file.exe (initial sample)

Filetype: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 6.59131047180261
Filename: file.exe
Filesize: 922112
MD5: a9e989ef5eb79aeeb328a104849f4a85
SHA1: 2350a9ecc6c9012f34a1206487d96f9912b6b2a9
SHA256: b5c318e6f3e8af90f8d3bcd87bfd270195d238dba7ab2fe277c0bf9d57e6fdd0
SHA512: f8b7685846b3efdb253b1c3ef5e45b308a240f9ee56f2f30b07777628b573247291b654b43d8029bada68896b456aeba3c98865914d9f96b3eb8db3cdb1e8ba3
SSDEEP: 24576:2qDEvCTbMWu7rQYlBQcBiT6rprG8aNhK:2TvC/MTQYxsWR7aN
Preview: MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
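The static fields above can be reproduced offline, and the per-file Encrypted flag in the dropped-file records further down appears to come from the same entropy measure: the only file marked Encrypted: true is tmpaddon, whose libmagic type is a deflate-compressed ZIP and whose entropy is 7.998 bits per byte. The Python below is an added example, not part of this report or of the sandbox's own code. It computes size, MD5/SHA-1/SHA-256/SHA-512 and Shannon entropy on the report's 0 to 8 bits-per-byte scale (ssdeep is left out; it needs the ssdeep library), applies a cut-off of 7.5 bits per byte as a stand-in for the report's unpublished threshold (an assumption), and then adds the check a practitioner wants before calling a ZIP "encrypted": bit 0 of the general-purpose flag in the local file header, which compression alone never sets. The sample archive is constructed in-line from pseudo-random bytes.

```python
import hashlib
import io
import math
import random
import struct
import zipfile


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, the 0.0 .. 8.0 scale the report uses."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def file_summary(data: bytes, name: str) -> dict:
    """Rebuild the static summary block: size, digests, entropy, PE (MZ) magic."""
    return {
        "Filename": name,
        "Filesize": len(data),
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
        "SHA512": hashlib.sha512(data).hexdigest(),
        "Entropy": shannon_entropy(data),
        "IsPE": data[:2] == b"MZ",
    }


ENCRYPTED_THRESHOLD = 7.5  # assumption: the report's own cut-off is not published


def looks_encrypted(data: bytes) -> bool:
    """Entropy-only heuristic, which is what the report's Encrypted flag appears to be."""
    return shannon_entropy(data) >= ENCRYPTED_THRESHOLD


def zip_has_encryption_flag(data: bytes) -> bool:
    """Bit 0 of the general-purpose flag in the first local file header (PK\\x03\\x04).

    Offsets: signature 0..3, version-needed 4..5, flags 6..7 (little-endian).
    """
    if len(data) < 30 or data[:4] != b"PK\x03\x04":
        raise ValueError("not a ZIP local file header")
    flags = struct.unpack_from("<H", data, 6)[0]
    return bool(flags & 0x0001)


def classify(data: bytes) -> str:
    """A ZIP with the encryption bit clear is compressed, not encrypted, whatever its entropy."""
    if data[:4] == b"PK\x03\x04":
        return "zip-encrypted" if zip_has_encryption_flag(data) else "zip-compressed"
    return "high-entropy" if looks_encrypted(data) else "low-entropy"


def build_sample_zip(seed: int = 1, size: int = 65536) -> bytes:
    """Constructed input: a deflate ZIP of pseudo-random bytes, mimicking tmpaddon."""
    rng = random.Random(seed)
    payload = bytes(rng.getrandbits(8) for _ in range(size))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("addon.bin", payload)
    return buf.getvalue()


if __name__ == "__main__":
    z = build_sample_zip()
    print(f"entropy={shannon_entropy(z):.3f} looks_encrypted={looks_encrypted(z)} "
          f"zip_flag={zip_has_encryption_flag(z)} -> {classify(z)}")
```

Run as a script it reports the constructed archive as above the cut-off with the encryption bit clear, so it is classified as compressed rather than encrypted; the same check on tmpaddon tells whether the report's flag means anything for that file.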

Signature Hits | Behavior Group | Mitre Attack
Multi AV Scanner detection for submitted file | AV Detection | -
Binary is likely a compiled AutoIt script file | System Summary | -
Found API chain indicative of sandbox detection | Malware Analysis System Evasion | Access Token Manipulation, Virtualization/Sandbox Evasion, Security Software Discovery
Machine Learning detection for sample | AV Detection | -
Contains functionality for read data from the clipboard | Key, Mouse, Clipboard, Microphone and Screen Capturing | -
Contains functionality to block mouse and keyboard input (often used to hinder debugging) | Anti Debugging | -
Contains functionality to check if a debugger is running (IsDebuggerPresent) | Anti Debugging | -
Contains functionality to check if a window is minimized (may be used to check if an application is visible) | Hooking and other Techniques for Hiding and Protection | Application Window Discovery
Contains functionality to communicate with device drivers | System Summary | -
Contains functionality to dynamically determine API calls | Data Obfuscation, Anti Debugging | -
Contains functionality to execute programs as a different user | HIPS / PFW / Operating System Protection Evasion | -
Contains functionality to launch a process as a different user | System Summary | -
Contains functionality to launch a program with higher privileges | HIPS / PFW / Operating System Protection Evasion | Exploitation for Privilege Escalation, Extra Window Memory Injection, Access Token Manipulation
Contains functionality to modify clipboard data | Key, Mouse, Clipboard, Microphone and Screen Capturing | Extra Window Memory Injection, Access Token Manipulation
Contains functionality to open a port and listen for incoming connection (possibly a backdoor) | Remote Access Functionality | -
Contains functionality to query CPU information (cpuid) | Language, Device and Operating System Detection | -
Contains functionality to read the PEB | Anti Debugging | Access Token Manipulation
Contains functionality to read the clipboard data | Key, Mouse, Clipboard, Microphone and Screen Capturing | -
Contains functionality to retrieve information about pressed keystrokes | Key, Mouse, Clipboard, Microphone and Screen Capturing | -
Contains functionality to shutdown / reboot the system | System Summary | Access Token Manipulation
Contains functionality to simulate keystroke presses | HIPS / PFW / Operating System Protection Evasion | Extra Window Memory Injection
Contains functionality to simulate mouse events | HIPS / PFW / Operating System Protection Evasion | -
Contains functionality which may be used to detect a debugger (GetProcessHeap) | Anti Debugging | Extra Window Memory Injection
Detected potential crypto function | System Summary | Extra Window Memory Injection, Access Token Manipulation
Found large amount of non-executed APIs | Malware Analysis System Evasion | Access Token Manipulation
Found potential string decryption / allocating functions | System Summary | Extra Window Memory Injection, Deobfuscate/Decode Files or Information
May sleep (evasive loops) to hinder dynamic analysis | Malware Analysis System Evasion | File and Directory Discovery
OS version to string mapping found (often used in BOTs) | Stealing of Sensitive Information | Access Token Manipulation
Potential key logger detected (key state polling based) | Key, Mouse, Clipboard, Microphone and Screen Capturing | Extra Window Memory Injection
Uses 32bit PE files | Compliance, System Summary | -
Uses code obfuscation techniques (call, push, ret) | Data Obfuscation | Obfuscated Files or Information
Uses taskkill to terminate processes | HIPS / PFW / Operating System Protection Evasion | Access Token Manipulation
Contains functionality for error logging | System Summary | Access Token Manipulation
Contains functionality to add an ACL to a security descriptor | HIPS / PFW / Operating System Protection Evasion | -
Contains functionality to adjust token privileges (e.g. debug / backup) | System Summary | Access Token Manipulation
Contains functionality to check free disk space | System Summary | -
Contains functionality to create a new security descriptor | HIPS / PFW / Operating System Protection Evasion | Access Token Manipulation
Contains functionality to download additional files from the internet | Networking | -
Contains functionality to enum processes or threads | System Summary | Access Token Manipulation
Contains functionality to enumerate / list files inside a directory | Spreading, Malware Analysis System Evasion | File and Directory Discovery
Contains functionality to instantiate COM classes | System Summary | Access Token Manipulation
Contains functionality to load and extract PE file embedded resources | System Summary | -
Contains functionality to query local / system time | Language, Device and Operating System Detection | Access Token Manipulation, System Information Discovery
Contains functionality to query system information | Malware Analysis System Evasion | -
Contains functionality to query the account / user name | Language, Device and Operating System Detection | System Owner/User Discovery
Contains functionality to query time zone information | Language, Device and Operating System Detection | Access Token Manipulation
Contains functionality to query windows version | Language, Device and Operating System Detection | -
Contains functionality to register its own exception handler | Anti Debugging | -
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection | Extra Window Memory Injection
May try to detect the Windows Explorer process (often used for injection) | HIPS / PFW / Operating System Protection Evasion | -
PE file has an executable .text section and no other executable section | System Summary | Extra Window Memory Injection, Access Token Manipulation
Queries a list of all running processes | Malware Analysis System Evasion | Extra Window Memory Injection
Reads software policies | System Summary | Access Token Manipulation
Sample is known by Antivirus | System Summary | Access Token Manipulation
Tries to load missing DLLs | System Summary | Extra Window Memory Injection
PE file contains a valid data directory to section mapping | System Summary | Extra Window Memory Injection
PE file contains a debug data directory | System Summary | Extra Window Memory Injection
PE file contains a mix of data directories often seen in goodware | System Summary | Extra Window Memory Injection

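The first non-AV hit, "Binary is likely a compiled AutoIt script file", explains most of what follows it. A compiled AutoIt executable is the AutoIt interpreter stub bundled with the script, and the stub itself imports the Win32 APIs behind built-in functions such as BlockInput(), Send(), MouseClick(), ClipGet()/ClipPut(), RunAs() and Shutdown(). Import-based hits like the clipboard, keystroke and mouse simulation, BlockInput, IsDebuggerPresent and run-as-different-user signatures therefore describe what the interpreter can do, not what this particular script does; that needs the script body, which is stored compressed and encoded and is not shown on this page. The Python below is an added example, not code from the report or from the sandbox: it reproduces a static version of a few of the hits above by looking for the compiled-script marker (the 16-byte magic followed by "AU3!EA06" that public YARA rules match, plus the stub's resource string) and for NUL-terminated import names, and it searches for taskkill command lines in both ASCII and UTF-16LE, the encoding AutoIt uses for its strings. The API-to-signature table is an assumption about how such hits are produced, and the input is a constructed byte blob, not the sample.

```python
import re

# Marker of a compiled AutoIt v3 script body (the "EA06" layout), as matched by
# widely used YARA rules, plus the text the AutoIt stub carries in its resources.
AU3_MAGIC = b"\xa3\x48\x4b\xbe\x98\x6c\x4a\xa9\x99\x4c\x53\x0a\x86\xd6\x48\x7d"
AU3_TAG = b"AU3!EA06"
AU3_STUB_TEXT = b"This is a third-party compiled AutoIt script."

# Imported Win32 API -> (signature wording as in the report, behaviour group).
# Assumed mapping: the page does not publish the sandbox's own rules.
API_SIGNATURES = {
    "IsDebuggerPresent": ("Contains functionality to check if a debugger is running (IsDebuggerPresent)", "Anti Debugging"),
    "BlockInput": ("Contains functionality to block mouse and keyboard input", "Anti Debugging"),
    "GetAsyncKeyState": ("Potential key logger detected (key state polling based)", "Key, Mouse, Clipboard, Microphone and Screen Capturing"),
    "GetClipboardData": ("Contains functionality to read the clipboard data", "Key, Mouse, Clipboard, Microphone and Screen Capturing"),
    "SetClipboardData": ("Contains functionality to modify clipboard data", "Key, Mouse, Clipboard, Microphone and Screen Capturing"),
    "keybd_event": ("Contains functionality to simulate keystroke presses", "HIPS / PFW / Operating System Protection Evasion"),
    "mouse_event": ("Contains functionality to simulate mouse events", "HIPS / PFW / Operating System Protection Evasion"),
    "AdjustTokenPrivileges": ("Contains functionality to adjust token privileges (e.g. debug / backup)", "System Summary"),
    "CreateProcessWithLogonW": ("Contains functionality to launch a process as a different user", "System Summary"),
    "ExitWindowsEx": ("Contains functionality to shutdown / reboot the system", "System Summary"),
    "SetErrorMode": ("Disables application error messages (SetErrorMode)", "Hooking and other Techniques for Hiding and Protection"),
    "GetProcAddress": ("Contains functionality to dynamically determine API calls", "Data Obfuscation, Anti Debugging"),
    "listen": ("Contains functionality to open a port and listen for incoming connection (possibly a backdoor)", "Remote Access Functionality"),
}

# Import-by-name entries are NUL-terminated and sit behind a 2-byte hint, so require a
# NUL after the name and no identifier character before it ("listener" must not hit "listen").
# Limitation: a printable hint byte right before a name hides it; use a PE import parser then.
_API_RE = {
    name: re.compile(rb"(?<![A-Za-z0-9_])" + re.escape(name.encode()) + rb"(?=\x00)")
    for name in API_SIGNATURES
}
_CMD_RE = re.compile(r"taskkill(?:\.exe)?\s[^\x00]{0,120}", re.IGNORECASE)


def is_compiled_autoit(data: bytes) -> bool:
    return (AU3_MAGIC + AU3_TAG) in data or AU3_STUB_TEXT in data


def api_hits(data: bytes) -> list:
    """[(api, signature, group)] for every mapped API name that looks like an import."""
    return [(n,) + API_SIGNATURES[n] for n, rx in _API_RE.items() if rx.search(data)]


def taskkill_commands(data: bytes) -> list:
    """taskkill command lines in ASCII and in UTF-16LE at both byte alignments."""
    found = _CMD_RE.findall(data.decode("latin-1"))
    for off in (0, 1):
        found += _CMD_RE.findall(data[off:].decode("utf-16-le", errors="ignore"))
    return [f.strip() for f in found]


def triage(data: bytes) -> dict:
    hits = api_hits(data)
    return {
        "compiled_autoit": is_compiled_autoit(data),
        "apis": [api for api, _, _ in hits],
        "signatures": [(sig, group) for _, sig, group in hits],
        "taskkill": taskkill_commands(data),
    }


# Constructed input, not the sample: an MZ stub with a few import-style names,
# the compiled-script marker and a UTF-16LE command string.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"IsDebuggerPresent\x00"
    + b"\x01\x00BlockInput\x00"          # 2-byte import hint before the name
    + b"GetAsyncKeyState\x00"
    + b"\x02\x00SetClipboardData\x00"
    + b"listener\x00"                    # must not satisfy the "listen" rule
    + AU3_MAGIC + AU3_TAG + b"\x00" * 16
    + "taskkill /F /IM explorer.exe".encode("utf-16-le")
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On a real compiled AutoIt binary every one of the mapped imports is present because the interpreter needs them, which is exactly why the static hits above say so little on their own; the dynamic hits (taskkill, sandbox-detection API chain, sleep loops) are the ones that reflect the script.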
File: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_45fcd96f-7d16-4a2c-b54a-73b2ba21a852.json (copy)
Category: dropped
Dump: uninstall_ping_308046B0AF4A39CB_45fcd96f-7d16-4a2c-b54a-73b2ba21a852.json.tmp.13.dr
ID: dr_34
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: JSON data
Entropy: 5.181497849653027
Encrypted: false
Ssdeep: 192:djMXxtmcbhbVbTbfbRbObtbyEl7nMrmJA6WnSrDtTUd/SkDrO:dY6cNhnzFSJsrlBnSrDhUd/A
Size: 7813
Whitelisted: false
Reputation: timeout

File: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_45fcd96f-7d16-4a2c-b54a-73b2ba21a852.json.tmp
Category: dropped
Dump: uninstall_ping_308046B0AF4A39CB_45fcd96f-7d16-4a2c-b54a-73b2ba21a852.json.tmp.13.dr
ID: dr_6
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: JSON data
Entropy: 5.181497849653027
Encrypted: false
Ssdeep: 192:djMXxtmcbhbVbTbfbRbObtbyEl7nMrmJA6WnSrDtTUd/SkDrO:dY6cNhnzFSJsrlBnSrDhUd/A
Size: 7813
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41
Category: dropped
Dump: mozilla-temp-41.13.dr
ID: dr_7
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Entropy: 0.4593089050301797
Encrypted: false
Ssdeep: 48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
Size: 32768
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Local\Temp\tmpaddon
Category: dropped
Dump: tmpaddon.13.dr
ID: dr_2
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy: 7.997718157581587
Encrypted: true
Ssdeep: 12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
Size: 453023
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)
Category: dropped
Dump: ExperimentStoreData.json.tmp.13.dr
ID: dr_25
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: JSON data
Entropy: 4.927344996982228
Encrypted: false
Ssdeep: 48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakN+9j:8S+OfJQPUFpOdwNIOdYVjvYcXaNLt08P
Size: 3621
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp
Category: dropped
Dump: ExperimentStoreData.json.tmp.13.dr
ID: dr_19
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: JSON data
Entropy: 4.927344996982228
Encrypted: false
Ssdeep: 48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakN+9j:8S+OfJQPUFpOdwNIOdYVjvYcXaNLt08P
Size: 3621
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)
Category: dropped
Dump: addonStartup.json.lz4.tmp.13.dr
ID: dr_24
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: Mozilla lz4 compressed data, originally 23432 bytes
Entropy: 6.615424734763731
Encrypted: false
Ssdeep: 96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
Size: 5312
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp
Category: dropped
Dump: addonStartup.json.lz4.tmp.13.dr
ID: dr_18
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: Mozilla lz4 compressed data, originally 23432 bytes
Entropy: 6.615424734763731
Encrypted: false
Ssdeep: 96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
Size: 5312
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)
Category: dropped
Dump: addons.json.tmp.13.dr
ID: dr_29
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: JSON data
Entropy: 3.91829583405449
Encrypted: false
Ssdeep: 3:YWGifTJE6iHQ:YWGif9EE
Size: 24
Whitelisted: true
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp
Category: dropped
Dump: addons.json.tmp.13.dr
ID: dr_1
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: JSON data
Entropy: 3.91829583405449
Encrypted: false
Ssdeep: 3:YWGifTJE6iHQ:YWGif9EE
Size: 24
Whitelisted: true
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite
Category: dropped
Dump: content-prefs.sqlite.13.dr
ID: dr_11
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Entropy: 0.04905391753567332
Encrypted: false
Ssdeep: 24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
Size: 262144
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)
Category: dropped
Dump: store.json.mozlz4.tmp.13.dr
ID: dr_33
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: Mozilla lz4 compressed data, originally 56 bytes
Entropy: 4.837595020998689
Encrypted: false
Ssdeep: 3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
Size: 66
Whitelisted: true
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp
Category: dropped
Dump: store.json.mozlz4.tmp.13.dr
ID: dr_5
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: Mozilla lz4 compressed data, originally 56 bytes
Entropy: 4.837595020998689
Encrypted: false
Ssdeep: 3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
Size: 66
Whitelisted: true
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)
Category: dropped
Dump: extensions.json.tmp.13.dr
ID: dr_28
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: JSON data
Entropy: 5.185924656884556
Encrypted: false
Ssdeep: 768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
Size: 36830
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp
Category: dropped
Dump: extensions.json.tmp.13.dr
ID: dr_0
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: JSON data
Entropy: 5.185924656884556
Encrypted: false
Ssdeep: 768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
Size: 36830
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm
Category: dropped
Dump: favicons.sqlite-shm.13.dr
ID: dr_13
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: data
Entropy: 0.017262956703125623
Encrypted: false
Ssdeep: 3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
Size: 32768
Whitelisted: true
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)
Category: dropped
Dump: gmpopenh264.dll.tmp.13.dr
ID: dr_31
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy: 6.648417932394748
Encrypted: false
Ssdeep: 12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
Size: 1021904
Whitelisted: false
Reputation: timeout
Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior | -

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp
Category: dropped
Dump: gmpopenh264.dll.tmp.13.dr
ID: dr_3
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy: 6.648417932394748
Encrypted: false
Ssdeep: 12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
Size: 1021904
Whitelisted: false
Reputation: timeout
Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior | -

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)
Category: dropped
Dump: gmpopenh264.info.tmp.13.dr
ID: dr_32
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: ASCII text
Entropy: 4.968220104601006
Encrypted: false
Ssdeep: 3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
Size: 116
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp
Category: dropped
Dump: gmpopenh264.info.tmp.13.dr
ID: dr_4
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: ASCII text
Entropy: 4.968220104601006
Encrypted: false
Ssdeep: 3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
Size: 116
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite
Category: dropped
Dump: permissions.sqlite.13.dr
ID: dr_17
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Entropy: 0.07334727757666264
Encrypted: false
Ssdeep: 12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkimW:DLhesh7Owd4+ji
Size: 98304
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
Category: dropped
Dump: places.sqlite-shm.13.dr
ID: dr_14
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: data
Entropy: 0.035577876577226504
Encrypted: false
Ssdeep: 3:GtlstFGstsNxuK9HIttlstFGstsNxuKlllllJ89//alEl:GtWtEsts5IttWtEstsTD89XuM
Size: 32768
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
Category: dropped
Dump: places.sqlite-wal.13.dr
ID: dr_15
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: SQLite Write-Ahead Log, version 3007000
Entropy: 0.03998118428817617
Encrypted: false
Ssdeep: 3:Ol1+Nlt/y3oFgO69llia7l8rEXsxdwhml8XW3R2:KIpC5Ywl8dMhm93w
Size: 32824
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js
Category: dropped
Dump: prefs-1.js.13.dr
ID: dr_9
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: ASCII text, with very long lines (1809), with CRLF line terminators
Entropy: 5.496171098023503
Encrypted: false
Ssdeep: 192:ZnaRtLYbBp63hj4qyaaX16Kf6N9f5RfGNBw8dvVSl:Ee9qnk2tcwi0
Size: 13254
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)
Category: dropped
Dump: prefs-1.js.13.dr
ID: dr_22
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: ASCII text, with very long lines (1809), with CRLF line terminators
Entropy: 5.496171098023503
Encrypted: false
Ssdeep: 192:ZnaRtLYbBp63hj4qyaaX16Kf6N9f5RfGNBw8dvVSl:Ee9qnk2tcwi0
Size: 13254
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite
Category: dropped
Dump: protections.sqlite.13.dr
ID: dr_12
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Entropy: 0.04062825861060003
Encrypted: false
Ssdeep: 6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
Size: 65536
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\bcdaee9a-4819-42be-85cc-d4aac6b371e9 (copy)
Category: dropped
Dump: bcdaee9a-4819-42be-85cc-d4aac6b371e9.tmp.13.dr
ID: dr_35
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: JSON data
Entropy: 4.944164831645922
Encrypted: false
Ssdeep: 12:YZFgl58SaDIVHlW8cOlZGV1AQIYzvZcyBuLZ2d:YbSUSlCOlZGV1AQIWZcy6Z2d
Size: 493
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\bcdaee9a-4819-42be-85cc-d4aac6b371e9.tmp
Category: modified
Dump: bcdaee9a-4819-42be-85cc-d4aac6b371e9.tmp.13.dr
ID: dr_8
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: JSON data
Entropy: 4.944164831645922
Encrypted: false
Ssdeep: 12:YZFgl58SaDIVHlW8cOlZGV1AQIYzvZcyBuLZ2d:YbSUSlCOlZGV1AQIWZcy6Z2d
Size: 493
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)
Category: dropped
Dump: sessionCheckpoints.json.tmp.13.dr
ID: dr_23
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: JSON data
Entropy: 4.194538242412464
Encrypted: false
Ssdeep: 3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
Size: 90
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp
Category: dropped
Dump: sessionCheckpoints.json.tmp.13.dr
ID: dr_10
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: JSON data
Entropy: 4.194538242412464
Encrypted: false
Ssdeep: 3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
Size: 90
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)
Category: dropped
Dump: recovery.jsonlz4.tmp.13.dr
ID: dr_30
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: Mozilla lz4 compressed data, originally 5861 bytes
Entropy: 6.3292474438360165
Encrypted: false
Ssdeep: 24:v+USUGlcAxSqLXnIgQR/pnxQwRlszT5sKt0q3eHVQj6T0amhujJF6tOsIomNVr0l:GUpOxbYrnR6v3eHT04JF6tIquR4
Size: 1569
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)
Category: dropped
Dump: recovery.jsonlz4.tmp.13.dr
ID: dr_27
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: Mozilla lz4 compressed data, originally 5861 bytes
Entropy: 6.3292474438360165
Encrypted: false
Ssdeep: 24:v+USUGlcAxSqLXnIgQR/pnxQwRlszT5sKt0q3eHVQj6T0amhujJF6tOsIomNVr0l:GUpOxbYrnR6v3eHT04JF6tIquR4
Size: 1569
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp
Category: dropped
Dump: recovery.jsonlz4.tmp.13.dr
ID: dr_21
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: Mozilla lz4 compressed data, originally 5861 bytes
Entropy: 6.3292474438360165
Encrypted: false
Ssdeep: 24:v+USUGlcAxSqLXnIgQR/pnxQwRlszT5sKt0q3eHVQj6T0amhujJF6tOsIomNVr0l:GUpOxbYrnR6v3eHT04JF6tIquR4
Size: 1569
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite
Category: dropped
Dump: storage.sqlite.13.dr
ID: dr_16
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Entropy: 2.0836444556178684
Encrypted: false
Ssdeep: 24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
Size: 4096
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)
Category: dropped
Dump: targeting.snapshot.json.tmp.13.dr
ID: dr_26
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: JSON data
Entropy: 5.034089298937135
Encrypted: false
Ssdeep: 48:YrSAYt6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:yctyTEr5QFRzzcMvbw6KkCrrc2Rn27
Size: 4537
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp
Category: dropped
Dump: targeting.snapshot.json.tmp.13.dr
ID: dr_20
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: JSON data
Entropy: 5.034089298937135
Encrypted: false
Ssdeep: 48:YrSAYt6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:yctyTEr5QFRzzcMvbw6KkCrrc2Rn27
Size: 4537
Whitelisted: false
Reputation: timeout

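All 36 records above were written by the same process, firefox.exe (Target ID 13), into the ProgramData and profile directories that Firefox maintains for itself, and most of them come in pairs: a (copy) entry shares its Dump name, hashes and size with a .tmp entry, that is, one file written under a temporary name and then renamed into place, reported under both names. The only PE drop, gmpopenh264.dll, lands in the profile's gmp-gmpopenh264 directory, which is where Firefox installs its OpenH264 media plugin. When reading a list like this, group by Dump to collapse the pairs, count writers per process, and pull out executables and Encrypted files first. The Python below is an added example, not from the report; it parses records in the Field: value layout used above (five records from this list, with Ssdeep and Reputation omitted, are embedded as constructed input) and does exactly that. The interest score is an assumption of this example, not the sandbox's own ranking.

```python
import re
from collections import Counter, defaultdict

# Constructed input: five records copied from this report (Ssdeep and Reputation omitted).
RECORDS_TEXT = r"""
File: C:\Users\user\AppData\Local\Temp\tmpaddon
Category: dropped
Dump: tmpaddon.13.dr
ID: dr_2
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy: 7.997718157581587
Encrypted: true
Size: 453023
Whitelisted: false

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)
Category: dropped
Dump: gmpopenh264.dll.tmp.13.dr
ID: dr_31
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy: 6.648417932394748
Encrypted: false
Size: 1021904
Whitelisted: false

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp
Category: dropped
Dump: gmpopenh264.dll.tmp.13.dr
ID: dr_3
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy: 6.648417932394748
Encrypted: false
Size: 1021904
Whitelisted: false

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)
Category: dropped
Dump: addons.json.tmp.13.dr
ID: dr_29
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: JSON data
Entropy: 3.91829583405449
Encrypted: false
Size: 24
Whitelisted: true

File: C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41
Category: dropped
Dump: mozilla-temp-41.13.dr
ID: dr_7
Target ID: 13
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Entropy: 0.4593089050301797
Encrypted: false
Size: 32768
Whitelisted: false
"""

_INT_FIELDS = {"Size", "Target ID"}
_FLOAT_FIELDS = {"Entropy"}
_BOOL_FIELDS = {"Encrypted", "Whitelisted"}


def parse_records(text: str) -> list:
    """Split on blank lines, then split each line at its first colon (paths keep their C:\\)."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if not sep:
                continue
            key, value = key.strip(), value.strip()
            if key in _INT_FIELDS:
                value = int(value)
            elif key in _FLOAT_FIELDS:
                value = float(value)
            elif key in _BOOL_FIELDS:
                value = value.lower() == "true"
            rec[key] = value
        if rec:
            records.append(rec)
    return records


def group_by_dump(records: list) -> dict:
    """Dump name -> paths reported for it; .tmp / (copy) pairs collapse to one artifact."""
    groups = defaultdict(list)
    for r in records:
        groups[r["Dump"]].append(r["File"])
    return dict(groups)


def writers(records: list) -> Counter:
    return Counter(r["Process"] for r in records)


def interest_score(r: dict) -> int:
    """Assumed ranking: executables first, then anything the sandbox flagged Encrypted."""
    score = 0
    if r["Type"].startswith(("PE32", "MS-DOS executable")):
        score += 2
    if r["Encrypted"]:
        score += 1
    return score


def prioritize(records: list) -> list:
    return sorted((r for r in records if interest_score(r) > 0),
                  key=lambda r: (-interest_score(r), r["ID"]))


if __name__ == "__main__":
    recs = parse_records(RECORDS_TEXT)
    print("writers:", dict(writers(recs)))
    print("artifacts:", {d: len(p) for d, p in group_by_dump(recs).items()})
    for r in prioritize(recs):
        print(interest_score(r), r["ID"], r["Type"], r["File"])
```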