0f9b67c6bb9d4921af1c6b73139206c426c7de49f3ddb7d434a319669d1b1292

Analysis

max time kernel
398s
max time network
399s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
18/02/2025, 09:52

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

R61Tex.png
Size

38KB
MD5

f5898706e57d4edf306fec196d1c465b
SHA1

4dcae202a36eb08b1c632a89ac9382f6cc927b2b
SHA256

0f9b67c6bb9d4921af1c6b73139206c426c7de49f3ddb7d434a319669d1b1292
SHA512

c85cb9fa575f2b3628d591733297df09302581bddbf0841175c51fcf6bbc1ab84665930c9bfac7f7b0199218c141b049c248107481432d7adbe9ea451849681b
SSDEEP

768:+oUWLrMMIVMP6uRk44WtH5FbS8nGBv4jdL+1iIsOuZorEQ:WWLXIVMPO44Mfdp64rst

Score

8^/10

bootkit defense_evasion discovery execution persistence

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
213	4640	firefox.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3524754987-2550789650-2995585052-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3524754987-2550789650-2995585052-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Executes dropped EXE 7 IoCs

pid	Process
4304	MEMZ.exe
3460	MEMZ.exe
4920	MEMZ.exe
2336	MEMZ.exe
2760	MEMZ.exe
1056	MEMZ.exe
2948	MEMZ.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
215	raw.githubusercontent.com
212	raw.githubusercontent.com
213	raw.githubusercontent.com
214	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3524754987-2550789650-2995585052-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1768	mspaint.exe
1768	mspaint.exe
3460	MEMZ.exe
3460	MEMZ.exe
3460	MEMZ.exe
4920	MEMZ.exe
3460	MEMZ.exe
4920	MEMZ.exe
3460	MEMZ.exe
4920	MEMZ.exe
3460	MEMZ.exe
4920	MEMZ.exe
2336	MEMZ.exe
2336	MEMZ.exe
4920	MEMZ.exe
3460	MEMZ.exe
4920	MEMZ.exe
3460	MEMZ.exe
2760	MEMZ.exe
2336	MEMZ.exe
2760	MEMZ.exe
2336	MEMZ.exe
2760	MEMZ.exe
2336	MEMZ.exe
2760	MEMZ.exe
2336	MEMZ.exe
3460	MEMZ.exe
4920	MEMZ.exe
3460	MEMZ.exe
4920	MEMZ.exe
1056	MEMZ.exe
1056	MEMZ.exe
1056	MEMZ.exe
1056	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
3460	MEMZ.exe
3460	MEMZ.exe
2336	MEMZ.exe
2336	MEMZ.exe
2760	MEMZ.exe
2760	MEMZ.exe
2760	MEMZ.exe
2336	MEMZ.exe
2760	MEMZ.exe
2336	MEMZ.exe
3460	MEMZ.exe
4920	MEMZ.exe
3460	MEMZ.exe
4920	MEMZ.exe
1056	MEMZ.exe
1056	MEMZ.exe
1056	MEMZ.exe
1056	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
3460	MEMZ.exe
3460	MEMZ.exe
2336	MEMZ.exe
2336	MEMZ.exe
2760	MEMZ.exe
2760	MEMZ.exe
2760	MEMZ.exe
2336	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2508	msedge.exe
2508	msedge.exe
2508	msedge.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	4640	firefox.exe
Token: SeDebugPrivilege	4640	firefox.exe
Token: SeDebugPrivilege	4640	firefox.exe
Token: SeDebugPrivilege	4640	firefox.exe
Token: SeDebugPrivilege	4640	firefox.exe
Token: SeDebugPrivilege	4640	firefox.exe
Token: SeDebugPrivilege	1272	taskmgr.exe
Token: SeSystemProfilePrivilege	1272	taskmgr.exe
Token: SeCreateGlobalPrivilege	1272	taskmgr.exe
Token: SeShutdownPrivilege	3460	MEMZ.exe
Token: SeShutdownPrivilege	2760	MEMZ.exe
Token: SeShutdownPrivilege	1056	MEMZ.exe
Token: SeShutdownPrivilege	4920	MEMZ.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1768	mspaint.exe
1768	mspaint.exe
1768	mspaint.exe
1768	mspaint.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
3460	MEMZ.exe
2760	MEMZ.exe
4920	MEMZ.exe
1056	MEMZ.exe
1056	MEMZ.exe
4920	MEMZ.exe
2760	MEMZ.exe
3460	MEMZ.exe
3460	MEMZ.exe
2760	MEMZ.exe
4920	MEMZ.exe
1056	MEMZ.exe
1056	MEMZ.exe
4920	MEMZ.exe
2760	MEMZ.exe
3460	MEMZ.exe
3460	MEMZ.exe
2760	MEMZ.exe
1056	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
1056	MEMZ.exe
2760	MEMZ.exe
3460	MEMZ.exe
3460	MEMZ.exe
2760	MEMZ.exe
1056	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
2760	MEMZ.exe
3460	MEMZ.exe
1056	MEMZ.exe
3460	MEMZ.exe
2760	MEMZ.exe
1056	MEMZ.exe
4920	MEMZ.exe
2760	MEMZ.exe
1056	MEMZ.exe
4920	MEMZ.exe
3460	MEMZ.exe
3460	MEMZ.exe
2760	MEMZ.exe
1056	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
1056	MEMZ.exe
3460	MEMZ.exe
2760	MEMZ.exe
3460	MEMZ.exe
2760	MEMZ.exe
4920	MEMZ.exe
1056	MEMZ.exe
4920	MEMZ.exe
1056	MEMZ.exe
2760	MEMZ.exe
3460	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 4640	752	firefox.exe	88
PID 752 wrote to memory of 4640	752	firefox.exe	88
PID 752 wrote to memory of 4640	752	firefox.exe	88
PID 752 wrote to memory of 4640	752	firefox.exe	88
PID 752 wrote to memory of 4640	752	firefox.exe	88
PID 752 wrote to memory of 4640	752	firefox.exe	88
PID 752 wrote to memory of 4640	752	firefox.exe	88
PID 752 wrote to memory of 4640	752	firefox.exe	88
PID 752 wrote to memory of 4640	752	firefox.exe	88
PID 752 wrote to memory of 4640	752	firefox.exe	88
PID 752 wrote to memory of 4640	752	firefox.exe	88
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2456	4640	firefox.exe	89
PID 4640 wrote to memory of 2660	4640	firefox.exe	90
PID 4640 wrote to memory of 2660	4640	firefox.exe	90
PID 4640 wrote to memory of 2660	4640	firefox.exe	90
PID 4640 wrote to memory of 2660	4640	firefox.exe	90
PID 4640 wrote to memory of 2660	4640	firefox.exe	90
PID 4640 wrote to memory of 2660	4640	firefox.exe	90
PID 4640 wrote to memory of 2660	4640	firefox.exe	90
PID 4640 wrote to memory of 2660	4640	firefox.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\R61Tex.png"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:1264

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:752
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Downloads MZ/PE file
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2004 -parentBuildID 20240401114208 -prefsHandle 1932 -prefMapHandle 1912 -prefsLen 27322 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9122202c-0395-4ede-bcde-461e59c6663a} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" gpu
    3⤵
    PID:2456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2396 -prefsLen 27200 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {510b396b-8cbf-472d-9244-7d0f1043701b} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" socket
    3⤵
    - Checks processor information in registry
    PID:2660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2952 -childID 1 -isForBrowser -prefsHandle 3208 -prefMapHandle 3088 -prefsLen 22636 -prefMapSize 244628 -jsInitHandle 1176 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba527637-06ad-4caf-839c-b152c48b3bc5} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" tab
    3⤵
    PID:2428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4080 -childID 2 -isForBrowser -prefsHandle 4072 -prefMapHandle 4008 -prefsLen 32574 -prefMapSize 244628 -jsInitHandle 1176 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {414614f3-34b5-415c-9906-72db752a7510} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" tab
    3⤵
    PID:3764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4784 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4824 -prefMapHandle 4820 -prefsLen 32662 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fd5beaf-5427-406a-959c-3d2b19caa311} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" utility
    3⤵
    - Checks processor information in registry
    PID:2904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5384 -childID 3 -isForBrowser -prefsHandle 5356 -prefMapHandle 5360 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1176 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d312ea13-d0cb-42c6-93d5-9890db8d948b} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" tab
    3⤵
    PID:4364
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5504 -childID 4 -isForBrowser -prefsHandle 5520 -prefMapHandle 5524 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1176 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3181cc62-09d0-493a-ae62-6e069cd75d48} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" tab
    3⤵
    PID:2444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5784 -childID 5 -isForBrowser -prefsHandle 5792 -prefMapHandle 5796 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1176 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {816d4c4a-8d23-4f45-9d86-708c4cc2561a} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" tab
    3⤵
    PID:4876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3040 -childID 6 -isForBrowser -prefsHandle 3584 -prefMapHandle 5036 -prefsLen 28044 -prefMapSize 244628 -jsInitHandle 1176 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a1c56ed-39c4-4ad8-88e9-d5b2bfe68794} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" tab
    3⤵
    PID:4312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6204 -childID 7 -isForBrowser -prefsHandle 4464 -prefMapHandle 4584 -prefsLen 28044 -prefMapSize 244628 -jsInitHandle 1176 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {035536f6-849a-4bc3-bb38-19bd858c5b38} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" tab
    3⤵
    PID:3868

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\OutProtect.js"
1⤵
PID:3664

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:652

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:3456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
1⤵
PID:3480

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3892

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4304
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3460
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4920
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2336
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2760
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1056
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /main
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  PID:2948
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=montage+parody+making+program+2016
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    PID:2508
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x148,0x14c,0x150,0x124,0x154,0x7ffcd7ea46f8,0x7ffcd7ea4708,0x7ffcd7ea4718
      4⤵
      PID:1224
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,3326018087029372611,10245550485052039516,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
      4⤵
      PID:4880
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,3326018087029372611,10245550485052039516,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
      4⤵
      PID:1664
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,3326018087029372611,10245550485052039516,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2976 /prefetch:8
      4⤵
      PID:3616
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3326018087029372611,10245550485052039516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
      4⤵
      PID:1548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3326018087029372611,10245550485052039516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
      4⤵
      PID:548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3326018087029372611,10245550485052039516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2708 /prefetch:1
      4⤵
      PID:4504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,3326018087029372611,10245550485052039516,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
      4⤵
      PID:1656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,3326018087029372611,10245550485052039516,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
      4⤵
      PID:2660

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1272

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7fb0955b2f0e94f2388484f98deb88f4

SHA1
ab2363d95af3445a00981e78e6b6f0b860aade14

SHA256
a7c4cb739d577bfc41583a2dbf6e94ae41741c4529fe2d0443cd1dabefef8d15

SHA512
c9b6b6de78fb78c11b88860cd6c922d11717f5cf7477f602f197531aea114270c2b7111f66d96f60c3a9317fbf203fd26222e81d2d0eb70ad6515f5af1277edf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\88ac8937-78e8-4094-adca-5cc93f54cd31.tmp

Filesize
24KB

MD5
cdd119b072b59ad1e725c3696721c82c

SHA1
6388a6d580637a04e8fc2d344b396ad16914f4fc

SHA256
1ce06b4f5458990ff1eb513d128267dea55902b605589f6c258b6a0f3baa6b08

SHA512
5c3562b88703209421b799128f3d1b0b27b607394221ff8903e65347663fcd9b98fc1dc077ad93fc53b689fcc90c796b98984c3a11dfbee9636456c02e580664

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
b7eb8dc872716458e79e211fd5c25549

SHA1
e606c9e3bed4ef7e9aa7b32989f5e8a1e82036b1

SHA256
2486e6c2d977e4e00a20d201a81d661e48259c2312a16a99b67294ac1c591cc5

SHA512
44784830b766365de37bdc2091ff2c8af41df7fe8688c78aacecbcb9e477bec35f10cb133435f1d1167a7dd0a037649793028578f85c2560d8c55f7b93ef9a5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
fb4e67dff1585efc1d3dd06463d2e4b6

SHA1
8e367064d751ec5143bf1fe9bbe348731d64c5ef

SHA256
f81fee71cec1d77411effa6be5b9e2352185484f31d77655a3d4662ce64dd319

SHA512
6608b175b3104d35cf72d4b7b1e3a1ba4649397fd79d097bfca73b165a2c0a955df0d4a809b5ef5edbc3d64d1198bd66b564d3d33987daae54963e5a75d4cbdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0af39e511778dfade1687ddd0ee02021

SHA1
2ba711489a006e6eb26633232caaff3e6790e5be

SHA256
a956dc3c4e97b77d56b56646a749eee3e21c131c498a99fe2e67231da40fbbc9

SHA512
ef34a4adf9f848e3861ee968eb3a8eafc0c65bc76146a3657f0de40f60ac1e60d93dd897baed6e9a7d469c7f63d1ebd0fa28bb51a68535d179566d9bdd6172ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4382832b02acfe14a71f018053394ca6

SHA1
007f4f705d61b71b6ecd13a3276f6c5ff68051ac

SHA256
f0d43e5613d78ca33640ae95995546fd7e9cef535e70ac098404e2f11a262802

SHA512
cc13542052c3fee65b682733750dc8105c23b34b032baeaf6191ebca7c708dc3a14e3266ab2e0e332a2ee775a39dfaa2f063ec699a81d8eeecb08333bb310d87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7d84cd61d6c2c5fe18e8e42e00e390cc

SHA1
e1d55ed6956d9b004b2e2b26d172fddab0234d0f

SHA256
5eaa643ba559ce7c7de029ec05498b1e844fa3eca8ca82794448b20405ffaa1b

SHA512
30714d5a509f57874bceb77ee1f5c77f5eeaaeb792cffaf4c7f27777fafa32ba82a79323a0989a76749c8fd5c33ed4c0be4869ca77f3ed5241a6189aaaeb3131

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
28KB

MD5
c256942dfdf7f8f146bbabcef340961a

SHA1
fae39aac27a3384e419df492adfd0873a5f58d1f

SHA256
abc5e1cbbc51800eafd034c8360453e724a0c37c86ac99c16738d7067e7bba73

SHA512
d6010617ab054fc80cd1a076f67fa485c4da25cf846d8cc93bc00fdf5d707ccb459b42ecc321120588fc285b8b00c6885ae7d80769a048ca700d1c3914881168

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7moxhto6.default-release\activity-stream.discovery_stream.json

Filesize
25KB

MD5
f6112fea4cba0a30ca24f1c3622238b1

SHA1
3266b37c7674bd583583ef2d0dda25f0d31baf98

SHA256
bae0451f2302514b5f5c5326d89b28324c1a8d624d8a123237c38618f8e2f852

SHA512
1f6ee04427a89fb0d36dcb4433ba6abbbe7b2186f129eca9507ad40a20ec55c96cdfca7a96e839494b24318494f87e6703f640e8f74a96a1a8248333eb4f4b3d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7moxhto6.default-release\activity-stream.discovery_stream.json.tmp

Filesize
19KB

MD5
86d6964d5f46cb3506e2b6f7fc0dfc44

SHA1
604daefc89df636c074c2307809fb6f3ad6e3bbd

SHA256
c6673595a4c961a1451536018f8b49a6e91367d4c9de061350dcd52f961c3351

SHA512
49dd138a29e34e0f634da152d966cf1c3f7238049e3225693089860d5c4b03d7f3d214d8464c1fb30e1e012d65168deb8b4a86abb916c08c21d3a8d5b682d7f4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7moxhto6.default-release\cache2\entries\5B23235D54208C34AFF88FC6F18585FD8A8F8FAD

Filesize
32KB

MD5
649834bf20b846e41ed449e7d266d252

SHA1
841f441dc920237ebb814717406bd6369b20788a

SHA256
2af5ed28fac742f04cf7b0e411abe2996755b766bedf47705a480d97de0a998b

SHA512
362eba7f0f4a8d7367d2eba4fca9e5452126f5a9a8f9ca42a079f6953e327a38251a873a29d760bd1b4d2ddfd2e4e3f9b7157de518e8349e66c1ce8ed9efbc46

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7moxhto6.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
13KB

MD5
6bf7da92863bd70a9c672ce54a4e005f

SHA1
c314a1b8a6f26d7f8a7984fe84cbf5b88023a411

SHA256
cd511d08cb8d67994893122563fa4b593db9bbfe44d4fac5b0e7a08d8b8ae454

SHA512
b4eccfdeab18b31123fe610f0ab9f528819774151431f319cec68a3ce6e0390aa1e51c6feac8b6dd911740ab011bdfd99c6bbd2cc5b022fe4c9351cbe9bd75b6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7moxhto6.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\05WFLILR63940I8RYKCD.temp

Filesize
7KB

MD5
ccd1b899196210bf7b818f3ed59ae98e

SHA1
817d88385dc79da83ff1ff1749af9956ddb3a6a3

SHA256
937b7e66abeccd83fde0ee95b30b0fff6aced4e732f102d3daeab367973ce733

SHA512
91c06e6823ef6d8d1862c40895f7e356e3f41dc30803c80de97033ba3e8f1e24eb7423efc52e0cecd42cc269ce53a84598722d7c6e5d02325ad72c3631e9c873

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7moxhto6.default-release\AlternateServices.bin

Filesize
7KB

MD5
acefd3c62b6d3350fff29f18d125541f

SHA1
c0f89c3bbc59a26840891330f7dc468c32bf25a9

SHA256
8049ae94d3766e5472e500de84130e5cfdaff1b5675d5bfbb9d8abfeeae1a937

SHA512
a237710f71ec96333380280c61b698cc0491474bb30bfeb2104888c3fa2cef91a2433d42b502164222684742abb5b243531bf2a2d03bdd0808d70d0ef9754a0f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7moxhto6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
51KB

MD5
f67340ff7c23cd37c7a187de1044ada0

SHA1
1f901d777f456dabde3827b2c2f91f06dddac959

SHA256
c4ff179275d818a90849c14419279f92f1f0604e6687df74b3997530cc6aea45

SHA512
d5b32ed2a1824be5a9b641816125cef9146b867400ba389d3c0ec80c441395145741097c6a74e40577930e7f811765b3ac89b1c89b0334b8b2d802b23941793a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7moxhto6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
33KB

MD5
0a2e62c14648c64df49682fdaaba9775

SHA1
c6d4d605e8546e6a021aad0ad047df7bb5a033a6

SHA256
70f5090a68b167d8de784e680864f2f9e1a81092abd54994dcde7f14a72e9682

SHA512
ec5e0c499fb1e9395e46282634282f71d4ec1d5e9c1a14882f06c318cfc343af9434424775b82b05894c8ea329f1fdf94c19a463e6444ec760b9c3a9feb08796

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7moxhto6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
52KB

MD5
9042908b98ccc7d8d18236ae074d9911

SHA1
5c0d97d35f28157fbd51fd2e39053705eeb6b9e4

SHA256
643d7cc0e0ae8df1b477e7bea78c8c7638e678fb1f35492b6f0d7bef96812859

SHA512
480b4d7c0fb170708578db93eb28fed838da9c34646744ef09d490bb8a1150ae83d20ce78f75fe86e909cd03c21c030644ca1d72128ef56c6991ff6efff94269

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7moxhto6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
996b5eb1a020b0333e7f95b5167230d9

SHA1
e0219d0dafd57aaab26dbfc0eeaa28bdcc4159fb

SHA256
0a7a0921062d47928eb20544bb235d63aed1b34c3e03fb3dbb7be41380f777c8

SHA512
691f45766b58dc48b0d21b349a9cf12eef4f2d0c78d5b0dbb5fea917648ddc3e33cede7e4ae3d16ecc63ac7509d821f7520cd3dcf316f155e7b4fbeb081d1a78

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7moxhto6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
cd24def810ab8eefebfde0e425b54e8f

SHA1
8dabf5a2255d76428c297d07cb336dc0c4d65ba1

SHA256
2f150ba5834df7fafa092c05b2dbf6577f5bc2773b9ca205805e2b1170d380b6

SHA512
2ae11a7a8c1d6ba9a8f2cba358bc55d7214cb781e51eaef9e766e5309ec23169cb556238ad2e6883c36ff16674fd9d76433a9f9bddd124cac5875b6046b748d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7moxhto6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
32691b7676c708ca283bd4b521b14196

SHA1
8a9759b777ff8cdb5b6481ef4472ac877ca43d07

SHA256
d9be25689abe861ce7e25861979e25c1b21777b4b79be913b00cbdbdd05813c0

SHA512
39bc71c973ace854b796071a0a899bb66f2ce1cbf2625b9de72b6808415eab89725047b51c0b780d00e3a096bb5c2ac33cc8ffa53898bb528b3354412b697bf3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7moxhto6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
e648cc7565624e6588c3b7725f999746

SHA1
3ee4aa1abcfc9885e82e1bc1e1c7f67e4c8880e0

SHA256
3b572540a348b2e0d62cd69b433fa4c5f83068f97f35e01f71e96b02a0ae68e3

SHA512
e7990a51a4224c9435d33e1749e4e0700f5f748dce63fcfa90237f3d2f24af49350422c814c3d9c5a14bf5eccb8ea50df1b097a5708f48f902bf0786a00e6a68

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7moxhto6.default-release\datareporting\glean\pending_pings\4693509d-3317-4292-b6c0-5a04c51bf594

Filesize
16KB

MD5
91d2187c62622f77e7bbc533114512d3

SHA1
4a8c94ed8235f17f5c3b8db8821d33c1ce9b569e

SHA256
7e0c24367f0de09ee27900f3299151f128e1a09572f341ce5f2c069eb6de5f1d

SHA512
f433c7c4c44c0aec6107ac0c0c54030b3419d90f07e74d97cb9637f9b34d040b6894cac0701aa13bc534ee2839de4ce1759b09bd2ff0fdf30c3c8229f69502e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7moxhto6.default-release\datareporting\glean\pending_pings\49a81942-852d-4690-9ebd-bdea18b948c2

Filesize
27KB

MD5
2aa926bac23400e052eb94d649f41680

SHA1
59c49f40086f01b28c97468ed0f969cb20202073

SHA256
49e536b09bc5ffe4c383a4f94283fa1fe930f80bd2d622fdaabd7dadbd5d9a22

SHA512
f07b1e0a9e3574b638be5278b04a22e4fdad5dac0c66b252766a8f353d27a275f33d9cafabf3db12349d42e0f51072c3bb7f0cd9eb4461857de7d92936ac5045

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7moxhto6.default-release\datareporting\glean\pending_pings\8d10398e-4e1c-42b3-b4db-844fa3d4ff81

Filesize
905B

MD5
bb29695fae31eace2ad766e36c9ecbfb

SHA1
7d4a7ac8a188890c7523c3d2c2a8ff2dc774a422

SHA256
81047500221e5e6f8bbaaad125bbe0b5e3cae97b12a35e92326044f821e26741

SHA512
fe062fe7f26e74a1146e4647f5968ed0340fa86c176120ec9246a549499353d7bccf59efbefc272db434f6b9e6bb171213389fb8ac18f9119e0205855c2f1501

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7moxhto6.default-release\datareporting\glean\pending_pings\8d632746-cc2d-493a-ae0d-eba7f5933abc

Filesize
671B

MD5
76436e8ab9b2a8c79ba0efb524843e61

SHA1
5f5f9baab3ee54ee35d5eabbd3f82b11b4e839e0

SHA256
634b9850d6560d6443dfacda884797e01930e8670c3e5d70dd56f9976bba6002

SHA512
efadf0e34698cb626f843ef0c388618d50dbfc59011a3a108d8d34164655511c82514dd87bf3c412e7300a89501834ee97e161676870b57608de5b8dbc91a258

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7moxhto6.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7moxhto6.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7moxhto6.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7moxhto6.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7moxhto6.default-release\prefs-1.js

Filesize
11KB

MD5
64a40b575aae5ac320742f1b482e239d

SHA1
a8d55fe4e839aede8c6f8fba41a2d2af72c1a4fc

SHA256
c09f49278dea50a4c0b24090588eb9a310a75d2a5645d4a64970e0f40db3c5cf

SHA512
4cf69a3a5bfdc903117c0deabc8802aa0851db1ed8d10168602e8e67c31eaee49585aad6413ca6b921575a9834271a740b6b4e572b96bd9faa021c764c56d2ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7moxhto6.default-release\prefs-1.js

Filesize
10KB

MD5
21c27d9c52b48cb25dbe97519982fe6d

SHA1
2d7af7d54ac3978d47258db4480b88c8279925da

SHA256
f4952e8b6dc5200a41fcd881db84b8551b419c585fe16984fa647aa3ed8bb366

SHA512
9a0eebd250385cda45a002f76b9798f4a1069ae102c8865d41b043f848320c8b331d470dc39b0211d1a1c512ee7adf9d2e0f1195bcf3360625cfe40d51506096

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7moxhto6.default-release\prefs-1.js

Filesize
11KB

MD5
b544b7d20e087bbc7213b82419696527

SHA1
f30d918bf84df9562d1c82ef0447d4327adb959e

SHA256
111eb9dacab09cc59a1bc4d72ef5c5bab71bf8155bc13ee3d200828859976464

SHA512
281f9b1de6c3cb95934d883fd19ba44b5da3129b4892a972ac1d3d31d477f67b5370e107dcf17706a927daeca80e116d6cc642440675313082e2ad6487bd8465

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7moxhto6.default-release\prefs-1.js

Filesize
9KB

MD5
61ecdd2b1c2e78a202734ed328b08904

SHA1
67b82990262fa9e2cf2745b4409c342fd6ac5074

SHA256
179acf1970bcbaca779a70dc86479a3c01589b2bab42d0e10aebf607380a1ad2

SHA512
331ecb06f0f84bf5d780de332231a58deabb35787532bf0b0b295e46f744d70354c7141501b74228e38591975c4683b927e4831446cd4f0b20fa233fdb1cb7db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7moxhto6.default-release\prefs.js

Filesize
9KB

MD5
5e8592e40e80caec8186e6746db893bf

SHA1
fa6c0cac376fbcb63c4a055a7c694ce1881bcf8a

SHA256
244ea65bc83134741ccaedee135e85bd63a27ffce2a30d20da222a64ae91c651

SHA512
031a661a6ef8ab62d75881528014ff4ca9372b2f856514cbab1bd8c068bc57863e5fceecf9c39661785a8eedd265dfb1d2f57ca0a72ae24ebe314a06f63bcbfa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7moxhto6.default-release\prefs.js

Filesize
11KB

MD5
fd66558b9e6a57b8c5064bbcbfe59c7b

SHA1
109b47b5e21a5b6948c42df92687d10049b2ef65

SHA256
6f0ba69adfffde2ee2806afaba645b99669532f8071dc7eafa5edee7920782c3

SHA512
f830e2f0e86de3bb3292dc911c0d3922b02ae7f73d041cebd7185f2d35c781fbb637912da612c7802bff67a9fa1ae3cace61f81573910f136999f2b17c603101

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7moxhto6.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
4a9ea71e88773592a44606a0e85a71bc

SHA1
2c743c5e37eca1694c35fc6af52a81e822bd3d21

SHA256
12424bbb8ad60d147972d9fd3ebb16d0290a3434446f67fc30c3a3ec394341e8

SHA512
df082cb6e930ecb9db5f80d50ff0ce7cdba8e4d5b201b1aa4c508e0e7b32baf2fffd0148f36cf2820a2d602694deedfe02709d8b3e97a1c381e40609902806ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7moxhto6.default-release\sessionstore-backups\recovery.baklz4

Filesize
17KB

MD5
eff0ff8ca58df28beb7203ced9fbe2b1

SHA1
01c2c4437d02784bfe79e7f1c880e51af8421166

SHA256
dd9163e461201d78193974d085d364a54855c11c3063bd8314b564732b1fedd7

SHA512
2eb7c50716f685028393d22ce2b2e136ba19eb5b2eb10538bc8231f3e7ef029f5f17d6701eb5b13f8b22d676e3e57caff6bb2cf9031d701f0e95c7b4cf3f8e7e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7moxhto6.default-release\sessionstore-backups\recovery.baklz4

Filesize
14KB

MD5
0337e90f275acf1dd8f01cfbd27b2307

SHA1
3418853b4a7dfa82cc3dba1bc381e9747d0ad490

SHA256
05cff8009c576c6b01961e5aabf5dc848f94c90ab1df3c828b31ae4102fd6b58

SHA512
15a4183b7234724fb13748bd6309ce4c149f6439c6eb7791dbc6fc3ba6b693a7b5af2f7be71d6cf56738f85d99d0aa14be090d945267374e9feaee1bd7a7b853

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7moxhto6.default-release\sessionstore-backups\recovery.baklz4

Filesize
17KB

MD5
3748f1f75146281de5a09c07e0f1b894

SHA1
4a21d87845a01502be178b9fd26d546ffa4720e8

SHA256
bf2264809057694e98369214dfa8b377f331d5170e98f68b30cb947f8ce76f18

SHA512
c28436e3ac7248c97cd44b2870bec6a87c0939f0e631fac59b1d7853a228650ce1a8bc3e9cd9a9a0e2dc4467aedb04c9d9dc6dfdbaf430c59ce9f9a3aefe0338

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7moxhto6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
656KB

MD5
5cf34f250a83ae57fa5191160cda4862

SHA1
b1410dbbd8e1510f0755028e35c6bd556eaeb364

SHA256
c01b8456f01607319f5974845a50210f7ce26cda2ac56ed75f4abc7da7428eda

SHA512
1c064ffe95f886da9a576914578c022293b27f2e0093b727f80b0504342a5068b7ae894ce3c9fb36576c5f901623049a4876bfa2162b0c90802dac9c71729499

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/1272-1030-0x000001753A7C0000-0x000001753A7C1000-memory.dmp

Filesize
4KB

Download
memory/1272-1031-0x000001753A7C0000-0x000001753A7C1000-memory.dmp

Filesize
4KB

Download
memory/1272-1025-0x000001753A7C0000-0x000001753A7C1000-memory.dmp

Filesize
4KB

Download
memory/1272-1026-0x000001753A7C0000-0x000001753A7C1000-memory.dmp

Filesize
4KB

Download
memory/1272-1027-0x000001753A7C0000-0x000001753A7C1000-memory.dmp

Filesize
4KB

Download
memory/1272-1028-0x000001753A7C0000-0x000001753A7C1000-memory.dmp

Filesize
4KB

Download
memory/1272-1029-0x000001753A7C0000-0x000001753A7C1000-memory.dmp

Filesize
4KB

Download
memory/1272-1021-0x000001753A7C0000-0x000001753A7C1000-memory.dmp

Filesize
4KB

Download
memory/1272-1020-0x000001753A7C0000-0x000001753A7C1000-memory.dmp

Filesize
4KB

Download
memory/1272-1019-0x000001753A7C0000-0x000001753A7C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads