8279696c1d78b14618500e9135886a3667b9decc65946f3729002e4bfdbb20ab

Analysis

max time kernel
2648s
max time network
2502s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rufus-4.6p.exe
Size

1.5MB
MD5

8fe64da09af371b02a31828415ece8f3
SHA1

5b5c90dcd425c814b555a4567405601aa977ee0b
SHA256

8279696c1d78b14618500e9135886a3667b9decc65946f3729002e4bfdbb20ab
SHA512

e49f9b1c9d33364101ad2fd4f2c5ed030700cc941bb469cf2ce7d5b32c51cab9e62b265e05cbd92435453e7e4008c9990bea532298676f7d81e5d6dcdc2f590b
SSDEEP

24576:H8U9+A6KdMt7ZRuYfuv9dTWGNj0GvXFGfkRssBUEt3kRQrf7zSIBDICweAVdEY2Y:cUUvltf6SGd/FGfIsTE665h0dEY2nY

Score

5^/10

steam evasion phishing trojan upx

Malware Config

Signatures

Detected potential entity reuse from brand STEAM.
phishing steam

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	rufus-4.6p.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rufus-4.6p.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rufus-4.6p.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rufus-4.6p.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rufus-4.6p.exe

UPX packed file 38 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3444-0-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-51-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-59-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-60-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-62-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-63-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-80-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-82-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-83-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-85-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-86-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-88-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-89-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-91-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-92-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-94-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-96-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-97-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-99-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-101-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-102-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-107-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-110-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-114-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-117-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-121-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-124-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-128-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-131-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-137-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-138-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-144-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-148-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-152-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-157-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-160-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-163-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx
behavioral1/memory/3444-177-0x00007FF748790000-0x00007FF748BFE000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceState\WinHttpAutoProxySvc\Data\cachev3.dat	svchost.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rufus-4.6p.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 17 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters	rufus-4.6p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	rufus-4.6p.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	rufus-4.6p.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	rufus-4.6p.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	rufus-4.6p.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	rufus-4.6p.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	rufus-4.6p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	rufus-4.6p.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	rufus-4.6p.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	rufus-4.6p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	rufus-4.6p.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	rufus-4.6p.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	rufus-4.6p.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-81-e6-88-f0-f0\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-81-e6-88-f0-f0\WpadDecisionTime = e6bba25ec63adb01	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-81-e6-88-f0-f0\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-81-e6-88-f0-f0	svchost.exe

Modifies registry class 29 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	rufus-4.6p.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	rufus-4.6p.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	rufus-4.6p.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rufus-4.6p.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	rufus-4.6p.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	rufus-4.6p.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rufus-4.6p.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	rufus-4.6p.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	rufus-4.6p.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	rufus-4.6p.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	rufus-4.6p.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rufus-4.6p.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rufus-4.6p.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	rufus-4.6p.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	rufus-4.6p.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	rufus-4.6p.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	rufus-4.6p.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rufus-4.6p.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	rufus-4.6p.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	rufus-4.6p.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rufus-4.6p.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	rufus-4.6p.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	rufus-4.6p.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	rufus-4.6p.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	rufus-4.6p.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe1000000050ef5e839818db01165740b39e18db01ef981c45c13adb0114000000	rufus-4.6p.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rufus-4.6p.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	rufus-4.6p.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	3444	rufus-4.6p.exe
Token: SeLoadDriverPrivilege	3444	rufus-4.6p.exe
Token: SeLoadDriverPrivilege	3444	rufus-4.6p.exe
Token: SeLoadDriverPrivilege	3444	rufus-4.6p.exe
Token: SeLoadDriverPrivilege	3444	rufus-4.6p.exe
Token: SeLoadDriverPrivilege	3444	rufus-4.6p.exe
Token: SeLoadDriverPrivilege	3444	rufus-4.6p.exe
Token: SeLoadDriverPrivilege	3444	rufus-4.6p.exe
Token: SeLoadDriverPrivilege	3444	rufus-4.6p.exe
Token: SeDebugPrivilege	2368	firefox.exe
Token: SeDebugPrivilege	2368	firefox.exe
Token: SeDebugPrivilege	2368	firefox.exe
Token: SeDebugPrivilege	2368	firefox.exe
Token: SeDebugPrivilege	2368	firefox.exe
Token: SeDebugPrivilege	2368	firefox.exe
Token: SeShutdownPrivilege	2716	svchost.exe
Token: SeCreatePagefilePrivilege	2716	svchost.exe

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
3444	rufus-4.6p.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe
2368	firefox.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
3444	rufus-4.6p.exe
3444	rufus-4.6p.exe
3444	rufus-4.6p.exe
3444	rufus-4.6p.exe
3444	rufus-4.6p.exe
3444	rufus-4.6p.exe
3444	rufus-4.6p.exe
3444	rufus-4.6p.exe
3444	rufus-4.6p.exe
3444	rufus-4.6p.exe
3444	rufus-4.6p.exe
3444	rufus-4.6p.exe
3444	rufus-4.6p.exe
3444	rufus-4.6p.exe
3444	rufus-4.6p.exe
3444	rufus-4.6p.exe
3444	rufus-4.6p.exe
3444	rufus-4.6p.exe
3444	rufus-4.6p.exe
3444	rufus-4.6p.exe
2368	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 2368	4504	firefox.exe	142
PID 4504 wrote to memory of 2368	4504	firefox.exe	142
PID 4504 wrote to memory of 2368	4504	firefox.exe	142
PID 4504 wrote to memory of 2368	4504	firefox.exe	142
PID 4504 wrote to memory of 2368	4504	firefox.exe	142
PID 4504 wrote to memory of 2368	4504	firefox.exe	142
PID 4504 wrote to memory of 2368	4504	firefox.exe	142
PID 4504 wrote to memory of 2368	4504	firefox.exe	142
PID 4504 wrote to memory of 2368	4504	firefox.exe	142
PID 4504 wrote to memory of 2368	4504	firefox.exe	142
PID 4504 wrote to memory of 2368	4504	firefox.exe	142
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 1156	2368	firefox.exe	143
PID 2368 wrote to memory of 4532	2368	firefox.exe	144
PID 2368 wrote to memory of 4532	2368	firefox.exe	144
PID 2368 wrote to memory of 4532	2368	firefox.exe	144
PID 2368 wrote to memory of 4532	2368	firefox.exe	144
PID 2368 wrote to memory of 4532	2368	firefox.exe	144
PID 2368 wrote to memory of 4532	2368	firefox.exe	144
PID 2368 wrote to memory of 4532	2368	firefox.exe	144
PID 2368 wrote to memory of 4532	2368	firefox.exe	144

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\rufus-4.6p.exe
"C:\Users\Admin\AppData\Local\Temp\rufus-4.6p.exe"
1⤵
- Drops file in System32 directory
- Checks whether UAC is enabled
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3444

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1704

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4628

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a222142-70bd-4269-9bc9-5cd4af9e1eac} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" gpu
    3⤵
    PID:1156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce123ceb-0766-4e32-8736-fc0bae4a68f8} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" socket
    3⤵
    PID:4532
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3148 -childID 1 -isForBrowser -prefsHandle 3152 -prefMapHandle 3212 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6f9d421-5ca3-4cc3-a31d-d398c24f427a} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" tab
    3⤵
    PID:3684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4308 -childID 2 -isForBrowser -prefsHandle 4300 -prefMapHandle 4296 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c9a2b9b-e6dd-4fae-a7be-292fde78abc1} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" tab
    3⤵
    PID:2888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4880 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4836 -prefMapHandle 4912 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67865a1a-5871-40a7-872c-55a6dbeca1b3} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" utility
    3⤵
    - Checks processor information in registry
    PID:2960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5236 -childID 3 -isForBrowser -prefsHandle 5232 -prefMapHandle 5228 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3356bfa0-5200-48b1-b0d4-2d14b55295a2} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" tab
    3⤵
    PID:1544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5412 -childID 4 -isForBrowser -prefsHandle 5488 -prefMapHandle 5484 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d75679f7-0380-4952-b593-5f87413b3ea8} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" tab
    3⤵
    PID:2156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5608 -childID 5 -isForBrowser -prefsHandle 5660 -prefMapHandle 5652 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16ac00ba-d6b0-4234-adaf-efcb9f2fa8f4} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" tab
    3⤵
    PID:2420
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6096 -childID 6 -isForBrowser -prefsHandle 2768 -prefMapHandle 3032 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d028c42d-44b5-43bc-8d30-0f98012396f5} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" tab
    3⤵
    PID:4704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5348 -childID 7 -isForBrowser -prefsHandle 5304 -prefMapHandle 5356 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9aab8abf-4b32-404c-9297-ac8113620c52} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" tab
    3⤵
    PID:1992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6424 -parentBuildID 20240401114208 -prefsHandle 6468 -prefMapHandle 6440 -prefsLen 29357 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {38592c2d-c7c9-4191-81eb-fa774e1e1266} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" rdd
    3⤵
    PID:2868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
28KB

MD5
ed5149f2844d8ad2cc9d5f8ede97ce85

SHA1
f4cad78932af886f4b4e7d6c2b9e7966386f3db2

SHA256
868dc43586ae1fdbbdd6a37ebcb93712a654debae00b1468cb881dfb0e793594

SHA512
82757c76cfd6dea79f0d2eeb8091342f80c76a7d333ba1e13e5956405cee000a10ccbc8a8db77e43657b064561be051b69119b487125ea4c5d0bbd8cfaf93456

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
28KB

MD5
b5dc2767786ea9f76b0b3df243222054

SHA1
23a7dbd0737a7ad9f5b833a33b38408c819d9956

SHA256
9bd5e23a7b0408f55c9368d8843fe073f2d56dbadaa59ba328ef53ff88625542

SHA512
cddddffda816afab786ee472c43c4ad1ceebc73e59d43487a37426bef907990aa08aefa4280015b430f435432aaa2e0e1b49ea6b3d38f80e1e325891ee3efc24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
28KB

MD5
9e3878180b070d5f34c6e58b1fe58dd0

SHA1
e8386509105f35e52a0ffabb5de81569414bcd6a

SHA256
5290a76c8b2e51a1c3f1b365195bdffe07bc13385d90ecabaefe2bb7a1fd9947

SHA512
275096984713f00898a9b693fce29f9d46219d530f79db59d70f72f8c5952d69bfb929ab8d6a7f713bc683080f6261731558aa7510e7201b9949b19ef57ae9f4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\activity-stream.discovery_stream.json

Filesize
18KB

MD5
0036de04dc865508af096293b31238f8

SHA1
24486c66e499875dba5c5fa431dd30155547a047

SHA256
20fc5b254d61dfa70ba92f3dd6c5c0686e857f84a26e60f742ae5344a72730b0

SHA512
4203c53f66df62e99bdcfe1c07525c3d32b4005de7e15140a27841e41f2d52d68ed06f74bd9eabdc6e1176df84e225edef26fed099ae5dd5d3b33f2b41d3d60f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\4DC8F91AE42AC2746A419318BB9EA6F9A6879CCF

Filesize
13KB

MD5
46a8f33b874bbe8538d129144e20bfd0

SHA1
db08abdd04df551ad58b8414e3cfe823f4d6fe93

SHA256
1449b3be190e29ca1200e18dc569faaa07fc1ddd084e6014d93e1ac1d912943f

SHA512
9af0c90f645d21d0ebd09acee31c7682339a475a3fb6fd4965b15cd0f1548e11da7f164755278203ac48ab4cca114aab6791c18544f8381ac169dffd3af1211e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
14KB

MD5
6858c5182f4e679630a98eb0502b09a9

SHA1
4669fcf0df5a10fdad7d34a1f6aa036537753149

SHA256
1dc03a74a08d81e1db5b45ab0a391c3f86a61f1e94dff030c4addab6b1c09e5f

SHA512
315df233476e44ee7910d8377c5c970e0c4071c6044c7392fadc6abf99b161fc8d1b28c2ba366e7a2dc07bed33b28527544df58661bc7791a901600cef2860db

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\7943793AD6EF12CA229A1DF7A721B44C210BBC82

Filesize
40KB

MD5
722b380ddd3f5b0b4f3bba61dd811a3c

SHA1
1cad4fcf6dbe44815beb895ce3d2267b630533ed

SHA256
e8aacba12c5c8f06b8df8415762624c3904f3e7b26d4cf53a06e4bed654033db

SHA512
52f0de9ca7d9755205946ebae42fa746a84ac372650341b382cfc3525ffa39387e0238a0596e4558547be148c739953892c165da4d0586848a5d70acb2d93288

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\851BB334A727800348F10A7D7463FB06FC4B6C32

Filesize
125KB

MD5
df644bcd0d11237d8deb981e86f90b70

SHA1
f0a4712e77655fc374a3eec62ba949842649cadf

SHA256
6714641091eff656b2ddc953923323c25891fb1641aca54e92eb0b96650f8f87

SHA512
72b63e6e0275f4d768f8e05dcbbe40310eb82b8647da28af9d5b9c75c32177be96dda7590b9249f073d05c24a088f4a46edfd2e58223e67cff73b4773f984b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\rufus.ini

Filesize
41B

MD5
c8e136cdc30f6c111b4b2c17684055a3

SHA1
1bb3af54d9ac87173d9f3c0421037622ce80e73a

SHA256
f0713498cb327a15755c3b72ae88bd82a8c3a4f45a244ed1a28e635c31ff4c09

SHA512
1dc2c4e071d4be166fa71747e0cf61de4d4c2472652410ea597735c9d75f6f3b0d1d7909829421a19a94cd28d9160fcd1f5769f53ccb49c641a87c898684af1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rufus.ini

Filesize
70B

MD5
d66a273150a8bbd4d8d3c52280901b0c

SHA1
e027efdbb2f57dbe9af3d20a2bb2817ee557afd8

SHA256
f3c50ca224a0696b0626ce89bcad08c8496c80c3af6f0ef25b5d296c82bc3d9f

SHA512
bfe0a29304b87e108043937abe3226c5280a11afcfe77e8bef2ba0cd03f83239a981c8509f4d8a3cf44d0499adba7668047cc57b93446aa6d55c098064c55731

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NYXNFXDUHKZOY90I4LDF.temp

Filesize
9KB

MD5
14a7fcbf21ddbb3bb661d52d73971467

SHA1
78ce6cf6386ac95f7f15043f027762959f5de443

SHA256
51a51ffb9ccc1b9852e2f3725681f601da4aef4d72c3980a6fc3abd880bd7339

SHA512
42c8a53d291e9793d902e926591fcc44212f691ba06c3a18ac349b106409c9ebd46eeff43ed2e47133d7e9e017249e43ffddd08b1cf03ea5c40eac97f00bbb94

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin

Filesize
8KB

MD5
7bd8c148bec2e69b19f31ceeb8c60dd3

SHA1
7f3dd9e492543341d45a0a3bec1589964b6b76b8

SHA256
0014b582bdc37ba6e246181e6f69726b2cfed59ae521fcb02060c74d07ac4100

SHA512
0b4c1558cd5bd8290c62ef4cc8c5ec4606398db54e4bb5bf8cc9d4fb3caa125a5c04cdf9b841baf79f16effee101591d9dc2b19d5bbd1846fd9c00bb8d9c1dab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin

Filesize
12KB

MD5
86f7b074cb8543e1afdc54c5f5b4ef08

SHA1
1d560baeba1257c275c710a1c6df61d2a6c85d5b

SHA256
e942c4eca330930b2d401876ed5b391724028a4464651eb4a32099de3e4a9337

SHA512
31a3967711f2d2fe25c797e17e64f46866c7a09d56f406f8c5f65d792118ecdd0fb2a1c67868a95d79e3be5b4a08eed456989e635742d6bd6bcce3b1cbeee595

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\bookmarkbackups\bookmarks-2024-11-19_11_ZrdYzC-eJDxPzl9eWEGoog==.jsonlz4

Filesize
996B

MD5
faec8a82c35d6bddd9b1d7f4a7c68dbb

SHA1
518f8d9856574fc11d61576a2980fec26cbd7327

SHA256
c173a9013f78ec791bc1617ce873f96299c46c83df700dfdd02986b08de89e84

SHA512
20f8627622f835c46f59f44e6a5f6cdd6f20d775f3a6ab817b0489de7cef6e5be0e9825fa56787e19fca912a5ca7c1ec3332e0a7f5008c8c2c8970468082d2b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
83725f49e951d83b6c24308fb32b2095

SHA1
ed6945377965b13e10601a7f811997e45c5cc00d

SHA256
9873ad86d97ee125acc5a372fecfd98dc21db6b82c7bd9fa946b85ff6280f1e8

SHA512
a624cc099e487ca65f96db9d2c016a7293079f5ba98e17862b6cbe1a976c3bff0cab3a10173d50b7cba58aa4aba43af48a62b65c25cc338e82be7392c86b12db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
0f5ab2ad964d3db7cec25251411824f3

SHA1
e52e7b335c371fc916067cecf932b8e1e1521ed8

SHA256
b3558a830d0b404adb1f7874c79826863cb0249b4c84d20e3b59332acffaf0fd

SHA512
f06d9902c55fea59705c2d1409f3cf7a6d46615a829d59e2427b130ff900074ade9c0f7debb02cd9d43932278b29cf3d75cf8f5779bae4d18a6960932b963036

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
5cf2e87ca1d5075b088dcadbc62ee404

SHA1
8839a613eaf71e9c8f0080f678bf01ee5c76cca7

SHA256
5fe7dc54a49c44b7f74e23b2b98e764163b2696b94236d0bb5a713df86a5ce0f

SHA512
ea75c000d707be72372d5b53b9a8194859f9a0ab72504d3692162cbca15d182b09d7a99eb994b326dc2a1dbe667a39fe1bb9f4780f62699a0fe39f3f1c42a9bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
53KB

MD5
ddaf4f01db48cd94f43be7035381d2ee

SHA1
ce4a97df943726a05e8ac75517c864b89d36c3fb

SHA256
2cbb688d72fd7db89a910d25e8c7f59c3c2596d51c21fdbb8e323532876a5c68

SHA512
ec375765d806653b15eb41881ee45f7d85d3575c94f232ae7dcd33d8362ef359d6dc954da54a0f6e00aceb43b58884e317bd91020d372f0d3312d20ba4f21de3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\54522379-edb9-4db4-8f55-d5e2787f520c

Filesize
671B

MD5
b39774b5e47e586daeebaa3c341d5638

SHA1
2891657167d238351f64164b9137368eab3d662c

SHA256
47a1d4f7384dc894f32d7a1257c96bfaffb7838e6a31fe15285f92e49c2c0be4

SHA512
2b2684e15aafea54b7f8060990bc41bd752c4a21af38afbb45bdd7b82ba231433f1173cb984960938f557c10ef94c5c361a98a71502fa5b73ce4c9d149c911d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\8ebe1ce3-56f9-4cff-9a0f-8fb275c06e60

Filesize
982B

MD5
3c26fe4e82165ba8b03d0dc85e5b04cf

SHA1
f8ef1941475a3aa9be4bfcfa6b6e868adb1c9744

SHA256
ed961aaae817103ba987616ac699e5b160569309c6f0eb1ef1faab0fc6bd4484

SHA512
83d32f73ba78be0fdf1dfbb6483c162267f406afe874154ac368132d2fe41ef8f4280ce29b47dbee8d8d5eff3f2f98b7182e138ae141f465442b5ff3a1065591

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\ea03f888-0855-4d88-ac2e-66a11709afa6

Filesize
26KB

MD5
0ab3d4f6fcb0280881a806240adf403b

SHA1
66eb44abfccaaee79732fd6c92787c5515324d14

SHA256
ff6d539f0c5a4e190fcc0ffe95495b85bf0da559696d885c238dec0f57792b2a

SHA512
ef1cfcd94beab53e0d4f833643781fb5edd3a0c455ca74ec77bcca5824551d0c868871e876d8565d0d87c001f0670ca7e928f118cc1562ed5e738984a5dabee3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.lib.tmp

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.sig.tmp

Filesize
1KB

MD5
36e5ee071a6f2f03c5d3889de80b0f0d

SHA1
cf6e8ddb87660ef1ef84ae36f97548a2351ac604

SHA256
6be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683

SHA512
99b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs-1.js

Filesize
10KB

MD5
55c7c72b1e20f7491fc746b1b39cae7a

SHA1
69a877fb76b34744f542f584101bdfaf89a6060b

SHA256
a2ec2b534d3d28568899f25c23eb5ebff976422f524a25f4eb793db8cdc3a9ad

SHA512
6ab450a3972d52575e78b8d0889dca1a4cf45d886a03b0f045dc9f0d83a79331774e1641335c925ea993388e34c51e4d3c09b5075500611a534a4e548070f0b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs-1.js

Filesize
11KB

MD5
bd2d21aa40966a74f700212290f56e50

SHA1
492e4f4aca668b071c1921830c166e49aea134cc

SHA256
05ca9cceacf816caab208e99cd2b4445e7e7a99b1ccbe7559be4d2202d22c752

SHA512
27fe170ee09d95d54bd8cbc013b6637e68fd5b4430e7440be0e50bd876092bad48920366dfac4166b59a4e89bb6810ec070af9bfc90f0c519086422a6cbddde1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs.js

Filesize
12KB

MD5
05bd09c0374b12b7119aa4f23ee66d58

SHA1
0f9b86b28bbcfca9c7ff501c5be9487ac181083c

SHA256
af3be14cdf9c97446f7b0bedd9332ee73f5b691582ca7ee589ecadc7e814937a

SHA512
a1805ee8b11bdded9f3b22b3d3bc7ed1158af144d75c54f4c076729e301059456681f47ce34900b24c15e0e205eb034894536a5dcf6db9b8d767b63f61a1d758

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
1582b191f39b8915a58c9cf7092f6fa5

SHA1
cc11650a570897847c52eb3757cc7f808c7f3383

SHA256
eb70ce9995ff40f576059de4152e5d9e39e3b1e45f92df26d851b8a47536040d

SHA512
bc43ab100034fa7bb6f9e4cbb3e991ec675b7a4fbd1ab00e0cce997b30d5dea01a9d375c092ec7d137fe8960d1f84b01aba91bb27d0c48f78c255d95bfb81f5f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\sessionstore-backups\recovery.baklz4

Filesize
42KB

MD5
44d72d08c42a3d5542cd41987ee5abce

SHA1
f6500b6ae214a782c5a2b34da79bf6829614a1fc

SHA256
8f419d393dbb97c1065d0b2c5069b1d75d6e90c70842638367dac459f60cdda0

SHA512
b5722bd84e8dcecc877f2c336f4b0969b440d66f5362045f2d9e448372d38bd490bb4883d5dc70ac9ac075249728cc104a4501789b21eafd9206c41e55fcbd6e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
584KB

MD5
431a936955bb29c80df32e052e50f6cc

SHA1
06a126d32c1cf2302dd2e52688ba1b04eac7ebde

SHA256
6a22d1ba5efe39b0d9f35c59ab5176e1d83c4e35c97837ac2c5ed600b641d766

SHA512
9992fed7f6909234bdc4b7732891c938353c23ac2324d4bf800346f98f96df9a6a02f189fbd0341366ae30a5fa29cc736f6252f338a6e05f3c60cda7b31a5ab1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
376KB

MD5
d545a217818e78603d10a0a422649021

SHA1
834cafc804e3666168d2adf199c4824c0b87c505

SHA256
71d02d9b2a26a09d40588c12cfc914105651b5c4adad6db57c83632a2b147763

SHA512
fb86aa19992cb60213c16194a835f0e579eab72de658a75023e12774f4ea410fea655c629655679533c8f361b89a82dbfac73f0b0490b0c2eb229519ac20a56c

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
cead048a81341e7f91c31f96a82e98e3

SHA1
32f24dda3c3774957c623df11c1237c36ded44fd

SHA256
07956deed8284ce2dc1ff98f4a0fc3776df4b2299f53fac42962fe6f8de39836

SHA512
34c2887a34a65befe377822c93c662f26ace734b74628c77334d019f22633ecde948ceba29dad5d2b38685bfd90bbdc9817887f1f5a7bd4d3d68fbde38611a7a

Download Submit
memory/3444-97-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-157-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-160-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-163-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-152-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-177-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-148-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-144-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-138-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-137-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-131-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-128-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-124-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-121-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-117-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-114-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-110-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-107-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-102-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-101-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-99-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-0-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-96-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-94-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-92-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-91-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-89-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-88-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-86-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-85-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-83-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-82-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-80-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-63-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-62-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-60-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-59-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download
memory/3444-51-0x00007FF748790000-0x00007FF748BFE000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads