revengerat | e7950daac34b2fec77f776dcf8fea064761cfcba83759477ee27047b82d3bc17

Analysis

max time kernel
212s
max time network
214s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
20-01-2025 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Links Grabber By Mf4Tn [zone-h] v3.rar
Size

411KB
MD5

09b7f2392816377e89baa662c1bb532e
SHA1

4d2d891260a43224064346f17cd8ac4621f9ce02
SHA256

e7950daac34b2fec77f776dcf8fea064761cfcba83759477ee27047b82d3bc17
SHA512

3a56e41a02948e34bf9c1fb58bd0960381ef0d95fc08fc6e51c9a7accdf74990a4aceacf88d29a55ba97ceb2d009b7d9cbf6cf8dff960a6cb1048322c1573f9f
SSDEEP

12288:X3enDmhcng8yxnVzkUgSDxF/p05pVcBGxmAxF:XOnPAnHgCFWp1MA7

Score

10^/10

revengerat nyan-cat discovery persistence stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

NYAN-CAT

blog.capeturk.com:1111

Mutex

RV_MUTEX-FZMONFueOciq

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/3080-362-0x000000001B370000-0x000000001B37C000-memory.dmp	revengerat

Executes dropped EXE 7 IoCs

pid	Process
1760	Links Grabber By Mf4Tn [zone-h] v3.exe
4696	Setup.exe
2244	Setup.exe
3108	Links Grabber By Mf4Tn .exe
2684	svchost.exe
5040	svchost.exe
3080	explorer.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Intel Security Corporation = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Intel Security Corporation = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe"	explorer.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	Setup.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Setup.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	Setup.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Setup.exe
File opened for modification	C:\Windows\assembly	Setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Links Grabber By Mf4Tn .exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3984	7zFM.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeRestorePrivilege	3984	7zFM.exe
Token: 35	3984	7zFM.exe
Token: SeSecurityPrivilege	3984	7zFM.exe
Token: SeDebugPrivilege	1200	firefox.exe
Token: SeDebugPrivilege	1200	firefox.exe
Token: SeDebugPrivilege	2684	svchost.exe
Token: SeDebugPrivilege	5040	svchost.exe
Token: SeDebugPrivilege	3080	explorer.exe
Token: SeDebugPrivilege	1200	firefox.exe
Token: SeDebugPrivilege	1200	firefox.exe
Token: SeDebugPrivilege	1200	firefox.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
3984	7zFM.exe
3984	7zFM.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe

Suspicious use of SendNotifyMessage 10 IoCs

pid	Process
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe
1200	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1200	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 1200	1272	firefox.exe	81
PID 1272 wrote to memory of 1200	1272	firefox.exe	81
PID 1272 wrote to memory of 1200	1272	firefox.exe	81
PID 1272 wrote to memory of 1200	1272	firefox.exe	81
PID 1272 wrote to memory of 1200	1272	firefox.exe	81
PID 1272 wrote to memory of 1200	1272	firefox.exe	81
PID 1272 wrote to memory of 1200	1272	firefox.exe	81
PID 1272 wrote to memory of 1200	1272	firefox.exe	81
PID 1272 wrote to memory of 1200	1272	firefox.exe	81
PID 1272 wrote to memory of 1200	1272	firefox.exe	81
PID 1272 wrote to memory of 1200	1272	firefox.exe	81
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 1236	1200	firefox.exe	82
PID 1200 wrote to memory of 4008	1200	firefox.exe	83
PID 1200 wrote to memory of 4008	1200	firefox.exe	83
PID 1200 wrote to memory of 4008	1200	firefox.exe	83
PID 1200 wrote to memory of 4008	1200	firefox.exe	83
PID 1200 wrote to memory of 4008	1200	firefox.exe	83
PID 1200 wrote to memory of 4008	1200	firefox.exe	83
PID 1200 wrote to memory of 4008	1200	firefox.exe	83
PID 1200 wrote to memory of 4008	1200	firefox.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Links Grabber By Mf4Tn [zone-h] v3.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3984

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {98d42233-e69d-41c7-abc8-6dcaa654cf86} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" gpu
    3⤵
    PID:1236
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac2d9e13-a2d6-416f-abbf-87a51409bea8} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" socket
    3⤵
    PID:4008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2996 -childID 1 -isForBrowser -prefsHandle 2868 -prefMapHandle 3188 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52fd6e99-91e6-4a86-931a-78508d9cc291} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" tab
    3⤵
    PID:2632
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3796 -childID 2 -isForBrowser -prefsHandle 3556 -prefMapHandle 3456 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe1a820e-ce23-4c1b-94e1-6924e64c2278} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" tab
    3⤵
    PID:1444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4808 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4744 -prefMapHandle 4748 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {caa4303e-e784-4f93-a388-17aa4a393cbd} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" utility
    3⤵
    - Checks processor information in registry
    PID:2028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 3 -isForBrowser -prefsHandle 5484 -prefMapHandle 5536 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65aa6bfa-8819-40db-84d2-73bc6917b9fb} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" tab
    3⤵
    PID:2348
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5720 -childID 4 -isForBrowser -prefsHandle 5748 -prefMapHandle 5728 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {723e8083-487d-4178-a7c5-13ac5421ff40} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" tab
    3⤵
    PID:3564
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5768 -childID 5 -isForBrowser -prefsHandle 5760 -prefMapHandle 5756 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3510e854-a5ee-4489-90c6-904151729996} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" tab
    3⤵
    PID:1176
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5748 -childID 6 -isForBrowser -prefsHandle 1524 -prefMapHandle 4004 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1def763f-7323-406e-b096-675ad0db8984} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" tab
    3⤵
    PID:1272
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6504 -childID 7 -isForBrowser -prefsHandle 6528 -prefMapHandle 6540 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {077c0091-db9b-4ee9-ac61-3967b7b108d4} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" tab
    3⤵
    PID:1408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6588 -parentBuildID 20240401114208 -prefsHandle 7064 -prefMapHandle 6528 -prefsLen 33931 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {303fa81a-1225-43af-8f4f-28793fedbe58} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" rdd
    3⤵
    PID:3804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7060 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 7020 -prefMapHandle 6720 -prefsLen 33931 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50e72d08-61ed-4f94-8957-00f62a9da775} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" utility
    3⤵
    - Checks processor information in registry
    PID:4312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7236 -childID 8 -isForBrowser -prefsHandle 7224 -prefMapHandle 7220 -prefsLen 28163 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7a42b7b-6432-4179-8a20-1333b23ad0ce} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" tab
    3⤵
    PID:3112

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3240

C:\Users\Admin\Desktop\Links Grabber By Mf4Tn [zone-h] v3\Links Grabber By Mf4Tn [zone-h] v3.exe
"C:\Users\Admin\Desktop\Links Grabber By Mf4Tn [zone-h] v3\Links Grabber By Mf4Tn [zone-h] v3.exe"
1⤵
- Executes dropped EXE
PID:1760
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  PID:4696
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2244
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5040
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      PID:3080
- C:\Users\Admin\Desktop\Links Grabber By Mf4Tn [zone-h] v3\Links Grabber By Mf4Tn .exe
  "C:\Users\Admin\Desktop\Links Grabber By Mf4Tn [zone-h] v3\Links Grabber By Mf4Tn .exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\Setup.exe.log

Filesize
408B

MD5
252d820f60b1a8716c6ecf2a06f4efe1

SHA1
9be2566cf6aaf73ff7679db9cc2a6277b27a5896

SHA256
3b1cc12b59dc1e8a72b957d9b9be782c0cbf2a6fed1305b339e55f4ee38efe91

SHA512
49bc304d7454c112011474fdd557a3693fa7821b831d45fcea0cd2562cf23cad7b3512195054f7d90c7a8149f4c380cc8ab68131e7d5bc37066fbd0e0d580c39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\svchost.exe.log

Filesize
588B

MD5
0c58dbc9a794b32825516df4daf69dbd

SHA1
bb9324b7c1c929fc82fbce3b535fae872e2d0b46

SHA256
06566cb514a94a80523723b05acb8175993b9626533a1f254f0ea7680af1b3d0

SHA512
76b2a83faa0daa9909bc1f0890ca8adbe81b63a19337fe3a9339b1b8ad179b1f7f5863444b9ae89ac149b447b5ca56feb243b76d7f337f4bf4d9e61bb18d9df4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\activity-stream.discovery_stream.json

Filesize
25KB

MD5
8290ba9d168552873c7d7f40d24eae17

SHA1
8eed0914c1b5740ae014937e9cb10d4f89bdb23b

SHA256
4bbea1c0056ee400728cf464dc88e47f59ef074315152a88c942ca9b72c602b6

SHA512
b62684da8d6295b5eb71cf57363aab06f724ba8a02d1766ae1ad83cd0112d2783f538eaba5b1329a55c818fd5b3b327ed84b596dda84b6a4d307fdec64e42ca6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\cache2\entries\2D1E4DD6B944677A7224304C8AD049FC8011EF39

Filesize
1.3MB

MD5
f11ed1d8162b774e60912124364fb3c0

SHA1
f6d9c0deb7cfe38d56096fdd025a71802cfaf379

SHA256
2c0b65f38d3ea4cb92cdeec26f0a9b5706d187c67e31a8f65654c9d0aa8989d0

SHA512
22f3d01ade398755ca9620f6a3e6cdac9075a43e6cf0e5a59b68cd904d8553819086bad9a741801c1cb584fc047161bbd0faecc85b0c168d7ea547437c0900f9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\cache2\entries\41CAE31DE2594B41D8C753CFCD49304007D02C6E

Filesize
8KB

MD5
12c1e48704ed09ac853a7845ada733ff

SHA1
81f9b4a0467a6b7d860d5adb97151b13005f672a

SHA256
f3ea8d2155fba08948fcdda0d0aaa76110b0c5a2d9f2c8dcca1d5ffed43b4947

SHA512
e73e30636674f10b285d2dff73e4f8003cd75a820253d8f5872b0ea6e2ca672ca2eee885112fc3bd70862c08f765140f3afabc91fb6b8c17723ca146be600594

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\cache2\entries\91796C7DA32FE0793E60CEB60B92E4434949439F

Filesize
10KB

MD5
4762bf851e4633adac93fe7739e718f1

SHA1
2d73c53d10eae0e974590b4e992cac7ecabaddf3

SHA256
ced9e179268d7e1f783481307145d352919ffa2b86017950063258721b9db60e

SHA512
610b35d39f149741940efdddabb887ffcede5ba2b2d4aeba8984e5cd4e7f1c14d5225ef1aeab2e6807c2db15097631d51cba674675624f33b45a2402f31ee58e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\cache2\entries\985B50FF4EC64151AF78E3640EFB382A07A5DA80

Filesize
480KB

MD5
1a1ee1516631b63adfecbab626621e12

SHA1
e377a07eb722ccac20dd7d23b01261bb78cf3545

SHA256
5b9b70d5d8e918799a0e2da49634cdbb46cdcde560858ecd8c5f6c33334e3916

SHA512
102e5d5f9991085fc5ebca4aae508d73de5280220342ce430dc8477e038ef5e3d05d08a0fff072b8b02c48f7eb7ccb1ceb26c488ba57d7b3c3bb04e77ee36168

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\cache2\entries\D87FD446E662296EA7458FFE88DC63D972D93962

Filesize
61KB

MD5
1dbe35e2cdf5fe225630001154ee0033

SHA1
cdf855d6b0b0d3e60d28b950b456f7aa4449f5d7

SHA256
36c2a43cf831349c6ae403111970746ce7207bd7a17e84d7a91a62f3031c47a1

SHA512
3fba28ea57c98ca6bd08e1a1609e66ecd6c488f874b8c0097538f4ba0888216ce1538401a31947adecba486218bf369afc4b49401739e98bda1aed5424963bf9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
420KB

MD5
ada0cbc54989b2cd2959601c7a5b8499

SHA1
9c8739d476016fe0a87b176bb95f3a5bcbeff0de

SHA256
a19b89ddc700357e618934775fd1a412401b308a9ef6ae686d3f363622065c96

SHA512
f9de42724ff8bc65841db07a0901b706cf5f44d6c1e09e34ea753f88ed9746a22898993e0afe2947f8b4aa28515b428bd320bedca471b04db171776e81c4558e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
73KB

MD5
8e3d99e6a1064f89744ccb24dc6802bb

SHA1
1b6c31ab4236538c8423c19575c1e19a031b3876

SHA256
d21a23ffbdfe1bf8232a132b559c99b37f5825d816f83370684e67988b3162a8

SHA512
f5f49c20c5d9a5a80e1d3a4540695fca4732755bc33c0ea61b8be582a2ab7d22305666caf4a3f09fc7c165b3ceadcc89aa4240edcf1f0daba8b0bb09ef720134

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

Filesize
293KB

MD5
1303779b354738a8c93cc522ffb21f11

SHA1
ce29a26e1363ddfdc830e2934fed935f15032187

SHA256
0a8e2fcc8c6393d2e97e6129e862a877a420a54f2530b4af5eb7f8e2a7a30af5

SHA512
b5a612907d09200753d4b4770c90cde98d18eda7eacd15c8297582401b58f1a4a91c8553dea7640d03bcc6068bb2afa0b1ee46997653c839f2066f5ed050a66d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.zip

Filesize
255KB

MD5
938670594dc5d2fcb3e7782425780da3

SHA1
afedf59a98374c265190f1d49707dbadf608cdaf

SHA256
04275bd861b03845f7292d59cc3e676c4fccb9df355d106c085cf6bff763a456

SHA512
75e2c40d33116242ba600c8ad875f6a6910ad09ba9c8977e4b97e28600b69709d02f1e0153f73cc50ad73607c819dbb29287910119af1152e0e20ccd9668d85e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\AlternateServices.bin

Filesize
6KB

MD5
b348bff7c3c990a3e5000785ccbeeb43

SHA1
88ad8ee30d88e6fe5cdaa2d249aa4d1c8c8d8f62

SHA256
3b8a2513a636c812ead4c2f5ec8669b7b228283682a954a702f6c804ca6e3a7a

SHA512
4df25f47c1ae958fa53b87f68fc47c8a129d327aa2f0e8c892297d29d686680ac99f9bed38aad284f3ab6e3534247f697b7777b3c01cbeba6c725938282429eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\AlternateServices.bin

Filesize
12KB

MD5
81bd741cac0436c0c54fea2c5366bd12

SHA1
d84ed006082deb10b7593912363438d37e9bc90e

SHA256
1abd5ebccf342d0e6768327c0fc6a8bf35b6492f2943b10cd74ca2f3dfd3a5f2

SHA512
5f1d6ea5a6cc9abcf3ffc810b6c3927b72085d18afcc24e6d1e93d027a1301584131f50a18841888f301b393bd581681af411b5917b77bfd9c34a471ffe62708

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
1489277023b63b0dab9ef412e8fd2a9f

SHA1
d5a755b6b076477198cafa4863cb46174883ee72

SHA256
75eb07c3b85fe5eb61e2186e7433a7d519286e2d048a07e759db24be134298ea

SHA512
a839be3b2384bfb1fa498119f28179f778ca6a801200bdd7b0de190de8399d20930a865f4ccd783b16f18eb32012e39cf343ec2f54738d48253f09dc0219dc74

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
2ff4571160f2478cd88acc7a9db9de0b

SHA1
23a48b72ae654f149ff2807e45f37efed522615e

SHA256
355398064c20daf680420c892330dae9305d54443bb32a770e6f513b9b7a40cd

SHA512
af6441098f9f124fe3cc481f1abe61cdd7f2e7748de48bbcc5c57eba69d892eb63a6d75ecb67c3be2170d4532d5404321ea04c70e61e27b5dd6afab06e53de53

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
6fe3305d69d406c4e82d0d37d42312cc

SHA1
9e0e663b843a2747e8625a0870496f5b6c5ac241

SHA256
5cbe3e68d48cbe960c5b9905330ccaf5d6b22d4be45b90b8604058470de75e16

SHA512
3649c5b67b0df93f300be78afaf95f9880b7860b38c63a8d8a12580ccbb7517240ae60bcd427149792c6befae18c4abc3a10e38fc466ab049564e2b1997e43a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\pending_pings\cba00a38-dbd4-4540-9dda-46fd2da34287

Filesize
659B

MD5
b30c11a990a10a4a4302399fe0c6c7dd

SHA1
e75e3ed3cad048347870cb89ae3ef344854fb867

SHA256
1b2a92b56631866e68ca0544bb5e31b2788e52584e036cfa32db90c70072e26c

SHA512
3f55515fbd35df2359e95468ccf0e2d69c99d0c399a3c74f53c54c82f43b762e981e509e8c105488d12bcdd7dc647c840cab8a85ee0dfc8870b9739f2b3055ad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\pending_pings\eeefa99f-2cfa-4788-b34f-4386138e3f04

Filesize
982B

MD5
a6ce2d23262e25fb5464da5b69aefbfe

SHA1
53b6a11e93de3644244df9e0472d9a9866add6c4

SHA256
99df8c11a11a1495de087de366b30d7b2edb54a890937523067cc3a32d800753

SHA512
3eca20b7a5f9f4cce22fe3c29e5c233eeba72b8c3839d4b1f0a764d2fc6ae106bf2c04a38efce7b68ac297933be416142d550fba51dffdb46e372bd120077a65

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\prefs-1.js

Filesize
9KB

MD5
caf71a57981c5dfd45edeae570d3eb04

SHA1
3a4b70a1fc99356115013ca81c1a051a6614ff17

SHA256
6cfd3318e8e2c391709bde14f29e691acaa32b31e11287102607f1893c73fae0

SHA512
4d493719fed7e6227b07ae8dfabd87a18016fdbf9704e78b802e6e640c18c23826bfe53cdba16f1afc8d1676e0db001fe916a6f0ec99b94a0be599d536f5995f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\prefs-1.js

Filesize
10KB

MD5
40ccde07a67f2ce299e29b8deb9e8b9f

SHA1
7ff02e048de64b86ff26ba899129687252a741d9

SHA256
0593cb080a99ac7f64f947b5bf1e378df6aa371982df67977fec6da0064be2b9

SHA512
44bdb4814e00b3ec9a0ce7bae58d36ecdbafea1991b87bb9b187b85ecc693d811265ee81f3c7b8800d60654b7a15afd0a8c905050528030e7da08fa25ed859e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\prefs.js

Filesize
10KB

MD5
8a22bfe9e38002118fd20d57b44a7f3c

SHA1
c7e7bffa28a2e1d8af10d28349e102bca2541817

SHA256
42f346fc9b6075fd41bbf28c18a3ac328bcc92d08d3dd93b53017fc63fbaed2a

SHA512
07860c204be357d8835e4aed5e44de788f6a16f2921e4a98f3dfee858b77fa325b8aeae5221619e36166bb2487c8e4c84e8207af9114ef2d36da6d473bac94c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
428c77deb7d2c5558d0f6861d44682b0

SHA1
b8c9eae5ebcf88835208e0f2f6872be224366837

SHA256
ece8f2adc41c9e3b762ea85cf6e494500ffbb816e0a37c9e9bc62bee7e8a379b

SHA512
e879dbdab8ed3a3bd81e438323e23b7f2c26e2931098f9006f5e8f8b788c3d4f16ae5cb4f3fab18425a4d092c2484df21d8e235fa46b7cf501f9c0da0c27b54a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
8b294c10c650ac5b456e12d35b34aef8

SHA1
a2f2e0630571f5f85c37d5ea12915728404f2f5a

SHA256
8a602c86eeccb39ff5577ad1f79dca6ed49892efedfdff394258f2b2cc7fa28b

SHA512
a9d7cd0856890c3cb09e5abec55eadb3670b34789583fbe4c37daf1e1cbdced56069a5a15e00002b12dc37cbfae1e23ce6e04fad29296edf9583276613042e97

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
974d2d44527f9fb336b32d857d4b0848

SHA1
f9959cf6b00ab8a3db79b347f14d864f696da83c

SHA256
04f290e1d7be185dee1350d90e4242b163e575ecdbaab2153395cb1db575b233

SHA512
62bdea09f9d49773df6e7389c94bebb3f699af36e2d4c4e44b5959a4a65d3e145ba4995e4daeb15b5670363f952f711438770ba69a27ce78c85c7f76cc3c67d6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
2c456a7081d82eaca3f5e8badec2986e

SHA1
b68f0442b9613b216db44db3146022e78c8983a2

SHA256
5f8800cc48ef1b3a1e02e139edcfbed2f30e40acc46375c2acf9b1dc27e8c7e3

SHA512
3de38539de54caaf11dd1a1aaef924fb1a7b1d562df52c3115aab1a1b552f300431f2bde00fac148a711b7c5aa0449fc1df3ed27c8f3201e0825db2f51d4d913

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
d35afec6a2b607860561dacb5be4477b

SHA1
9fd6216b3f935b981b815e11d8fb0a96e4ec7f58

SHA256
b2501094aebdeb7c772d1ce6448a2fbf19bb767f9fe4edacd77171f656ea4248

SHA512
5f512cd1e798ef5b9993cd4b1b9df9da59688009ca2be2e9f857aee523a805b2bf9babb096093f292ff93e6697e49d442d1aa6991d793468c121b20121592e2a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
2b060e0193f0982da00312b1ad7fc43b

SHA1
a47d997e6cb2aa1c9622ea5c42b1e7ceeb629de8

SHA256
b5c185e54cc5bf27ffdcb33f20649f6a34445ee8387f3e2fd363e95b1af15409

SHA512
371cf22485a3f1a6a506dd87c943d8776e75c63a0c72f86b8340c2593d191bf70234e2787a1b52f96e62a1d02c5f50833bd3faa51fdb2460d0b929f59d2e5be9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
3947f53653a5ac967ea86a2873a295be

SHA1
fa5c47a01905207a4b45a14770585d3f1769167b

SHA256
c27360d147bbed33fed09611bf47ac9503f6ec46ee19982035573b67c1673bd9

SHA512
8a769a49a27d5fa233e4ed6383d67108f1b9cb263363d4d56a5050adc29d57b48907c53a820dbcdc0d58d892dd0f4c9ef7d7668a7ed8c43fad929d1fbbb00e24

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
f9548b1810fa5ad7b03461750f7f64dd

SHA1
ac6daa2a0812f51865e664686550a0264a23844e

SHA256
16d0bedcbc40481fdb510652e772b0bf9c7b1015ead008cd2f7951955dd7dae5

SHA512
4ccebf4d080ad158745f05472e93e3d4cae4ddfe4dfa4bc5bc8d1aaee9659d92bec14b9a583a9214702b868f3415c916081168dceea9a77292c6d399f1c0f568

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\storage\default\https+++www.youtube.com^partitionKey=%28http%2Czone-h.org%29\idb\338426317LCo7g%sCD7a%t8afbcabs.sqlite

Filesize
48KB

MD5
c010f969658b2c547bdc8defcaa7484d

SHA1
e082b3490fddac13f52e0faa7c0bb6583291b5ef

SHA256
51638d8138e348e8ac77b4681a2bbea92685fe929741dafc7cf30e7d205923e8

SHA512
b388ff850c1b9f40186853ba5001247703142d33886749c8439ba45537116e37047860ad1247a2c583ceacbc4cbf3f4f9e4bf4824b8efc93a3f336538e459ac5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
376KB

MD5
af317ebba7976fd71b3d868580ff2031

SHA1
038a2db48822976b600db096c4a75928fefd875b

SHA256
96ec654c1401aa446abc09a1d2c80f2ca61cf646f44a060a4678ca4dfbed43eb

SHA512
31fb2c380389e04b36d5df5664dae0151854f7444a9abf9a36bc8e239061dcecd5bacafc206c4aa28759e626b1999c491394b0a6bf3b030f86a5209c6a833ed7

Download Submit
C:\Users\Admin\Desktop\Links Grabber By Mf4Tn [zone-h] v3\Links Grabber By Mf4Tn .exe

Filesize
119KB

MD5
52b8a584fa6df999feac0a2df6c4df9e

SHA1
ecb7f2c26ab2ade4cfbc8be927c431986cb972bc

SHA256
f8bced63e388f43d1a3f0ff624dc71a0dbbdae02257b6ab0ba30bae442d0c33c

SHA512
8b823ab2a1ce74bfd3ffda35b26480e13f4993a0d96d6b3e62be338d503d137ea6c7f99cea2b87c073dd66d1da5ea2cc369f6e470ce995353839bc016bac783d

Download Submit
C:\Users\Admin\Desktop\Links Grabber By Mf4Tn [zone-h] v3\Links Grabber By Mf4Tn [zone-h] v3.exe

Filesize
559KB

MD5
d1c72b5a269d93880a5501134fdffd4e

SHA1
1d1cd31b2f4bb7b883e03e7980f0f519d6b2a412

SHA256
3c5792b0162130d23f6fc52e386eb9a20aa018a9ee5b11d03fae12f48798e209

SHA512
3f84c3643f240b2f82e5081abb8049e5a857c96f27345fed4f9eddebdf48a158df8aff712eab208d3cf893b1db57d3a5334ddbbad4a3d4e68646d9b526c96dfe

Download Submit
memory/1760-291-0x00007FFD35A80000-0x00007FFD36421000-memory.dmp

Filesize
9.6MB

Download
memory/1760-321-0x00007FFD35A80000-0x00007FFD36421000-memory.dmp

Filesize
9.6MB

Download
memory/1760-292-0x000000001C810000-0x000000001C8AC000-memory.dmp

Filesize
624KB

Download
memory/1760-290-0x000000001C2A0000-0x000000001C76E000-memory.dmp

Filesize
4.8MB

Download
memory/1760-289-0x00007FFD35A80000-0x00007FFD36421000-memory.dmp

Filesize
9.6MB

Download
memory/1760-288-0x000000001BD20000-0x000000001BDC6000-memory.dmp

Filesize
664KB

Download
memory/1760-287-0x00007FFD35D35000-0x00007FFD35D36000-memory.dmp

Filesize
4KB

Download
memory/2684-337-0x00000000033A0000-0x00000000033A8000-memory.dmp

Filesize
32KB

Download
memory/3080-363-0x000000001CF70000-0x000000001CFD2000-memory.dmp

Filesize
392KB

Download
memory/3080-362-0x000000001B370000-0x000000001B37C000-memory.dmp

Filesize
48KB

Download
memory/3080-361-0x0000000000DA0000-0x0000000000DA8000-memory.dmp

Filesize
32KB

Download
memory/4696-312-0x000000001B0F0000-0x000000001B118000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads