quasar | 8b776eb44e02df10fec47058feac9cc18d0f169370ebf7cbd9f0f0b7b66c99f9

Analysis

max time kernel
104s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2024 20:24

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

bannas.exe
Size

348KB
MD5

7500a9269a35b159e854312282732728
SHA1

5b3d03a59af9e662f84fb2ab113e6275a9d502af
SHA256

8b776eb44e02df10fec47058feac9cc18d0f169370ebf7cbd9f0f0b7b66c99f9
SHA512

3d46a5cec0dfc5b14381e21c096d0a9d094e6971629eada7fa4a3ddac7ac2192ff69c1c73b627447092d6589caab350fea14235cfbb380a364dba14969a7487f
SSDEEP

6144:wk+zrEsiN1PDA3COn7bblr71T2fJYUzsgNkd:dxsiNczZsf2UzXkd

Score

10^/10

quasar office04 bootkit defense_evasion discovery persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

localhost:4781

192.168.1.159:4781

skibiditoilet.hopto.org:4781

86.175.70.140:4781

Mutex

QSR_MUTEX_86QM62MaEKfEyd8OVt

Attributes

encryption_key
zZvCiezIyCBIqqTBUeKo
install_name
security2.exe
log_directory
Logs
reconnect_delay
3000
startup_key
security2
subdirectory
skibidi

Signatures

Quasar RAT 3 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bannas.exe
	9	ip-api.com	Process not Found
	227	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/552-1-0x0000000000790000-0x00000000007EE000-memory.dmp	family_quasar
behavioral1/files/0x0007000000023c9e-11.dat	family_quasar

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	security2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	security2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Executes dropped EXE 10 IoCs

pid	Process
2732	security2.exe
3984	security2.exe
4176	MEMZ.exe
6060	security2.exe
264	MEMZ.exe
1552	MEMZ.exe
3968	MEMZ.exe
4032	MEMZ.exe
5228	MEMZ.exe
5188	MEMZ.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
220	raw.githubusercontent.com
221	raw.githubusercontent.com
222	raw.githubusercontent.com
223	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com
227	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\skibidi\security2.exe	bannas.exe
File opened for modification	C:\Program Files (x86)\skibidi\security2.exe	bannas.exe
File opened for modification	C:\Program Files (x86)\skibidi\security2.exe	security2.exe
File opened for modification	C:\Program Files (x86)\skibidi	security2.exe
File opened for modification	C:\Program Files (x86)\skibidi\security2.exe	security2.exe
File opened for modification	C:\Program Files (x86)\skibidi	security2.exe
File opened for modification	C:\Program Files (x86)\skibidi\security2.exe	security2.exe
File opened for modification	C:\Program Files (x86)\skibidi	security2.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4476	2732	WerFault.exe	85
5908	3984	WerFault.exe	114

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	security2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	security2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	security2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bannas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1464	PING.EXE
4328	PING.EXE

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier	firefox.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1464	PING.EXE
4328	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
864	schtasks.exe
2844	schtasks.exe
1016	schtasks.exe
4308	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe
264	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3984	security2.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	552	bannas.exe
Token: SeDebugPrivilege	2732	security2.exe
Token: SeDebugPrivilege	3984	security2.exe
Token: SeDebugPrivilege	3456	firefox.exe
Token: SeDebugPrivilege	3456	firefox.exe
Token: SeDebugPrivilege	6060	security2.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2732	security2.exe
3984	security2.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
3456	firefox.exe
6060	security2.exe
264	MEMZ.exe
3968	MEMZ.exe
1552	MEMZ.exe
4032	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 864	552	bannas.exe	83
PID 552 wrote to memory of 864	552	bannas.exe	83
PID 552 wrote to memory of 864	552	bannas.exe	83
PID 552 wrote to memory of 2732	552	bannas.exe	85
PID 552 wrote to memory of 2732	552	bannas.exe	85
PID 552 wrote to memory of 2732	552	bannas.exe	85
PID 2732 wrote to memory of 2844	2732	security2.exe	89
PID 2732 wrote to memory of 2844	2732	security2.exe	89
PID 2732 wrote to memory of 2844	2732	security2.exe	89
PID 2732 wrote to memory of 2152	2732	security2.exe	106
PID 2732 wrote to memory of 2152	2732	security2.exe	106
PID 2732 wrote to memory of 2152	2732	security2.exe	106
PID 2152 wrote to memory of 4280	2152	cmd.exe	110
PID 2152 wrote to memory of 4280	2152	cmd.exe	110
PID 2152 wrote to memory of 4280	2152	cmd.exe	110
PID 2152 wrote to memory of 4328	2152	cmd.exe	112
PID 2152 wrote to memory of 4328	2152	cmd.exe	112
PID 2152 wrote to memory of 4328	2152	cmd.exe	112
PID 2152 wrote to memory of 3984	2152	cmd.exe	114
PID 2152 wrote to memory of 3984	2152	cmd.exe	114
PID 2152 wrote to memory of 3984	2152	cmd.exe	114
PID 3068 wrote to memory of 3456	3068	firefox.exe	116
PID 3068 wrote to memory of 3456	3068	firefox.exe	116
PID 3068 wrote to memory of 3456	3068	firefox.exe	116
PID 3068 wrote to memory of 3456	3068	firefox.exe	116
PID 3068 wrote to memory of 3456	3068	firefox.exe	116
PID 3068 wrote to memory of 3456	3068	firefox.exe	116
PID 3068 wrote to memory of 3456	3068	firefox.exe	116
PID 3068 wrote to memory of 3456	3068	firefox.exe	116
PID 3068 wrote to memory of 3456	3068	firefox.exe	116
PID 3068 wrote to memory of 3456	3068	firefox.exe	116
PID 3068 wrote to memory of 3456	3068	firefox.exe	116
PID 3984 wrote to memory of 1016	3984	security2.exe	117
PID 3984 wrote to memory of 1016	3984	security2.exe	117
PID 3984 wrote to memory of 1016	3984	security2.exe	117
PID 3456 wrote to memory of 4908	3456	firefox.exe	119
PID 3456 wrote to memory of 4908	3456	firefox.exe	119
PID 3456 wrote to memory of 4908	3456	firefox.exe	119
PID 3456 wrote to memory of 4908	3456	firefox.exe	119
PID 3456 wrote to memory of 4908	3456	firefox.exe	119
PID 3456 wrote to memory of 4908	3456	firefox.exe	119
PID 3456 wrote to memory of 4908	3456	firefox.exe	119
PID 3456 wrote to memory of 4908	3456	firefox.exe	119
PID 3456 wrote to memory of 4908	3456	firefox.exe	119
PID 3456 wrote to memory of 4908	3456	firefox.exe	119
PID 3456 wrote to memory of 4908	3456	firefox.exe	119
PID 3456 wrote to memory of 4908	3456	firefox.exe	119
PID 3456 wrote to memory of 4908	3456	firefox.exe	119
PID 3456 wrote to memory of 4908	3456	firefox.exe	119
PID 3456 wrote to memory of 4908	3456	firefox.exe	119
PID 3456 wrote to memory of 4908	3456	firefox.exe	119
PID 3456 wrote to memory of 4908	3456	firefox.exe	119
PID 3456 wrote to memory of 4908	3456	firefox.exe	119
PID 3456 wrote to memory of 4908	3456	firefox.exe	119
PID 3456 wrote to memory of 4908	3456	firefox.exe	119
PID 3456 wrote to memory of 4908	3456	firefox.exe	119
PID 3456 wrote to memory of 4908	3456	firefox.exe	119
PID 3456 wrote to memory of 4908	3456	firefox.exe	119
PID 3456 wrote to memory of 4908	3456	firefox.exe	119
PID 3456 wrote to memory of 4908	3456	firefox.exe	119
PID 3456 wrote to memory of 4908	3456	firefox.exe	119
PID 3456 wrote to memory of 4908	3456	firefox.exe	119
PID 3456 wrote to memory of 4908	3456	firefox.exe	119
PID 3456 wrote to memory of 4908	3456	firefox.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bannas.exe
"C:\Users\Admin\AppData\Local\Temp\bannas.exe"
1⤵
- Quasar RAT
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:552
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "security2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\bannas.exe" /rl HIGHEST /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:864
- C:\Program Files (x86)\skibidi\security2.exe
  "C:\Program Files (x86)\skibidi\security2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "security2" /sc ONLOGON /tr "C:\Program Files (x86)\skibidi\security2.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vZ9BeatuC1qX.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:4280
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4328
  - - C:\Program Files (x86)\skibidi\security2.exe
      "C:\Program Files (x86)\skibidi\security2.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3984
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "security2" /sc ONLOGON /tr "C:\Program Files (x86)\skibidi\security2.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1016
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y4zyVDPkh1FJ.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:392
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3632
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1464
      - C:\Program Files (x86)\skibidi\security2.exe
        
        "C:\Program Files (x86)\skibidi\security2.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:6060
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "security2" /sc ONLOGON /tr "C:\Program Files (x86)\skibidi\security2.exe" /rl HIGHEST /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4308
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 2216
        5⤵
        Program crash
        
        PID:5908
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1984
    3⤵
    - Program crash
    PID:4476

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\ResizeUnprotect.bat" "
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2732 -ip 2732
1⤵
PID:4144

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2012 -parentBuildID 20240401114208 -prefsHandle 1940 -prefMapHandle 1932 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5cf30a1-7cf3-420d-911f-37bdbcd59050} 3456 "\\.\pipe\gecko-crash-server-pipe.3456" gpu
    3⤵
    PID:4908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -parentBuildID 20240401114208 -prefsHandle 2400 -prefMapHandle 2396 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c8bc8e8-8f7a-4935-b44a-31048c012ee2} 3456 "\\.\pipe\gecko-crash-server-pipe.3456" socket
    3⤵
    PID:740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2980 -childID 1 -isForBrowser -prefsHandle 3000 -prefMapHandle 2956 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed9d491a-7a49-40df-a382-5431b70767e8} 3456 "\\.\pipe\gecko-crash-server-pipe.3456" tab
    3⤵
    PID:1480
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4296 -childID 2 -isForBrowser -prefsHandle 4280 -prefMapHandle 4288 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ceb8dce-a828-4317-8f36-84ed6b2a2bf0} 3456 "\\.\pipe\gecko-crash-server-pipe.3456" tab
    3⤵
    PID:4644
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4724 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4832 -prefMapHandle 4824 -prefsLen 29197 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c122473-fb76-4b75-833a-34381ddc4817} 3456 "\\.\pipe\gecko-crash-server-pipe.3456" utility
    3⤵
    - Checks processor information in registry
    PID:5600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2928 -childID 3 -isForBrowser -prefsHandle 5204 -prefMapHandle 1496 -prefsLen 27130 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e129a11-2763-4d24-b918-2f60af736718} 3456 "\\.\pipe\gecko-crash-server-pipe.3456" tab
    3⤵
    PID:5908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5360 -childID 4 -isForBrowser -prefsHandle 5280 -prefMapHandle 5284 -prefsLen 27130 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4420ded2-92ad-408b-b808-85d2fd67c458} 3456 "\\.\pipe\gecko-crash-server-pipe.3456" tab
    3⤵
    PID:5920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5464 -childID 5 -isForBrowser -prefsHandle 5472 -prefMapHandle 5476 -prefsLen 27130 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dfc8f802-62f8-46d3-82a7-4c702b4a4d0a} 3456 "\\.\pipe\gecko-crash-server-pipe.3456" tab
    3⤵
    PID:5936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5848 -childID 6 -isForBrowser -prefsHandle 5876 -prefMapHandle 2336 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e348147f-8958-4fcf-a296-c21b665177c0} 3456 "\\.\pipe\gecko-crash-server-pipe.3456" tab
    3⤵
    PID:5400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6424 -childID 7 -isForBrowser -prefsHandle 6384 -prefMapHandle 6444 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac0e90e8-8c58-4fc7-a215-29946dbdfdf8} 3456 "\\.\pipe\gecko-crash-server-pipe.3456" tab
    3⤵
    PID:5180
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2916 -childID 8 -isForBrowser -prefsHandle 2760 -prefMapHandle 5216 -prefsLen 27777 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {844728c3-6a1f-44b0-ad4c-af83b944d009} 3456 "\\.\pipe\gecko-crash-server-pipe.3456" tab
    3⤵
    PID:6032
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4176
  - - C:\Users\Admin\Downloads\MEMZ.exe
      "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:264
  - - C:\Users\Admin\Downloads\MEMZ.exe
      "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1552
  - - C:\Users\Admin\Downloads\MEMZ.exe
      "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3968
  - - C:\Users\Admin\Downloads\MEMZ.exe
      "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4032
  - - C:\Users\Admin\Downloads\MEMZ.exe
      "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5228
  - - C:\Users\Admin\Downloads\MEMZ.exe
      "C:\Users\Admin\Downloads\MEMZ.exe" /main
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      PID:5188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3984 -ip 3984
1⤵
PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\skibidi\security2.exe

Filesize
348KB

MD5
7500a9269a35b159e854312282732728

SHA1
5b3d03a59af9e662f84fb2ab113e6275a9d502af

SHA256
8b776eb44e02df10fec47058feac9cc18d0f169370ebf7cbd9f0f0b7b66c99f9

SHA512
3d46a5cec0dfc5b14381e21c096d0a9d094e6971629eada7fa4a3ddac7ac2192ff69c1c73b627447092d6589caab350fea14235cfbb380a364dba14969a7487f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\activity-stream.discovery_stream.json

Filesize
23KB

MD5
e9b9f73c03ecb0617f8942a1e20253e6

SHA1
c37a0962deb639a54e20c6d84b415cd805cfdebc

SHA256
8d76a9a567b82dffca1a470b1be0e1e2dbd8bc8a0350714703fb16ff0f7d7ce6

SHA512
46ed5ad9c24f205abd184b5511e4d4c5729976166671c5b282d5f11fa157458b3e905682e5ce271cd067fbab9f1d764baf8ff79250360787807a115986e8dd56

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vZ9BeatuC1qX.bat

Filesize
203B

MD5
35f3b14e0b099e754a319fb7b41bb41f

SHA1
28d5126161711a5dff707fd5e4069db9f1a20062

SHA256
5d325767d4c0f138c7f91e7c3103d2279e686866966206543c7c749a9c597bf5

SHA512
6b7f09789a8d7964f5aa20d0672f04d7c399c804ffb7094903b68d40f31dfd1fc0fc6b5cdd637b218ac580f3b94858e56a5d57cdaecd9ab776170c9d78d5fb71

Download Submit
C:\Users\Admin\AppData\Local\Temp\y4zyVDPkh1FJ.bat

Filesize
203B

MD5
395a28eff905d62e3c2f90a3110d1efb

SHA1
47737b056a653ee11d7cc6bcb1ce8796bde4939b

SHA256
d54775216fe84ce9d5bfa66c236440880bf2b80fd723adbe7294bd95104069fb

SHA512
f4a90d530d7d8cba52a01db992c1978ad486b6b460bd0a113e18fa83ee549eb358701eee77c5bdcfee318786a646b3722bb4f8611832e88e26909b99def06256

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\12-14-2024

Filesize
752B

MD5
fc233a4f227edb7fce3846c8f47f481d

SHA1
38c5003ba8076050460f985577cec6d6d6e4a410

SHA256
5ec539874f6379dec732e9018fa8b3d81e9303b14f7b780061dafc5c5f53ed55

SHA512
c1ffde7b428af8738c63e31c5f1a388cf617d37e5346655aada798746bcc32cd3ae2a00434bca2ce557faf567b29eceb97f0a99b295e72af64474e7c7272e4a7

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\12-14-2024

Filesize
272B

MD5
63d41d89d103b780607c75702ac27eed

SHA1
b13a8b3dcf6d42f7d0f45dc07e2315c39b531976

SHA256
9a821d497cb24eba4f9a49ac8ff14cb93c25f518493216eecb2c1dc46828364e

SHA512
471a31583296dd34a28ae15cec8389ed541bd0e7b066f144364ff38eaed3d61cd334752332652af264e08f6c24fb7334f6bd439ce3aaa048bc2cc5b1a0311799

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\AlternateServices.bin

Filesize
6KB

MD5
cb470118bbcc717ac9c9e7e56f58f93c

SHA1
4c0087b1d8c2480bc75ea70799d5dac9fa452706

SHA256
170f2a35b60c8e85c6cdab606291972cf5f6390fdb17e270c1383fa630554547

SHA512
28d85da74489ababae29db6ffa0244feab4cc77091a0702b8682943c1829fb652b84b3adf8976dbde480aac1b83af9cf19728abd377c7c6c9bcc3690fd396841

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\AlternateServices.bin

Filesize
6KB

MD5
082588736c77c7dc22f723ad7bd03a1c

SHA1
17308013c3f7507c1b933fbe472a5ab1d3f02b32

SHA256
ec03f3578acc1ec2a725dbe2b737eed7902d2863e7a1db4614a1dc7b0cb3ecc4

SHA512
0d00ee33c17d7419939d902bcf7b994588f763f1870888203518f3783faca8286689f16f591d469fb40cf0d24567cc6d5bc0c7b80d866c2b3bad85f5f05bdc18

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\AlternateServices.bin

Filesize
15KB

MD5
4b40cd7d31c725c297ccac977747d12e

SHA1
59cd8245ea140a4dba876d274a9d95bd06ea496d

SHA256
f5298b5657c34d1bbaf430094974f3fc0c94652c4b136cad23192970413d8cc9

SHA512
634b9201c6ee0322e0b087199e78017dcf9a43b273f6db136d9d7943e6a030a0a6794c9e7bf3477635c1e6ff31f8cbc1222edaba4f3f2b430e3eeca31a48e8fb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
985db7ee20bd5e1fc38eb435f330ad45

SHA1
ba5d0a0f19c31e31377217454de114ba57751f3b

SHA256
420bb9af5123cbaa0fdfcaaf366c5d87674563362e3fc426cc3493799a4bc3ec

SHA512
41e78b34454deac1ae1db25e7ba34f77b23c4b931a71b76a28054b253e543fe321a6bfe3c34a19050d9e4abed38224069dc0c9ad0d339e3d620b3697ea853941

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\2b10b10e-de76-42d2-97d9-d6d5f676fa2b

Filesize
982B

MD5
e9607270acf66c951cb74a5d327b2884

SHA1
a03a3bba14fc194d585c2fc0dd6ec77a05b5fda3

SHA256
d51e5b01f875c2ed6b41c1096d84b3ddf2170432ae20d70f3cc50e7b00e32c84

SHA512
297015671274c72a9bc4d9d9fc43293d5cd86724c44c04a9bcb3dd801a685c0316bbc7e6b4dd884a8afad20193d0bc90272ab08f7c2c874f4b33784bb4181ae3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\77fc9595-6730-474d-8490-a3ebe28cecc5

Filesize
25KB

MD5
51bb2aed29cb7010f7336dc4d2ce27f5

SHA1
76c08d0ae59044429f6d436150bd3e30024593ca

SHA256
4999b50ccda02c5b995122148f94dbe0eba5e3d70674994fd9df99a4d2397102

SHA512
ebc032a9d32852b0109aac42b288085dc93fa66326a475c577023066f175427651c0e2037c8f1bec1340dff247c1a284e7f4c1c9e05cbf4655bd6eb146ad3f0f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\8c09316d-0688-4a4a-bdc8-4d112282e202

Filesize
671B

MD5
89db95a9820a64d40ff67ef29bd9c9a0

SHA1
e1ba704a8f0fa34a9a9b614c2ecb78df4de7ed12

SHA256
25ede21cbcd874d2e2a6af8cd902b28659df9b2a26b5e27d8a74fdad487e1e19

SHA512
8fcae7f7d3796e6dc3f0ef6658589b95e9e6266fc72a9865d92d076e4a8b5e44a4a98974c043283abce81e20a44629689084b155bd4ac2d56a9120a936c00498

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs-1.js

Filesize
11KB

MD5
ef20672b929bc929a25a2af46a4929b9

SHA1
f832b2fb8f7cf36babfe35ba98cfdfcbbb951798

SHA256
b2ce002bca92d11690e8f2b269cc5ffa3cd96143bf7a7f6e9278ac2ae5384041

SHA512
d1b88bf3d0045f339aeb682e1e28881cb4e87345caa06bfe80a25567f3bfa3db6d44b4b3354be2dc52c9cc57a21ba94eb5e97ae3e857bfa0c490e784d909009f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs.js

Filesize
10KB

MD5
517a5e6681c676a33ed53d9c3b8374ff

SHA1
17572c342ce643a0bd9f8a11bb66d71e5b5f638d

SHA256
4811e2f43be96d84e74a74d98173370cddf085279f99991c8debce81eb003b5e

SHA512
ecaa84be3a68743c983d23244b63dc41081f718d581ef10f4f868fbe705e2beba1e4ef8fdbad11270b54a41dbf820602460b83091cd2fe4aaef625ea7899c9c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs.js

Filesize
10KB

MD5
8e85af7e292e503e1bf17fdf3e63661c

SHA1
914babadfd57345ec0633cb6e76939567f1ca8d1

SHA256
718d218a00ff89cbc03062e19b4e8cd57ccef17aa1f07c406a70533b12ffdf9d

SHA512
0025e62204fc65c43c9e3fc7fba228586a8120fa4fe5c622b30b0f70c84e96a27fd5f06618a2b9feace880173a2288815e72dd30afe57e516a1c725a32498a15

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
7bc21c5ec3601e15581caf995468e10f

SHA1
054aa4b91df0f09079343f6037957ebc5078ed14

SHA256
fe062595ef23e871e58b92e9e6a667a3d5f054380a624d34f79ae160d9979430

SHA512
dcc7d0a18d43951ea272acca52976f8ba6c7714ade9846b2b25e2dc2150bb885737c90fe8a3ee35ec1014718691516debcf1133e067d370f02e41b5a3cb345ab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
524d32c8559d3e7e6be323737f7fc2d7

SHA1
6d8fd157479ed043c528de52181d5d62e8f7a906

SHA256
ba5cc34f420964b28f901d7d029c7b1170fdd027780f5673aac889e1768aaa5d

SHA512
bafc11acdc5b1b6707da2b4ab3fe651474ea60df1dd4c8ed99c08a3232889d66f511fb1e14344548a7de96eaf919320d38c610f85b567a3b7ac0ac1f86fb7add

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
memory/552-6-0x0000000005790000-0x00000000057A2000-memory.dmp

Filesize
72KB

Download
memory/552-3-0x0000000005200000-0x0000000005292000-memory.dmp

Filesize
584KB

Download
memory/552-1-0x0000000000790000-0x00000000007EE000-memory.dmp

Filesize
376KB

Download
memory/552-14-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/552-0-0x000000007486E000-0x000000007486F000-memory.dmp

Filesize
4KB

Download
memory/552-5-0x00000000052A0000-0x0000000005306000-memory.dmp

Filesize
408KB

Download
memory/552-4-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/552-7-0x0000000006580000-0x00000000065BC000-memory.dmp

Filesize
240KB

Download
memory/552-2-0x00000000057B0000-0x0000000005D54000-memory.dmp

Filesize
5.6MB

Download
memory/2732-15-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/2732-16-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/2732-18-0x00000000063A0000-0x00000000063AA000-memory.dmp

Filesize
40KB

Download
memory/2732-26-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/2732-19-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads