aa8fa515fa6a86b433a0445145ed4700c7f7141689520629347ba8a9c2e28cd9

Analysis

max time kernel
22s
max time network
17s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
03-12-2024 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

killa.exe
Size

251KB
MD5

78358a69077076025340aab9d5969a81
SHA1

1180e9133be91c474cc3da3e77f612abcc5ca6e8
SHA256

aa8fa515fa6a86b433a0445145ed4700c7f7141689520629347ba8a9c2e28cd9
SHA512

7140b090854761a4e1bf243f4355f1d3ad83a44193075a474bc0b006a980472215ff7424ce264f7e875b07b49b94a7a60256ff612d093f906bd02a6492395280
SSDEEP

6144:xa0T3uQwzIn51Fc/SQPbg8s3TZ4crBqB1:B08rkfYTV8B1

Score

8^/10

bootkit defense_evasion discovery evasion execution lateral_movement persistence

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Remote Services: SMB/Windows Admin Shares 1 TTPs 1 IoCs

Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).

lateral_movement

SMB/Windows Admin Shares

T1021.002

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\NullSessionPipes	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	killa.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2052	sc.exe
2460	sc.exe
4848	sc.exe
3604	sc.exe
4492	sc.exe
4876	sc.exe
228	sc.exe
3672	sc.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2620	NOTEPAD.EXE

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2620	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeAuditPrivilege	2656	svchost.exe
Token: SeAuditPrivilege	2656	svchost.exe
Token: SeAuditPrivilege	2656	svchost.exe
Token: SeDebugPrivilege	3628	firefox.exe
Token: SeDebugPrivilege	3628	firefox.exe

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe
3628	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3628	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1004 wrote to memory of 1120	1004	killa.exe	83
PID 1004 wrote to memory of 1120	1004	killa.exe	83
PID 1004 wrote to memory of 2128	1004	killa.exe	84
PID 1004 wrote to memory of 2128	1004	killa.exe	84
PID 1004 wrote to memory of 1700	1004	killa.exe	85
PID 1004 wrote to memory of 1700	1004	killa.exe	85
PID 1004 wrote to memory of 1096	1004	killa.exe	86
PID 1004 wrote to memory of 1096	1004	killa.exe	86
PID 1004 wrote to memory of 4588	1004	killa.exe	87
PID 1004 wrote to memory of 4588	1004	killa.exe	87
PID 4588 wrote to memory of 1484	4588	cmd.exe	88
PID 4588 wrote to memory of 1484	4588	cmd.exe	88
PID 1004 wrote to memory of 1428	1004	killa.exe	89
PID 1004 wrote to memory of 1428	1004	killa.exe	89
PID 1428 wrote to memory of 4848	1428	cmd.exe	90
PID 1428 wrote to memory of 4848	1428	cmd.exe	90
PID 1004 wrote to memory of 4408	1004	killa.exe	91
PID 1004 wrote to memory of 4408	1004	killa.exe	91
PID 4408 wrote to memory of 3604	4408	cmd.exe	92
PID 4408 wrote to memory of 3604	4408	cmd.exe	92
PID 1004 wrote to memory of 3452	1004	killa.exe	93
PID 1004 wrote to memory of 3452	1004	killa.exe	93
PID 3452 wrote to memory of 4492	3452	cmd.exe	94
PID 3452 wrote to memory of 4492	3452	cmd.exe	94
PID 1004 wrote to memory of 4416	1004	killa.exe	95
PID 1004 wrote to memory of 4416	1004	killa.exe	95
PID 4416 wrote to memory of 4876	4416	cmd.exe	96
PID 4416 wrote to memory of 4876	4416	cmd.exe	96
PID 1004 wrote to memory of 3252	1004	killa.exe	97
PID 1004 wrote to memory of 3252	1004	killa.exe	97
PID 3252 wrote to memory of 228	3252	cmd.exe	98
PID 3252 wrote to memory of 228	3252	cmd.exe	98
PID 1004 wrote to memory of 4056	1004	killa.exe	99
PID 1004 wrote to memory of 4056	1004	killa.exe	99
PID 4056 wrote to memory of 3672	4056	cmd.exe	100
PID 4056 wrote to memory of 3672	4056	cmd.exe	100
PID 1004 wrote to memory of 2468	1004	killa.exe	101
PID 1004 wrote to memory of 2468	1004	killa.exe	101
PID 2468 wrote to memory of 2052	2468	cmd.exe	102
PID 2468 wrote to memory of 2052	2468	cmd.exe	102
PID 1004 wrote to memory of 3496	1004	killa.exe	103
PID 1004 wrote to memory of 3496	1004	killa.exe	103
PID 3496 wrote to memory of 2460	3496	cmd.exe	104
PID 3496 wrote to memory of 2460	3496	cmd.exe	104
PID 2860 wrote to memory of 3628	2860	firefox.exe	116
PID 2860 wrote to memory of 3628	2860	firefox.exe	116
PID 2860 wrote to memory of 3628	2860	firefox.exe	116
PID 2860 wrote to memory of 3628	2860	firefox.exe	116
PID 2860 wrote to memory of 3628	2860	firefox.exe	116
PID 2860 wrote to memory of 3628	2860	firefox.exe	116
PID 2860 wrote to memory of 3628	2860	firefox.exe	116
PID 2860 wrote to memory of 3628	2860	firefox.exe	116
PID 2860 wrote to memory of 3628	2860	firefox.exe	116
PID 2860 wrote to memory of 3628	2860	firefox.exe	116
PID 2860 wrote to memory of 3628	2860	firefox.exe	116
PID 3628 wrote to memory of 4292	3628	firefox.exe	117
PID 3628 wrote to memory of 4292	3628	firefox.exe	117
PID 3628 wrote to memory of 4292	3628	firefox.exe	117
PID 3628 wrote to memory of 4292	3628	firefox.exe	117
PID 3628 wrote to memory of 4292	3628	firefox.exe	117
PID 3628 wrote to memory of 4292	3628	firefox.exe	117
PID 3628 wrote to memory of 4292	3628	firefox.exe	117
PID 3628 wrote to memory of 4292	3628	firefox.exe	117
PID 3628 wrote to memory of 4292	3628	firefox.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\killa.exe
"C:\Users\Admin\AppData\Local\Temp\killa.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /q C:\Boot\BCD
  2⤵
  PID:1120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /q C:\bootmgr
  2⤵
  PID:2128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /q C:\EFI\Microsoft\Boot\bootmgr
  2⤵
  PID:1700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /q C:\EFI\Microsoft\Boot\BCD
  2⤵
  PID:1096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG DELETE "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Fonts" /va /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Windows\system32\reg.exe
    REG DELETE "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Fonts" /va /f
    3⤵
    PID:1484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop \Device\Harddisk0\DR0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Windows\system32\sc.exe
    sc stop \Device\Harddisk0\DR0
    3⤵
    - Launches sc.exe
    PID:4848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop i8042prt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Windows\system32\sc.exe
    sc stop i8042prt
    3⤵
    - Launches sc.exe
    PID:3604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop kbdclass
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Windows\system32\sc.exe
    sc stop kbdclass
    3⤵
    - Launches sc.exe
    PID:4492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop iastorV
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Windows\system32\sc.exe
    sc stop iastorV
    3⤵
    - Launches sc.exe
    PID:4876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop msahci
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3252
- - C:\Windows\system32\sc.exe
    sc stop msahci
    3⤵
    - Launches sc.exe
    PID:228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop NetBt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Windows\system32\sc.exe
    sc stop NetBt
    3⤵
    - Launches sc.exe
    PID:3672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop Tcpip
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\system32\sc.exe
    sc stop Tcpip
    3⤵
    - Launches sc.exe
    PID:2052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop LanmanServer
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Windows\system32\sc.exe
    sc stop LanmanServer
    3⤵
    - Launches sc.exe
    PID:2460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
- Remote Services: SMB/Windows Admin Shares
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {83447688-e470-44c7-aa5e-f6e143cbf881} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" gpu
    3⤵
    PID:4292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aee486a5-ca33-4fea-aa0c-64252c3100e1} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" socket
    3⤵
    PID:3468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3164 -childID 1 -isForBrowser -prefsHandle 2848 -prefMapHandle 2824 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c5a9809-0214-4106-8635-a313f4fe1aa8} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" tab
    3⤵
    PID:1284
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4292 -childID 2 -isForBrowser -prefsHandle 4284 -prefMapHandle 4280 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1b7a8c1-796d-4459-8cb0-cb128b677202} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" tab
    3⤵
    PID:4588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4684 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4696 -prefMapHandle 4692 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3e15b71-8c0d-4a10-960d-3e2afdd7be32} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" utility
    3⤵
    - Checks processor information in registry
    PID:3152
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5268 -childID 3 -isForBrowser -prefsHandle 5264 -prefMapHandle 5244 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9bcb8c1-cdce-4f18-abc1-4fcb5dfa4dab} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" tab
    3⤵
    PID:4648
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5400 -childID 4 -isForBrowser -prefsHandle 5408 -prefMapHandle 5412 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a30177e-c00d-465c-808f-b45ef88f5a86} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" tab
    3⤵
    PID:1908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5580 -childID 5 -isForBrowser -prefsHandle 5624 -prefMapHandle 5632 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f490ed3-feb4-49a6-93d9-80c7d5e65a60} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" tab
    3⤵
    PID:4884

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SyncPing.txt
1⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Opens file in notepad (likely ransom note)
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Remote Services

T1021

SMB/Windows Admin Shares

T1021.002

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
0c31428c0d18813c903da14463da0a16

SHA1
5ba0e78e3782bb439dfcba4c1be697f4725186a6

SHA256
fbb1be6e695dcd3b6f2415d4a957d49b80288be15505d61e725c7cd69cebbd29

SHA512
03f2d95e9cbf961d7ecf740398831da4c39a80e9e8b57798d959c5199229deb21f1df4030d327012a23fefd77ae33ae375599cd7e0e9ed4505666c5c009d6780

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\AlternateServices.bin

Filesize
6KB

MD5
1321f04d39bc8df6725208eecf92ae0f

SHA1
ded6e6d5cbcadeafa353d5281fef5381039dd343

SHA256
afae41e0dbec0b5f5711a776b5c1430032ffa7f24fbf3eb80b5cd82aa13d6fd7

SHA512
6bde12b3f69b144cb0d3d987873040fa17c50408ca7afea5279b76793e2e0167f912d4726da4dd9eace8281084af2dff877fc1623484320bbc45c7201b8467d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
6890f2c55b996b4e90f59005172bab71

SHA1
3111eabdeb26074a6344eb31644b360ceea3a40d

SHA256
b98ab872e6980ff8041ce875101124a46a58581299b6a5c9c005663e20139bfd

SHA512
74905a6165103b0254cd80aba8a6af0cbc3a843099d89dbd5b466ab83cc78fe3c8c2db96367796d15367cf5c0f19827747b51fa670e0aea7426f2e35bd54394b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
bdaf04e4f8fba06010798fb65d952793

SHA1
a30c480b9db1fddda68a67cb3b649b556da189f1

SHA256
530a24c81a2339703a719fb2e2e07786d75d953059f993c6f0b7c16b7c8fdaa0

SHA512
686bf978a61bf5d8fa75ba0868eeebe30c03bd1faa5e4f9fc8a2ca3e12f987fffdb63516f014ae1cd0813dc15149c2368fc80a8a1796980012e3b6ee856fc34e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\pending_pings\45349841-6f94-4718-bc8a-fe5b9827e585

Filesize
982B

MD5
699040093273dd50f0b3408c2cd822f8

SHA1
a13b2a9c4d0e09f7ed4727fa7ad711a4b1398c07

SHA256
fed2002cfacde42f849ba3b2da39e0d85aa2f0c706217a97656f897fd63e6aca

SHA512
8881ee5c04414498e0ece364bedf6021747182599ac8facae1a86e23dc8928dd73d1cd2ac16bbf7654c3d1e7437ee9525c48453fd7ba36636e3fd58e65b50d94

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\pending_pings\df04e52c-f5e3-4a13-8503-2a52b0d4159d

Filesize
26KB

MD5
2c41a91b02b5e7986f0a9b6ba7c16d01

SHA1
2cb07c60b8a3130d0e3c7114b38d501deeab0602

SHA256
1601e518f01affbf3031f0de743b009a70fa0499372a9dd8505f33649091a51d

SHA512
a0e2ee5efb4c6f6af76be25a4b3361cbc010155c0d9504a6e9db9a64e5e04120a616e7c6a45e5843927a773368ab0a6bbd2d04d20923d2449a7177bfb62552a6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\pending_pings\fadf5fa9-e9dd-4559-8fa6-05f611b0359c

Filesize
671B

MD5
ba62db419d256fb465cedf198ac68009

SHA1
7073d1038785f224e28ebe12ba7af93df1a41c3a

SHA256
ce93a0502b053d10b2ee818bffe484b7749c432bc53f94c5274d7ed96b94d72d

SHA512
cd82177b0fbf278358a4bc51db3eda11fafdd6d694d1b5732d12ac8ac1a4dc319233200c183125ec63406850056398e4f236d787d5758e575567f22ecab62d36

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\prefs.js

Filesize
10KB

MD5
e6d1cc207b06ae9735d3cda6e3660384

SHA1
c7acd63cb03bc73f9819d3ed8200cd65860dda8a

SHA256
f8405abcb671996715dbc02db33ab86f95cbbfcd985ece32c8c4317f250536b9

SHA512
21251aa320ad2dffb5f4b2213f8ee45be2b6876d51d1740d445c083386711abfb616bfb24d356d092dbdf57d561f371131cc39703031f1958bd5df2ce5a96a0b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\prefs.js

Filesize
10KB

MD5
dd11bf5e9237e28eb9232f2f8f51292f

SHA1
a5094ec77f6fc216cfad354af26e52284fcfce6e

SHA256
c2909a383456568b41566a01ef65d825ed409c30bb6471a37ff73a10fbc54f3f

SHA512
347ea946e3d2076bdd746f997ffa6898d3c150b311668be572303af4c5b07148422cea444b58861bc6a0966a91f4c9e9b400dc270c1c7d042e00383daa2cac79

Download Submit
memory/1004-0-0x00007FF696470000-0x00007FF6964B0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads