rhadamanthys | 9950788284df125c7359aeb91435ed24d59359fac6a74ed73774ca31561cc7ae

Resubmissions

19-06-2024 15:18

240619-splwqsxcqn 10

19-06-2024 15:13

240619-slz9ysxcnj 10

Analysis

max time kernel
51s
max time network
56s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-06-2024 15:13

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

XWorm.exe
Size

456KB
MD5

515a0c8be21a5ba836e5687fc2d73333
SHA1

c52be9d0d37ac1b8d6bc09860e68e9e0615255ab
SHA256

9950788284df125c7359aeb91435ed24d59359fac6a74ed73774ca31561cc7ae
SHA512

4e2bd7ce844bba25aff12e2607c4281b59f7579b9407139ef6136ef09282c7afac1c702adebc42f8bd7703fac047fd8b5add34df334bfc04d3518ea483225522
SSDEEP

6144:2uWP/BtSnurUylcrGYlnIttxv8HbcLgsd1Gus5psdrvV44dixP+MHDkBYdxtG9+V:2uWP/BZUyoLu8Agsmxwrvejkd2

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4644-1-0x0000000002450000-0x0000000002850000-memory.dmp	family_rhadamanthys
behavioral2/memory/4644-2-0x0000000002450000-0x0000000002850000-memory.dmp	family_rhadamanthys
behavioral2/memory/4644-3-0x0000000002450000-0x0000000002850000-memory.dmp	family_rhadamanthys
behavioral2/memory/4644-4-0x0000000002450000-0x0000000002850000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

XWorm.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	XWorm.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	XWorm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	XWorm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	XWorm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	XWorm.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "221"	LogonUI.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings firefox.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

XWorm.exe

pid process

4644 XWorm.exe
4644 XWorm.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

XWorm.exefirefox.exe

description pid process

Token: SeShutdownPrivilege 4644 XWorm.exe
Token: SeCreatePagefilePrivilege 4644 XWorm.exe
Token: SeDebugPrivilege 4264 firefox.exe
Token: SeDebugPrivilege 4264 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

4264 firefox.exe
4264 firefox.exe
4264 firefox.exe
4264 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

4264 firefox.exe
4264 firefox.exe
4264 firefox.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

firefox.exeLogonUI.exe

pid process

4264 firefox.exe
5360 LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	firefox.exe

pid	process
4644	XWorm.exe
4644	XWorm.exe

description	pid	process
Token: SeShutdownPrivilege	4644	XWorm.exe
Token: SeCreatePagefilePrivilege	4644	XWorm.exe
Token: SeDebugPrivilege	4264	firefox.exe
Token: SeDebugPrivilege	4264	firefox.exe

pid	process
4264	firefox.exe
4264	firefox.exe
4264	firefox.exe
4264	firefox.exe

pid	process
4264	firefox.exe
4264	firefox.exe
4264	firefox.exe

pid	process
4264	firefox.exe
5360	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4292 wrote to memory of 4264	4292	firefox.exe	firefox.exe
PID 4292 wrote to memory of 4264	4292	firefox.exe	firefox.exe
PID 4292 wrote to memory of 4264	4292	firefox.exe	firefox.exe
PID 4292 wrote to memory of 4264	4292	firefox.exe	firefox.exe
PID 4292 wrote to memory of 4264	4292	firefox.exe	firefox.exe
PID 4292 wrote to memory of 4264	4292	firefox.exe	firefox.exe
PID 4292 wrote to memory of 4264	4292	firefox.exe	firefox.exe
PID 4292 wrote to memory of 4264	4292	firefox.exe	firefox.exe
PID 4292 wrote to memory of 4264	4292	firefox.exe	firefox.exe
PID 4292 wrote to memory of 4264	4292	firefox.exe	firefox.exe
PID 4292 wrote to memory of 4264	4292	firefox.exe	firefox.exe
PID 4264 wrote to memory of 2484	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 2484	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 3004	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 1500	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 1500	4264	firefox.exe	firefox.exe
PID 4264 wrote to memory of 1500	4264	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XWorm.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4292

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4264

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4264.0.2106152263\1814886941" -parentBuildID 20221007134813 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d23edd84-b392-4c97-9199-57017976f94a} 4264 "\\.\pipe\gecko-crash-server-pipe.4264" 1980 1e06d0dc158 gpu
3⤵
PID:2484

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4264.1.29605221\467344620" -parentBuildID 20221007134813 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8aaca320-2a08-4c9c-a10b-cc677255abbc} 4264 "\\.\pipe\gecko-crash-server-pipe.4264" 2384 1e06cc39e58 socket
3⤵
- Checks processor information in registry
PID:3004

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4264.2.526285470\717729971" -childID 1 -isForBrowser -prefsHandle 3180 -prefMapHandle 2984 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96a519f9-3aa6-4e31-80c0-a1d1cf74f66c} 4264 "\\.\pipe\gecko-crash-server-pipe.4264" 3184 1e0710bda58 tab
3⤵
PID:1500

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4264.3.1895851477\336238890" -childID 2 -isForBrowser -prefsHandle 3616 -prefMapHandle 3612 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3a28546-6350-4675-980e-e6807d0c7c97} 4264 "\\.\pipe\gecko-crash-server-pipe.4264" 3628 1e059461958 tab
3⤵
PID:3696

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4264.4.1976830589\507197628" -childID 3 -isForBrowser -prefsHandle 4328 -prefMapHandle 4240 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {66a4fd98-c381-4a78-8046-903e8ffd8aa9} 4264 "\\.\pipe\gecko-crash-server-pipe.4264" 4340 1e0725dbd58 tab
3⤵
PID:1356

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4264.5.1772339171\1350548454" -childID 4 -isForBrowser -prefsHandle 4916 -prefMapHandle 4912 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c866ffb-c8b6-438c-ac0b-d6e1dcb2e4be} 4264 "\\.\pipe\gecko-crash-server-pipe.4264" 4928 1e06f980b58 tab
3⤵
PID:5352

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4264.6.406765469\884550788" -childID 5 -isForBrowser -prefsHandle 5172 -prefMapHandle 4964 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fef3feeb-8279-4d28-a106-a86412412561} 4264 "\\.\pipe\gecko-crash-server-pipe.4264" 5196 1e073676858 tab
3⤵
PID:5488

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4264.7.417640217\179546916" -childID 6 -isForBrowser -prefsHandle 5420 -prefMapHandle 5416 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb919b2a-b279-419c-9e0f-6e772e3533d0} 4264 "\\.\pipe\gecko-crash-server-pipe.4264" 5328 1e073675658 tab
3⤵
PID:5496

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4264.8.1857064739\467775979" -childID 7 -isForBrowser -prefsHandle 5780 -prefMapHandle 5800 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90c19b31-a79b-4845-889d-7e60aa647a00} 4264 "\\.\pipe\gecko-crash-server-pipe.4264" 5836 1e075691b58 tab
3⤵
PID:6136

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4264.9.1523579774\506006826" -childID 8 -isForBrowser -prefsHandle 3576 -prefMapHandle 2912 -prefsLen 26460 -prefMapSize 233444 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8988d9c1-3a2d-4d4c-badf-84e1063a2ef2} 4264 "\\.\pipe\gecko-crash-server-pipe.4264" 2860 1e0743cf158 tab
3⤵
PID:6024

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa399f055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5360

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
fb26f3b61401b5dd2d820aeca8997ed3

SHA1
5700b879beb0e80a5c29d5dbe29231f7f9c85bde

SHA256
38aff709d3275e242e831ef80e0b9f744f2034c8fb1d8b6566020eff225b9372

SHA512
f484d314f44f118ae72e1df9899843f07e54a8cf8ba54f45729ad7ceb0b7acdedec293bd3a1d2bd02f643a486261665cdb565f526c1ec03c181373658c461c43

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\1c87b0b1-a38e-427f-87d3-ba665806e456
Filesize
10KB

MD5
173f86d884706a08972f6d136537e842

SHA1
9619d4e0fd4de15abcd1069b20b433fcd38b8875

SHA256
7b1d4413f1421f5aee4e8a5e9db8836a62dffea23a47478798b12caea56927ea

SHA512
3c2b098351e405ae871e1c7b6c9681662c1e4f3fa079c56cd2e076f7b81bc51d968d7820f0ba1f754426d280502c5bbff10222e08b3cfab5d9bfa273ab96ba49

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\3e7a9d15-ee3c-49c2-ad1e-315df13c9ccf
Filesize
746B

MD5
f5251a7f65cfb8c9d9a9f8ccfc567a68

SHA1
f23d71d56946b9cf1ff961438718f044ed9adc27

SHA256
b48cfc54f6aa547c4fdaeed7d67c992b215d07c431cff072e8c3beda62eed2d2

SHA512
75a70eabd1171e02b78bd9f79eb280719e73bd7c7922704fe1193c37efda2434c7b7521d052dcaaabc86bdd8bc34ca5072b36d60cede5276f81efed8741afab0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js
Filesize
6KB

MD5
536132c8ce7b4666eb771476cf9de1a5

SHA1
a3bafd36d28047cc28bca886fc0d89cf60ed4156

SHA256
1eedd133b1969e2bd5cb266af40b9fc6029faa9230dffaf5e5195d187c84da3e

SHA512
fbb6115764cae9c294088d6c19a4a973f13d98202352c623d0b25b57200fbb8f2523fb8908ef33f41dcc01ded0fbb1b0e1923e43045c7d45fc6426820923dfed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js
Filesize
6KB

MD5
47dc22ad3708aa81c68789456445fa47

SHA1
1f4eb738a368f5c25ddaf3ff7018c5373296db9c

SHA256
130e760e8a1d9386dab4d826ea7a9090cf2cb817b1ecace443521003c7dbb642

SHA512
95b12bfc2591c02dd632f66b8a44191f03c20827449fa309191a129ac7c6230236d30edb0881defe498d25ae0a8734e6d0df3f020594c25183b663cd2d9917d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js
Filesize
6KB

MD5
b6a3fd8647feb063aad0529d954d0c4d

SHA1
1f5223c7c43c54d6cb93bbf327903d9f2bb9ef8f

SHA256
244203f88124321feb3d0c5227b4d3ee65854f02901aab666e66888e88d28a93

SHA512
7d5e8cc65d8f09b3c5bf4472ff11d266f4f01a7460650e2847f9eab6b704db17edc447f4407a1716e71afcb51a1e820b87f61809adc178fb2a2117b3a6871459

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
e085e05c602488a79d301e1566b080e2

SHA1
a70599dad9799e98c4b0156873b06a1bbefcc0fd

SHA256
f63becb1c56c320508be35fe3bfff4c658ec477cde4e3638bc307a5faafc4a2d

SHA512
57285a552fa65363db3c96515929053d814483369c586ae63ada93855eaf67b86adc423fa2d45f49e18a1943a5d43e9911fbe277a4e73b68ddc1bc9847744f6f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore.jsonlz4
Filesize
2KB

MD5
4d4e0a2aea9d4c0189e861a512cab53e

SHA1
d8d42d4abae06e8ec2f0ebac9d0e4a3c7e2eb884

SHA256
527b2602078d1d09c23059284f4d779850d36d24dee36877870fcd8fc62ee366

SHA512
516a27b8c7375465f1f0480332325323f04d564fe7985490dcf9d88b3c2870339e0c4c858c45327573e435945e55426b5df60c610f900f0528e6c3728bd90396

Download Submit
memory/4644-4-0x0000000002450000-0x0000000002850000-memory.dmp

Filesize
4.0MB

Download
memory/4644-3-0x0000000002450000-0x0000000002850000-memory.dmp

Filesize
4.0MB

Download
memory/4644-2-0x0000000002450000-0x0000000002850000-memory.dmp

Filesize
4.0MB

Download
memory/4644-0-0x00000000021E0000-0x00000000021E7000-memory.dmp

Filesize
28KB

Download
memory/4644-1-0x0000000002450000-0x0000000002850000-memory.dmp

Filesize
4.0MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads