file.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample

Filetype: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 6.591087909609073
Filename: file.exe
Filesize: 922112
MD5: 0d9d9ac3aed513438004818f468de528
SHA1: edd1d1ed6a751917d236495f64b1ef1e3a6420d1
SHA256: 9c5447d7974e1ee08c3bffd8873f103ff7b362e84508c979f6b34c54f44db15b
SHA512: a8b3eef2675203225b702c17f3bd1a291298e15ca5ddfd9d9a116b2416e25e9f8585160e182ebbc8bea5a78027317b09d91734fc687c3e9d667c86ff9514ec96
SSDEEP: 12288:MqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgavTK:MqDEvCTbMWu7rQYlBQcBiT6rprG8aLK
Preview: MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

Signature Hits | Behavior Group | Mitre Attack
Multi AV Scanner detection for submitted file | AV Detection |
Binary is likely a compiled AutoIt script file | System Summary |
Found API chain indicative of sandbox detection | Malware Analysis System Evasion | Virtualization/Sandbox Evasion; Security Software Discovery
Machine Learning detection for sample | AV Detection |
Contains functionality for reading data from the clipboard | Key, Mouse, Clipboard, Microphone and Screen Capturing |
Contains functionality to block mouse and keyboard input (often used to hinder debugging) | Anti Debugging |
Contains functionality to check if a debugger is running (IsDebuggerPresent) | Anti Debugging |
Contains functionality to check if a window is minimized (may be used to check if an application is visible) | Hooking and other Techniques for Hiding and Protection | Application Window Discovery
Contains functionality to communicate with device drivers | System Summary |
Contains functionality to dynamically determine API calls | Data Obfuscation, Anti Debugging |
Contains functionality to execute programs as a different user | HIPS / PFW / Operating System Protection Evasion | Access Token Manipulation
Contains functionality to launch a process as a different user | System Summary |
Contains functionality to launch a program with higher privileges | HIPS / PFW / Operating System Protection Evasion | Exploitation for Privilege Escalation; Extra Window Memory Injection
Contains functionality to modify clipboard data | Key, Mouse, Clipboard, Microphone and Screen Capturing | Extra Window Memory Injection
Contains functionality to open a port and listen for incoming connection (possibly a backdoor) | Remote Access Functionality |
Contains functionality to query CPU information (cpuid) | Language, Device and Operating System Detection |
Contains functionality to read the PEB | Anti Debugging |
Contains functionality to read the clipboard data | Key, Mouse, Clipboard, Microphone and Screen Capturing |
Contains functionality to retrieve information about pressed keystrokes | Key, Mouse, Clipboard, Microphone and Screen Capturing |
Contains functionality to shutdown / reboot the system | System Summary |
Contains functionality to simulate keystroke presses | HIPS / PFW / Operating System Protection Evasion | Extra Window Memory Injection
Contains functionality to simulate mouse events | HIPS / PFW / Operating System Protection Evasion |
Contains functionality which may be used to detect a debugger (GetProcessHeap) | Anti Debugging | Extra Window Memory Injection
Detected potential crypto function | System Summary | Extra Window Memory Injection
Found large amount of non-executed APIs | Malware Analysis System Evasion |
Found potential string decryption / allocating functions | System Summary | Extra Window Memory Injection; Deobfuscate/Decode Files or Information; Obfuscated Files or Information
OS version to string mapping found (often used in BOTs) | Stealing of Sensitive Information |
Potential key logger detected (key state polling based) | Key, Mouse, Clipboard, Microphone and Screen Capturing | Extra Window Memory Injection
Uses 32bit PE files | Compliance, System Summary |
Uses code obfuscation techniques (call, push, ret) | Data Obfuscation |
Uses taskkill to terminate processes | HIPS / PFW / Operating System Protection Evasion |
Contains functionality for error logging | System Summary |
Contains functionality to add an ACL to a security descriptor | HIPS / PFW / Operating System Protection Evasion |
Contains functionality to adjust token privileges (e.g. debug / backup) | System Summary |
Contains functionality to check free disk space | System Summary | System Information Discovery
Contains functionality to create a new security descriptor | HIPS / PFW / Operating System Protection Evasion |
Contains functionality to download additional files from the internet | Networking |
Contains functionality to enum processes or threads | System Summary |
Contains functionality to enumerate / list files inside a directory | Spreading, Malware Analysis System Evasion | File and Directory Discovery
Contains functionality to instantiate COM classes | System Summary |
Contains functionality to load and extract PE file embedded resources | System Summary |
Contains functionality to query local / system time | Language, Device and Operating System Detection |
Contains functionality to query system information | Malware Analysis System Evasion |
Contains functionality to query the account / user name | Language, Device and Operating System Detection | System Owner/User Discovery
Contains functionality to query time zone information | Language, Device and Operating System Detection |
Contains functionality to query windows version | Language, Device and Operating System Detection | System Information Discovery
Contains functionality to register its own exception handler | Anti Debugging |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection | Extra Window Memory Injection
May try to detect the Windows Explorer process (often used for injection) | HIPS / PFW / Operating System Protection Evasion |
PE file has an executable .text section and no other executable section | System Summary | Extra Window Memory Injection
Queries a list of all running processes | Malware Analysis System Evasion | Extra Window Memory Injection
Reads software policies | System Summary |
Sample is known by Antivirus | System Summary |
Tries to load missing DLLs | System Summary | Extra Window Memory Injection
PE file contains a valid data directory to section mapping | System Summary | Extra Window Memory Injection
PE file contains a debug data directory | System Summary | Extra Window Memory Injection
PE file contains a mix of data directories often seen in goodware | System Summary | Extra Window Memory Injection

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_1e7ce8c9-cc96-472f-8064-0b49c9b21500.json (copy) | JSON data | dropped

File: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_1e7ce8c9-cc96-472f-8064-0b49c9b21500.json (copy)
Category: dropped
Dump: uninstall_ping_308046B0AF4A39CB_1e7ce8c9-cc96-472f-8064-0b49c9b21500.json.tmp.13.dr
ID: dr_33
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: JSON data
Entropy: 5.18122028224209
Encrypted: false
Ssdeep: 192:PjMXgCdcbhbVbTbfbRbObtbyEl7nMr3JA6WnSrDtTUd/SkDrS:PYBcNhnzFSJsreBnSrDhUd/8
Size: 7813
Whitelisted: false
Reputation: timeout

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_1e7ce8c9-cc96-472f-8064-0b49c9b21500.json.tmp | JSON data | dropped

File: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_1e7ce8c9-cc96-472f-8064-0b49c9b21500.json.tmp
Category: dropped
Dump: uninstall_ping_308046B0AF4A39CB_1e7ce8c9-cc96-472f-8064-0b49c9b21500.json.tmp.13.dr
ID: dr_7
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: JSON data
Entropy: 5.18122028224209
Encrypted: false
Ssdeep: 192:PjMXgCdcbhbVbTbfbRbObtbyEl7nMr3JA6WnSrDtTUd/SkDrS:PYBcNhnzFSJsreBnSrDhUd/8
Size: 7813
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41 | ISO Media, MP4 Base Media v1 [ISO 14496-12:2003] | dropped

File: C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41
Category: dropped
Dump: mozilla-temp-41.13.dr
ID: dr_10
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Entropy: 0.4593089050301797
Encrypted: false
Ssdeep: 48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
Size: 32768
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\tmpaddon | Zip archive data, at least v2.0 to extract, compression method=deflate | dropped

File: C:\Users\user\AppData\Local\Temp\tmpaddon
Category: dropped
Dump: tmpaddon.13.dr
ID: dr_3
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy: 7.997718157581587
Encrypted: true
Ssdeep: 12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
Size: 453023
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy) | JSON data | dropped

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)
Category: dropped
Dump: ExperimentStoreData.json.tmp.13.dr
ID: dr_24
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: JSON data
Entropy: 4.925124855287228
Encrypted: false
Ssdeep: 48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakN69j:8S+OfJQPUFpOdwNIOdYVjvYcXaNLtw8P
Size: 3621
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp | JSON data | dropped

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp
Category: dropped
Dump: ExperimentStoreData.json.tmp.13.dr
ID: dr_18
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: JSON data
Entropy: 4.925124855287228
Encrypted: false
Ssdeep: 48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakN69j:8S+OfJQPUFpOdwNIOdYVjvYcXaNLtw8P
Size: 3621
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy) | Mozilla lz4 compressed data, originally 27954 bytes | dropped

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)
Category: dropped
Dump: addonStartup.json.lz4.tmp.13.dr
ID: dr_23
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: Mozilla lz4 compressed data, originally 27954 bytes
Entropy: 6.623258976790648
Encrypted: false
Ssdeep: 96:J2YbKsKNU2xWrp327tGmD4wBON6hCY9rI7hlJwgJVLd+MYE0pG+ml1j2+:JTx2x2t0FDJ4NF6ILPd+Md0k+uj
Size: 6075
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp | Mozilla lz4 compressed data, originally 27954 bytes | dropped

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp
Category: dropped
Dump: addonStartup.json.lz4.tmp.13.dr
ID: dr_17
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: Mozilla lz4 compressed data, originally 27954 bytes
Entropy: 6.623258976790648
Encrypted: false
Ssdeep: 96:J2YbKsKNU2xWrp327tGmD4wBON6hCY9rI7hlJwgJVLd+MYE0pG+ml1j2+:JTx2x2t0FDJ4NF6ILPd+Md0k+uj
Size: 6075
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy) | JSON data | dropped

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)
Category: dropped
Dump: addons.json.tmp.13.dr
ID: dr_28
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: JSON data
Entropy: 3.91829583405449
Encrypted: false
Ssdeep: 3:YWGifTJE6iHQ:YWGif9EE
Size: 24
Whitelisted: true
Reputation: timeout

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp | JSON data | dropped

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp
Category: dropped
Dump: addons.json.tmp.13.dr
ID: dr_2
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: JSON data
Entropy: 3.91829583405449
Encrypted: false
Ssdeep: 3:YWGifTJE6iHQ:YWGif9EE
Size: 24
Whitelisted: true
Reputation: timeout

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite | SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5 | dropped

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite
Category: dropped
Dump: content-prefs.sqlite.13.dr
ID: dr_11
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Entropy: 0.04905391753567332
Encrypted: false
Ssdeep: 24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
Size: 262144
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy) | Mozilla lz4 compressed data, originally 56 bytes | dropped

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)
Category: dropped
Dump: store.json.mozlz4.tmp.13.dr
ID: dr_32
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: Mozilla lz4 compressed data, originally 56 bytes
Entropy: 4.837595020998689
Encrypted: false
Ssdeep: 3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
Size: 66
Whitelisted: true
Reputation: timeout

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp | Mozilla lz4 compressed data, originally 56 bytes | dropped

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp
Category: dropped
Dump: store.json.mozlz4.tmp.13.dr
ID: dr_6
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: Mozilla lz4 compressed data, originally 56 bytes
Entropy: 4.837595020998689
Encrypted: false
Ssdeep: 3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
Size: 66
Whitelisted: true
Reputation: timeout

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy) | JSON data | dropped

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)
Category: dropped
Dump: extensions.json.tmp.13.dr
ID: dr_27
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: JSON data
Entropy: 5.185924656884556
Encrypted: false
Ssdeep: 768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
Size: 36830
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp | JSON data | dropped

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp
Category: dropped
Dump: extensions.json.tmp.13.dr
ID: dr_1
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: JSON data
Entropy: 5.185924656884556
Encrypted: false
Ssdeep: 768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
Size: 36830
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm | data | dropped

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm
Category: dropped
Dump: favicons.sqlite-shm.13.dr
ID: dr_13
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: data
Entropy: 0.017262956703125623
Encrypted: false
Ssdeep: 3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
Size: 32768
Whitelisted: true
Reputation: timeout

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy) | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | dropped

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)
Category: dropped
Dump: gmpopenh264.dll.tmp.13.dr
ID: dr_30
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy: 6.648417932394748
Encrypted: false
Ssdeep: 12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
Size: 1021904
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | dropped

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp
Category: dropped
Dump: gmpopenh264.dll.tmp.13.dr
ID: dr_4
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy: 6.648417932394748
Encrypted: false
Ssdeep: 12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
Size: 1021904
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy) | ASCII text | dropped

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)
Category: dropped
Dump: gmpopenh264.info.tmp.13.dr
ID: dr_31
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: ASCII text
Entropy: 4.968220104601006
Encrypted: false
Ssdeep: 3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
Size: 116
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp | ASCII text | dropped

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp
Category: dropped
Dump: gmpopenh264.info.tmp.13.dr
ID: dr_5
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: ASCII text
Entropy: 4.968220104601006
Encrypted: false
Ssdeep: 3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
Size: 116
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite | SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4 | dropped

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite
Category: dropped
Dump: permissions.sqlite.13.dr
ID: dr_19
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Entropy: 0.07332092981394918
Encrypted: false
Ssdeep: 12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki:DLhesh7Owd4+ji
Size: 98304
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm | data | dropped

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
Category: dropped
Dump: places.sqlite-shm.13.dr
ID: dr_14
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: data
Entropy: 0.035371733770153645
Encrypted: false
Ssdeep: 3:GtlstFQ0GCF7I8FIltlstFQ0GCF7I8fD89//alEl:GtWtSqBJYtWtSqBDD89XuM
Size: 32768
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal | SQLite Write-Ahead Log, version 3007000 | dropped

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
Category: dropped
Dump: places.sqlite-wal.13.dr
ID: dr_15
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: SQLite Write-Ahead Log, version 3007000
Entropy: 0.03957158023510353
Encrypted: false
Ssdeep: 3:Ol11rNulfPSKmmLTVHX7l8rEXsxdwhml8XW3R2:KTNudShCRrl8dMhm93w
Size: 32824
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js | ASCII text, with very long lines (1809), with CRLF line terminators | modified

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js
Category: modified
Dump: prefs-1.js.13.dr
ID: dr_8
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: ASCII text, with very long lines (1809), with CRLF line terminators
Entropy: 5.494492911722028
Encrypted: false
Ssdeep: 192:enaRtLYbBp6/hj4qyaaXp6KPjN9D5RfGNBw8d/Sl:beVqPc59cw40
Size: 13254
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy) | ASCII text, with very long lines (1809), with CRLF line terminators | dropped

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)
Category: dropped
Dump: prefs-1.js.13.dr
ID: dr_21
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: ASCII text, with very long lines (1809), with CRLF line terminators
Entropy: 5.494492911722028
Encrypted: false
Ssdeep: 192:enaRtLYbBp6/hj4qyaaXp6KPjN9D5RfGNBw8d/Sl:beVqPc59cw40
Size: 13254
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite | SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5 | dropped

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite
Category: dropped
Dump: protections.sqlite.13.dr
ID: dr_12
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Entropy: 0.04062825861060003
Encrypted: false
Ssdeep: 6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
Size: 65536
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy) | JSON data | dropped

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)
Category: dropped
Dump: sessionCheckpoints.json.tmp.13.dr
ID: dr_22
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: JSON data
Entropy: 4.194538242412464
Encrypted: false
Ssdeep: 3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
Size: 90
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp | JSON data | dropped

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp
Category: dropped
Dump: sessionCheckpoints.json.tmp.13.dr
ID: dr_9
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: JSON data
Entropy: 4.194538242412464
Encrypted: false
Ssdeep: 3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
Size: 90
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy) | Mozilla lz4 compressed data, originally 5861 bytes | dropped

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)
Category: dropped
Dump: recovery.jsonlz4.tmp.13.dr
ID: dr_29
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: Mozilla lz4 compressed data, originally 5861 bytes
Entropy: 6.332442735149169
Encrypted: false
Ssdeep: 24:v+USUGlcAxSnDk050LXnIgf0/pnxQwRlszT5sKt0j3eHVQj6TPamhujJF6tOsIow:GUpOxkkDnMnR6K3eHTP4JF6tIKPR4
Size: 1567
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy) | Mozilla lz4 compressed data, originally 5861 bytes | dropped

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)
Category: dropped
Dump: recovery.jsonlz4.tmp.13.dr
ID: dr_26
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: Mozilla lz4 compressed data, originally 5861 bytes
Entropy: 6.332442735149169
Encrypted: false
Ssdeep: 24:v+USUGlcAxSnDk050LXnIgf0/pnxQwRlszT5sKt0j3eHVQj6TPamhujJF6tOsIow:GUpOxkkDnMnR6K3eHTP4JF6tIKPR4
Size: 1567
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp | Mozilla lz4 compressed data, originally 5861 bytes | dropped

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp
Category: dropped
Dump: recovery.jsonlz4.tmp.13.dr
ID: dr_0
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: Mozilla lz4 compressed data, originally 5861 bytes
Entropy: 6.332442735149169
Encrypted: false
Ssdeep: 24:v+USUGlcAxSnDk050LXnIgf0/pnxQwRlszT5sKt0j3eHVQj6TPamhujJF6tOsIow:GUpOxkkDnMnR6K3eHTP4JF6tIKPR4
Size: 1567
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite | SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6 | dropped

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite
Category: dropped
Dump: storage.sqlite.13.dr
ID: dr_16
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Entropy: 2.0836444556178684
Encrypted: false
Ssdeep: 24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
Size: 4096
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy) | JSON data | dropped

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)
Category: dropped
Dump: targeting.snapshot.json.tmp.13.dr
ID: dr_25
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: JSON data
Entropy: 5.033037894333622
Encrypted: false
Ssdeep: 48:YrSAYH6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:ycHyTEr5QFRzzcMvbw6KkCrrc2Rn27
Size: 4537
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp | JSON data | dropped

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp
Category: dropped
Dump: targeting.snapshot.json.tmp.13.dr
ID: dr_20
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: JSON data
Entropy: 5.033037894333622
Encrypted: false
Ssdeep: 48:YrSAYH6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:ycHyTEr5QFRzzcMvbw6KkCrrc2Rn27
Size: 4537
Whitelisted: false
Reputation: timeout