netsupport | hxxps://www[.]4sync[.]com/web/directDownload/RPjWS2ET/tBq1mUpE[.]f0fa2e9d3a71d39b343bad0edd034306

Analysis

max time kernel
68s
max time network
58s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
20-01-2025 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.4sync.com/web/directDownload/RPjWS2ET/tBq1mUpE.f0fa2e9d3a71d39b343bad0edd034306

Score

10^/10

netsupport discovery execution persistence rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Netsupport family
netsupport

Blocklisted process makes network request 1 IoCs

flow	pid	Process
28	2368	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
3488	client32.exe

Loads dropped DLL 6 IoCs

pid	Process
3488	client32.exe
3488	client32.exe
3488	client32.exe
3488	client32.exe
3488	client32.exe
3488	client32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\ProgramData\\6n5yt18\\client32.exe"	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Payment_35.js:Zone.Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3388	firefox.exe
Token: SeDebugPrivilege	3388	firefox.exe
Token: SeDebugPrivilege	3388	firefox.exe
Token: SeSecurityPrivilege	3488	client32.exe

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
3388	firefox.exe
3388	firefox.exe
3388	firefox.exe
3388	firefox.exe
3388	firefox.exe
3388	firefox.exe
3388	firefox.exe
3388	firefox.exe
3388	firefox.exe
3388	firefox.exe
3388	firefox.exe
3388	firefox.exe
3388	firefox.exe
3388	firefox.exe
3388	firefox.exe
3388	firefox.exe
3388	firefox.exe
3388	firefox.exe
3388	firefox.exe
3388	firefox.exe
3388	firefox.exe
3488	client32.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3388	firefox.exe
3388	firefox.exe
3388	firefox.exe
3388	firefox.exe
3388	firefox.exe
3388	firefox.exe
3388	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3400 wrote to memory of 3388	3400	firefox.exe	79
PID 3400 wrote to memory of 3388	3400	firefox.exe	79
PID 3400 wrote to memory of 3388	3400	firefox.exe	79
PID 3400 wrote to memory of 3388	3400	firefox.exe	79
PID 3400 wrote to memory of 3388	3400	firefox.exe	79
PID 3400 wrote to memory of 3388	3400	firefox.exe	79
PID 3400 wrote to memory of 3388	3400	firefox.exe	79
PID 3400 wrote to memory of 3388	3400	firefox.exe	79
PID 3400 wrote to memory of 3388	3400	firefox.exe	79
PID 3400 wrote to memory of 3388	3400	firefox.exe	79
PID 3400 wrote to memory of 3388	3400	firefox.exe	79
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 2676	3388	firefox.exe	80
PID 3388 wrote to memory of 3256	3388	firefox.exe	81
PID 3388 wrote to memory of 3256	3388	firefox.exe	81
PID 3388 wrote to memory of 3256	3388	firefox.exe	81
PID 3388 wrote to memory of 3256	3388	firefox.exe	81
PID 3388 wrote to memory of 3256	3388	firefox.exe	81
PID 3388 wrote to memory of 3256	3388	firefox.exe	81
PID 3388 wrote to memory of 3256	3388	firefox.exe	81
PID 3388 wrote to memory of 3256	3388	firefox.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.4sync.com/web/directDownload/RPjWS2ET/tBq1mUpE.f0fa2e9d3a71d39b343bad0edd034306"
1⤵
- Suspicious use of WriteProcessMemory
PID:3400
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://www.4sync.com/web/directDownload/RPjWS2ET/tBq1mUpE.f0fa2e9d3a71d39b343bad0edd034306
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1940 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1584 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {44ca02ce-0156-4d83-a29d-304a9d5e787b} 3388 "\\.\pipe\gecko-crash-server-pipe.3388" gpu
    3⤵
    PID:2676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2368 -parentBuildID 20240401114208 -prefsHandle 2344 -prefMapHandle 2332 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8841d68b-1584-4791-8954-4c5053d9349b} 3388 "\\.\pipe\gecko-crash-server-pipe.3388" socket
    3⤵
    PID:3256
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3020 -childID 1 -isForBrowser -prefsHandle 3028 -prefMapHandle 3044 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 952 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1cae3e17-5550-4c1f-9da6-2d8b3824b390} 3388 "\\.\pipe\gecko-crash-server-pipe.3388" tab
    3⤵
    PID:2460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4032 -childID 2 -isForBrowser -prefsHandle 4028 -prefMapHandle 4024 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 952 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c71950a-da2a-4cc7-a05e-50b33205baea} 3388 "\\.\pipe\gecko-crash-server-pipe.3388" tab
    3⤵
    PID:1348
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4468 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4716 -prefMapHandle 4712 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f006686d-d8de-47bd-ae63-c13ac441f8bf} 3388 "\\.\pipe\gecko-crash-server-pipe.3388" utility
    3⤵
    - Checks processor information in registry
    PID:3572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5828 -childID 3 -isForBrowser -prefsHandle 5820 -prefMapHandle 5816 -prefsLen 27218 -prefMapSize 244658 -jsInitHandle 952 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc937fa0-c59a-487f-b2a7-a2cb7d601f5a} 3388 "\\.\pipe\gecko-crash-server-pipe.3388" tab
    3⤵
    PID:1468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5956 -childID 4 -isForBrowser -prefsHandle 5964 -prefMapHandle 5968 -prefsLen 27218 -prefMapSize 244658 -jsInitHandle 952 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ea2c9d5-0e81-4a92-9398-2ab52db7a1f4} 3388 "\\.\pipe\gecko-crash-server-pipe.3388" tab
    3⤵
    PID:5048
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6152 -childID 5 -isForBrowser -prefsHandle 6160 -prefMapHandle 6164 -prefsLen 27218 -prefMapSize 244658 -jsInitHandle 952 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {58529f5d-cc6d-45a0-8740-ee4b7081432f} 3388 "\\.\pipe\gecko-crash-server-pipe.3388" tab
    3⤵
    PID:4636

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Payment_35.js"
1⤵
- Blocklisted process makes network request
- Adds Run key to start application
PID:2368
- C:\ProgramData\6n5yt18\client32.exe
  "C:\ProgramData\6n5yt18\client32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\6n5yt18.zip

Filesize
6.4MB

MD5
18605ec1a9b44bd056dfbeef79a27f89

SHA1
a67fccff3666f82dc3b517a0bb9a76604c33c9f2

SHA256
5d5e67fb50030d44113ab3fff345319a7fc366957c7f9368e94264416de2dbf1

SHA512
e839b984a8c06924ef0507050ee406005eb166b8e8edf2c87dc79fecca5750b85d0ef5947183cc8360a3e67c83c33e663f771874b3d643e0150971a9ee056a22

Download Submit
C:\ProgramData\6n5yt18\HTCTL32.DLL

Filesize
320KB

MD5
c94005d2dcd2a54e40510344e0bb9435

SHA1
55b4a1620c5d0113811242c20bd9870a1e31d542

SHA256
3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

SHA512
2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

Download Submit
C:\ProgramData\6n5yt18\NSM.LIC

Filesize
195B

MD5
e9609072de9c29dc1963be208948ba44

SHA1
03bbe27d0d1ba651ff43363587d3d6d2e170060f

SHA256
dc6a52ad6d637eb407cc060e98dfeedcca1167e7f62688fb1c18580dd1d05747

SHA512
f0e26aa63b0c7f1b31074b9d6eef88d0cfbc467f86b12205cb539a45b0352e77ce2f99f29baeab58960a197714e72289744143ba17975699d058fe75d978dfd0

Download Submit
C:\ProgramData\6n5yt18\PCICHEK.DLL

Filesize
18KB

MD5
104b30fef04433a2d2fd1d5f99f179fe

SHA1
ecb08e224a2f2772d1e53675bedc4b2c50485a41

SHA256
956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

SHA512
5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

Download Submit
C:\ProgramData\6n5yt18\PCICL32.dll

Filesize
3.6MB

MD5
d3d39180e85700f72aaae25e40c125ff

SHA1
f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

SHA256
38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

SHA512
471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

Download Submit
C:\ProgramData\6n5yt18\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
C:\ProgramData\6n5yt18\client32.ini

Filesize
675B

MD5
c2f1650f30a58d315d63afcb41477e2c

SHA1
07e4bc45bee544addb3adede9707eabdec07e59f

SHA256
42c08ee408c75ed058844294e303143012063e6d0689d3b5ad7d8932be159803

SHA512
a5acef1bfe7bdb81cb5361654c869a41fd14436e3de0aeffb1388dad1ee3b0bfb02cdeafe61c48395c696e4dcc2eea298bca38527144c35ee1180126b95b1137

Download Submit
C:\ProgramData\6n5yt18\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\ProgramData\6n5yt18\pcicapi.dll

Filesize
32KB

MD5
34dfb87e4200d852d1fb45dc48f93cfc

SHA1
35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

SHA256
2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

SHA512
f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

Download Submit
C:\ProgramData\6n5yt18\settings\apprun.dll

Filesize
740KB

MD5
975ea37829f057463e66b3c237f1c27a

SHA1
972cb78912f7e975383a8137a2e982b25333e633

SHA256
8b496688cf2d963eca198f0291d1448b0f357fbd764e22db7dcc7b252bd71562

SHA512
8463210ed0238785848a65b0d51fbe6b0f67e01a1659a0db5ee9493a1ef3ea9fcd504246e3fde5898ad60692d106319845ebedf6bd9dc159e6b2bfe307ff3d8a

Download Submit
C:\ProgramData\6n5yt18\settings\avcodec-53.dll

Filesize
1.0MB

MD5
bba1fe328cea501fcce1e5df16276439

SHA1
ed4ad3a8d6f0e3dd86abb19bc18127f960ea2131

SHA256
f5522d2c936de8d53f97a6ec439d8f8391cb50a0bc6008a399f9454c00929d35

SHA512
8f585d57baa39d3e5e6b62efea53b6b3797319ae86c0c4373774d08e284a49c0bd005e200ae4fabc789470b3f100f98c8ce503fd4702f79dcbf4be4aabc58a9e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\maevrvll.default-release\activity-stream.discovery_stream.json

Filesize
22KB

MD5
41adaaf7e42b35909e90913dce7834cb

SHA1
52ae93d483d11c7139bd8c92c71ea1b268e1a21f

SHA256
767ce586abfd771dab5facb29a2ac023c5adb98bc22b224e01a16276d1de5b8a

SHA512
a325536b1f17fc90b3fd7eb71e6d0b85c5f523e81ef1dd97e513dbd5f56c91b26f7ba514ecb9a43a23f628df0d7149f6b7badff7ec194d238d9a4e721d53d038

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\maevrvll.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\AlternateServices.bin

Filesize
6KB

MD5
8d1d6454e1c0e70ab5f5e1d0cbb87989

SHA1
368352c57c1cb6d22adf5d7770eb0a866100af25

SHA256
7560a130b957ced03738294e6f49d29cc8ac1bb2c5a1957e13735a666522eae5

SHA512
e46320103b88635f0f48c49e78ba364557ba51341bdfce6d0c412a4452f5f85ba809fa3308616894a4cb1f14cbf49d635a63e8f862ae3a9d8b825ba2ef79cdae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\AlternateServices.bin

Filesize
8KB

MD5
8dd0115a33ea63e776f4ac70ebcfe3ea

SHA1
1c3099ebcb3e0f63c513a1010287a8880c32552f

SHA256
489d052d22c60a7f4f8829b394f7527fb4ef07d9b85a1e9b22b095602294f7d5

SHA512
7f8edc9eed9fcb1f2ff546a0241cd658ba25bf5190ad480fc0d43d6f2541fe7d9d71e9b423f9401e2bbcceebdb0ac4ac38d1f2c04f4c1caa382b68b5df6cc28f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
ae07cca32b66c66e0fde2fedffdd9f61

SHA1
c043a370910b89e13dc39431f6e6f9c5f0caa897

SHA256
64678457d2160ec343a510d0b1d7cb7d615f530643b9bbc7beac1976211410d8

SHA512
411f209a066ae8b41e259583cdb7a89aa3d05b87e6070c1956d4e99514d0a4145d1036f46a473330cff104daf69e2120c8fb5303f15bb83d06bef2fd3bbfb098

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
969e2fbd9dcd676ab27158f7f4bf9f3d

SHA1
57beb8f318b3ea2e66bb1d5409ecdd45932714fa

SHA256
1d263c70b4581a492a0fe834fd88b20e176806c2cd3ce5b7c14bbbfdce79c90c

SHA512
c2c32f48cba7a61ca0762589661469bca67551adc0c3b7b969908d941349a946efff93324dcdf72dc42a208c8d4232a30012bbd3b707af55a3280daf2b102e8f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
e888a49fe5a03a47a16aed66ea2cb379

SHA1
382589a5f2d64907ee6d2f9b4144b45a4c173939

SHA256
2c4994b67cc74cbcc39fdc265cd0a18cb08830c4a3fa1e626ed4257b486c4891

SHA512
418d3d822b118a05e05266d29e939bc31522a723e9ecc4e4be54811ba3c0c4685ae476d320faeb5c7e7adba2e49b63a405a14fd7732f9d0bbd5690d65398febe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
0f9871f47c5c2c1cbf816fe7d3c2f255

SHA1
65ec02284107a9e1eb3a7bcc3fd90a1df2a2aeed

SHA256
b0d73ad54160ff4d28dd30cc7144d1d01cec2e3d85c9eec7a40156b6e2f0b63a

SHA512
d37ca5be8bbd976b44df8e5be3e64a8865a9963488dbd12d8e24e677daeb90f03608e213f883d7402bff5cea193359d6179fd832d21f08aa1e746da866426210

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\pending_pings\1efb2b1d-43ac-4b05-90db-7285f4f8d4a1

Filesize
25KB

MD5
4707e5c9427ebf9b3f4f5d7f0402b8a5

SHA1
970c35298410ae4c4645c42adc26dd9938133312

SHA256
88ef85e8e5f9913bec93e4e1f29b8d9f2e7d1068a79ab4c1f3065aa3b2f73afd

SHA512
f7d6a7cfafade278f331e25925868a2e698955281e375ebe7ddcab9cebbca9f843838eccc203fcd62f461330bad48c24aa836dede31e513859d9852887a5c7ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\pending_pings\4280d6f2-34c0-483a-a536-7453030cf72c

Filesize
671B

MD5
d9f0a8c88ce77c5e7656d894b6d630f1

SHA1
709176fc8ea7607fde57fe0bd76b9c3c4aa9a777

SHA256
3f88d67cd799712ad7c852e43f6d064d249e8fa7493dcde09488d01901f58e63

SHA512
b6f817c98f5381d99ca165bd014ed03ebef5fd6a28143b9f3e13f00030539024c1e7bc9b090f2627729e55e7a0c23a765e8f401b7d4b2918a660afda978a47d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\pending_pings\d335780b-36e6-4b51-b47a-aed1255a565a

Filesize
982B

MD5
92fa43c6175eac9a7232fb2b3a8809c9

SHA1
c335ca6e02093df71eebcfd134bc07a0901b36c4

SHA256
3513cc6f19b9a11a46ceacbe5cf21d42cedf964e55186c8cc17cad9361c6fc20

SHA512
bd7d6f7a0a5549865dd7b2d51625cfe5406c05fa8378f6ace3661024bf987f5992dd9faf69b1db4b529f8ec7fa2fc4635ef853c694fcba2b5e3f2e44b288ff12

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\prefs-1.js

Filesize
10KB

MD5
7814c72fd68514fad5ce24e05b1a11dd

SHA1
ca1f1e744c04bfa0a4a560a0e7d0ccf8e15986b2

SHA256
b97c38277960322606f8393db6831e333405106f775f6d82c9ec190c5a64aae3

SHA512
69abd6a97f1bfba6665e989d3301b9efd09ef91f1ed493d9935d86cb26fb85cb757a0ffcbaed920ea872f3d56fd3f48ca046bfb53712dbd4ab3b0eff699f05b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\prefs.js

Filesize
10KB

MD5
38ce8e3b844056d4b05dff6e186d1107

SHA1
b3b9a495846d37e41b16ed683140c112ba7bcebe

SHA256
8b8d631b37e524e8270fafec374f2cd5d71a7cdead75ce7a98482785a4fb7888

SHA512
4bf6fe6fb81e7a5275fdf58dc373e0ec0e5d0a2c868f5b2fb156fca0ae9cd91951ddb077a59da57fc4fe697bb2a367708a68de4b0adb5be5fbb64f74039b73ab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\prefs.js

Filesize
9KB

MD5
ab5fe5a92ecfa4918710dadeccdefb0f

SHA1
fa83779b57d239223f5f930ea544238d789f975a

SHA256
5f7494c417e1edce7e68f29c139d64f65d32a13fcd3f9d43ad3e2863957f3830

SHA512
da48890fc3c2e86b10fb4c15f18c6805fa76e28d1f410ba402fcde1c2e32e0585b05a4312bc6012bf6a7eac7ff4e2ca818ab5ee8ee9818f82df7541750d78c95

Download Submit
C:\Users\Admin\Downloads\Payment_35.bVhT0zO6.js.part

Filesize
4.0MB

MD5
aa22b147ea79a429797315b0282a57b1

SHA1
9c3df87d03afc87a88b92ca9e52bc4593c1fc42e

SHA256
18b281c467bde8cf246990bf8bacf1e8fd8d70107a04aa528f9f56343f15b690

SHA512
6b665a7c648e352ef0e0ba79c1c0ca90d35c5036af8c2b476fde41a87df140f38ae5f9bde881f9c7da3714f6af6b3e883bc997e9efd2694224ff047e9ef1e563

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads