IOC Report
https://tibusiness.cl/css/causarol.rar

loading gif

Files

File Path
Type
Category
Malicious
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_1076d717-4027-4ef0-8728-ef91ec815ccd.json (copy)
JSON data
dropped
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_1076d717-4027-4ef0-8728-ef91ec815ccd.json.tmp
JSON data
dropped
C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41
ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
dropped
C:\Users\user\AppData\Local\Temp\tmpaddon
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Apr 24 04:35:07 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
dropped
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Apr 24 04:35:07 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
dropped
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
dropped
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Apr 24 04:35:07 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
dropped
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Apr 24 04:35:07 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
dropped
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Apr 24 04:35:07 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
dropped
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\ExperimentStoreData.json (copy)
JSON data
dropped
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\ExperimentStoreData.json.tmp
JSON data
dropped
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\addonStartup.json.lz4 (copy)
Mozilla lz4 compressed data, originally 23432 bytes
dropped
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\addonStartup.json.lz4.tmp
Mozilla lz4 compressed data, originally 23432 bytes
dropped
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\addons.json (copy)
JSON data
dropped
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\addons.json.tmp
JSON data
dropped
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\crashes\store.json.mozlz4 (copy)
Mozilla lz4 compressed data, originally 56 bytes
dropped
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\crashes\store.json.mozlz4.tmp
Mozilla lz4 compressed data, originally 56 bytes
dropped
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\extensions.json (copy)
JSON data
dropped
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\extensions.json.tmp
JSON data
dropped
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
dropped
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
dropped
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)
ASCII text
dropped
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp
ASCII text
dropped
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\prefs-1.js
ASCII text, with very long lines (1717), with CRLF line terminators
dropped
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\prefs.js (copy)
ASCII text, with very long lines (1717), with CRLF line terminators
dropped
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\sessionCheckpoints.json (copy)
JSON data
dropped
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\sessionCheckpoints.json.tmp
JSON data
dropped
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\sessionstore-backups\recovery.baklz4 (copy)
Mozilla lz4 compressed data, originally 6086 bytes
dropped
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\sessionstore-backups\recovery.jsonlz4 (copy)
Mozilla lz4 compressed data, originally 6086 bytes
dropped
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\sessionstore-backups\recovery.jsonlz4.tmp
Mozilla lz4 compressed data, originally 6180 bytes
dropped
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\targeting.snapshot.json (copy)
JSON data
dropped
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\targeting.snapshot.json.tmp
JSON data
dropped
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\xulstore.json (copy)
JSON data
dropped
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\xulstore.json.tmp
JSON data
dropped
C:\Users\user\Downloads\4fbd8bea-e86e-4a57-8c9b-97361d7823c6.tmp
RAR archive data, v5
dropped
C:\Users\user\Downloads\causarol.rar (copy)
RAR archive data, v5
dropped
C:\Users\user\Downloads\causarol.rar.crdownload
RAR archive data, v5
dropped
There are 29 hidden files, click here to show them.

URLs

Name
IP
Malicious
https://tibusiness.cl/css/causarol.rar
malicious
http://detectportal.firefox.com/canonical.html
34.107.221.82
http://detectportal.firefox.com/success.txt?ipv4
34.107.221.82

Domains

Name
IP
Malicious
tibusiness.cl
186.64.116.245
 malicious
example.org
93.184.215.14
star-mini.c10r.facebook.com
31.13.70.36
prod.balrog.prod.cloudops.mozgcp.net
35.244.181.201
twitter.com
104.244.42.65
prod.detectportal.prod.cloudops.mozgcp.net
34.107.221.82
services.addons.mozilla.org
18.164.154.78
dyna.wikimedia.org
198.35.26.96
prod.remote-settings.prod.webservices.mozgcp.net
34.149.100.209
contile.services.mozilla.com
34.117.237.239
prod.content-signature-chains.prod.webservices.mozgcp.net
34.160.144.191
youtube-ui.l.google.com
142.251.2.136
reddit.map.fastly.net
151.101.65.140
ipv4only.arpa
192.0.0.171
prod.ads.prod.webservices.mozgcp.net
34.117.188.166
www.google.com
142.250.141.105
telemetry-incoming.r53-2.services.mozilla.com
34.120.208.123
www.reddit.com
unknown
spocs.getpocket.com
unknown
content-signature-2.cdn.mozilla.net
unknown
firefox.settings.services.mozilla.com
unknown
push.services.mozilla.com
unknown
www.youtube.com
unknown
www.facebook.com
unknown
detectportal.firefox.com
unknown
shavar.services.mozilla.com
unknown
www.wikipedia.org
unknown
There are 17 hidden domains, click here to show them.

IPs

IP
Domain
Country
Malicious
186.64.116.245
tibusiness.cl
Chile
malicious
44.233.67.78
unknown
United States
1.1.1.1
unknown
Australia
74.125.137.95
unknown
United States
18.164.154.78
services.addons.mozilla.org
United States
192.168.2.16
unknown
unknown
34.149.100.209
prod.remote-settings.prod.webservices.mozgcp.net
United States
34.107.243.93
unknown
United States
142.251.2.84
unknown
United States
74.125.137.113
unknown
United States
142.251.2.94
unknown
United States
34.107.221.82
prod.detectportal.prod.cloudops.mozgcp.net
United States
34.117.237.239
contile.services.mozilla.com
United States
52.25.6.244
unknown
United States
35.244.181.201
prod.balrog.prod.cloudops.mozgcp.net
United States
142.251.2.138
unknown
United States
34.117.188.166
prod.ads.prod.webservices.mozgcp.net
United States
239.255.255.250
unknown
Reserved
23.217.9.75
unknown
United States
142.250.141.105
www.google.com
United States
142.250.101.94
unknown
United States
34.160.144.191
prod.content-signature-chains.prod.webservices.mozgcp.net
United States
127.0.0.1
unknown
unknown
34.120.208.123
telemetry-incoming.r53-2.services.mozilla.com
United States
There are 14 hidden IPs, click here to show them.