6604650813a7c037250a5222560d2f46a66e9392be96d6b0fbc6b8154c16e82c25e9bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin

Filesize
8KB

MD5
61560f1ef9f7cf3ecaffce649eddbcde

SHA1
209c1bbd84b5440c9dc3eaea2dec8d5cb5d43308

SHA256
595bdb0ca3ce0f888f84ba1c3048a48c74fdd4d9bc93091a2ef55526c34a318e

SHA512
a79d62623c15d585a72198392068020826bcafa0cb7a35a74895b37c3e50c7bc6b29e322bdc3cec9ae42ef4a53dccc10c3323e4f1eb03d58c09c281bc35a2742

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
346dd2a4310813ef38f67689c7ce9719

SHA1
1ff902ea634cbe0552831e73a7f8bcf76001412d

SHA256
5fdedbd348abd0d35cc206cdc7891e1e84ab8cc81c59415c57f23ab5a67e6962

SHA512
c4b83def7899adda8dcee1b5fa87a85d8a0c221ca0722e21f3b776fd8e2538d952fed9a26dd8ce500f604ce53393f663b5f8c43ee334b5c6239ad62b830c50dd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

Filesize
3KB

MD5
564d5baa9c3c2e4eb9426725cdf45f97

SHA1
c0d26c1c13d97b969bb2658d4d2e0c1b678911ac

SHA256
22575c377a55c7cd7decaedf9175a735f194f03c6b7e4428ae05eea8cb9a2f34

SHA512
430b4c7fcadb0c3cb267f6db896fbc37ff91649af1020ab4b1358ea1a0d5950cc2a6db973c7dca3adc4437822eec96aabb9725c0b705f25f94b49d42151bf17c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
870494c1b734f7e24af8fd7c0f9d19b3

SHA1
d01f911b960d5ddde22fd63fd1609ee24a3c3cb3

SHA256
d4759d3c63149b2f4811ac734f24eee01e0fcb9aee0f1030763f7e9de7af9897

SHA512
dbc2086cdefa8139d0db0c35ec1f7458551ced42996a38e2490f7a0f53a1fc4613d1d5812407d2a42f06b589d22d7c38af00e01f8d298ac3ad04ba6f93e01cd5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\3a6035c1-225b-4051-b207-7d16e4245580

Filesize
982B

MD5
f596f323aa3750af24f032ca04a961ad

SHA1
4435325c986b4ea598b3d9b7abaca8d03a8f3636

SHA256
7c5c04a562e721eae38073b7ba1c70d5ff3b7433238ca7734371c791adce0e94

SHA512
662e8cf34bdcc5ac88f59227e55b7eb57910d3a49e2a382d49fa086299b8b7472493935240d5532242a50e0c6551bb1744f8fb2a64566cf0c5b3ff76f0396d26

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\4f73e66b-10f7-4568-9265-00c70518eb5c

Filesize
671B

MD5
7e24112da3fc84d31db7c20e658e487d

SHA1
31cfaa4d878cc80d30583f4f7f868cabcef9e8e2

SHA256
8deb8b628e3553a6756d1479e9ee815dba8c85f7cb8d6b3198602dbfcb303fdc

SHA512
e2e46d9f324e58ad441111a7ebb9a10d4aad4e3302b90d5f059b402a8f97289f95e1bef3f205666325be9da3b058310f1822a1b3d9f1958a1e9cc764b2c931eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\d9444492-17c7-47d0-8f26-72a49bb09363

Filesize
26KB

MD5
644219a7ae78dd040efb5d7819fd484d

SHA1
5d0619f7e01b748dda483fb668c544936fc6c0fb

SHA256
9450a008f640666bacc6a6b98e89685536eb42c3d0a9af6ba48d0b0e27b1144b

SHA512
5594093a59b3a35e1e0cdc19426980837d361b052b6f4bffa0392e1fbb03ecb10a0ba991616d6ae68208023f6dccb831bde6e0ddbaa5e9e4fbce5262b6485cbb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs-1.js

Filesize
12KB

MD5
b56a3c66101be0e2e2f8b66bebf3ad80

SHA1
255335d6e1107173451b74ba2213252a882217d0

SHA256
326eb60c87f663d218e6e493f18c9bc5562e82878eea6d02915d9bd70b596548

SHA512
bd7275bc764ea67454c9adb160fea09ca93e4d0ac4607ab4fe7be85ea2d8104763119a4783e4bd8c1236b2dee38b0bf25777c9f32548cf629df064e2c8e5a902

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs.js

Filesize
11KB

MD5
321efbbadb071949238ba8357178b078

SHA1
34efde68b1961d026885b8d35f8cb6635e7c93b3

SHA256
29369784e8227d158d732b116ed4cd5683e5aef13113933dbdbb2dee6c0518df

SHA512
e69be43fa13916fc7ff6d8f0673eedf7aac2b379457594863f0ca3113e2ef5f0d425538b808eb072d86a6b99aed72b24b3380ec69598c734012be3efaf217a7a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs.js

Filesize
10KB

MD5
c8d02c8eed1c402895e9883153666dfe

SHA1
9a1cae86bad7e0064d344594695e218c929bf8b7

SHA256
01b23a5dc4554ea1b2bcf8b3a01b6ac171f43c4342d1f90cdaeb40e0b06a563d

SHA512
65da3905a9698797f6117169d1a7e6e78c0e58b4b8697e61ed3b79bbcdc3afd47278259040a82bd9822cf51425dccf49c45d4b53fa9cfbdfde5f1610696ef865

Download Submit
C:\Users\Admin\Downloads\0000000000000212154548789889484119185531513321323215154664889744562245436884816184326414251.exe

Filesize
4.5MB

MD5
34ee6b8d2c0578e18dd75c52678b81ce

SHA1
6d552c784b281b8587d7e17e0c59b4d997a654e9

SHA256
d41f8ae0df709b0243db420707a5d87d45eec903ad2fda40a03963b958f83a18

SHA512
dff0f8cfb91cbc59364c8eff3a318814ac696bc99947804bd1c325d8fc3ac424a1932af4651115a26dfeda8a02b42ce3a76175c9e07c8afb48120b3f5224b24a

Download Submit
C:\Users\Admin\Downloads\arIujOno.rar.part

Filesize
1.6MB

MD5
6a1737d98917b44ed8516619ec2b00dd

SHA1
1f2e71b431bc0d968e5fb04a3b243fced6205e62

SHA256
27a48ee19bd16817e6b345db0497c3b1c7be49f6ddb1e6214af38a44b4a7e0e5

SHA512
c64a4e77ec63538736706e85ec92cb4d40519ff5f286677bc235a5a04a59d51316cd3518dad2f6450c2c411270fb7f38ad495b9f09ecf93b973f80bd0b787f8f

Download Submit
memory/3980-420-0x0000000000400000-0x00000000008D1000-memory.dmp

Filesize
4.8MB

Download
memory/3980-422-0x0000000000400000-0x00000000008D1000-memory.dmp

Filesize
4.8MB

Download
memory/3980-417-0x0000000000400000-0x00000000008D1000-memory.dmp

Filesize
4.8MB

Download
memory/3980-423-0x0000000000400000-0x00000000008D1000-memory.dmp

Filesize
4.8MB

Download
memory/3980-379-0x0000000000400000-0x00000000008D1000-memory.dmp

Filesize
4.8MB

Download
memory/3980-419-0x0000000000400000-0x00000000008D1000-memory.dmp

Filesize
4.8MB

Download
memory/3980-418-0x0000000000400000-0x00000000008D1000-memory.dmp

Filesize
4.8MB

Download
memory/5512-432-0x00000000008E0000-0x0000000000962000-memory.dmp

Filesize
520KB

Download
memory/5512-444-0x00000000008E0000-0x0000000000962000-memory.dmp

Filesize
520KB

Download
memory/5512-421-0x00000000008E0000-0x0000000000962000-memory.dmp

Filesize
520KB

Download
memory/5512-427-0x00000000008E0000-0x0000000000962000-memory.dmp

Filesize
520KB

Download
memory/5512-429-0x00000000008E0000-0x0000000000962000-memory.dmp

Filesize
520KB

Download
memory/5512-435-0x00000000008E0000-0x0000000000962000-memory.dmp

Filesize
520KB

Download
memory/5512-436-0x00000000008E0000-0x0000000000962000-memory.dmp

Filesize
520KB

Download
memory/5512-437-0x00000000008E0000-0x0000000000962000-memory.dmp

Filesize
520KB

Download
memory/5512-443-0x00000000008E0000-0x0000000000962000-memory.dmp

Filesize
520KB

Download
memory/5512-425-0x00000000008E0000-0x0000000000962000-memory.dmp

Filesize
520KB

Download
memory/5512-431-0x00000000008E0000-0x0000000000962000-memory.dmp

Filesize
520KB

Download
memory/5512-464-0x00000000008E0000-0x0000000000962000-memory.dmp

Filesize
520KB

Download
memory/5512-465-0x00000000008E0000-0x0000000000962000-memory.dmp

Filesize
520KB

Download
memory/5512-473-0x00000000008E0000-0x0000000000962000-memory.dmp

Filesize
520KB

Download
memory/5512-472-0x00000000008E0000-0x0000000000962000-memory.dmp

Filesize
520KB

Download
memory/5512-485-0x00000000008E0000-0x0000000000962000-memory.dmp

Filesize
520KB

Download
memory/5512-484-0x00000000008E0000-0x0000000000962000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads