Analysis Overview
Threat Level: Known bad
The file https://1cvyl2-my.sharepoint.com/:u:/g/personal/mackie219_1cvyl2_onmicrosoft_com/EdPOs3rl8PhEu6cmuqXkvAYBT0-iQlNhb1OExXH72UH_gw?e=Rkqpoa was found to be: Known bad.
Malicious Activity Summary
Mercurial Grabber Stealer
Looks for VirtualBox Guest Additions in registry
Looks for VMWare Tools registry key
Checks BIOS information in registry
Reads user/profile data of web browsers
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Maps connected drives based on registry
NTFS ADS
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies system certificate store
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-11 13:37
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-11 13:37
Reported
2023-11-11 13:40
Platform
win10v2004-20231023-en
Max time kernel
158s
Max time network
164s
Command Line
Signatures
Mercurial Grabber Stealer
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\Downloads\Archive\rbxgen.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\Downloads\Archive\rbxgen.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | C:\Users\Admin\Downloads\Archive\rbxgen.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | C:\Users\Admin\Downloads\Archive\rbxgen.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Downloads\Archive\rbxgen.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Downloads\Archive\rbxgen.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Archive\rbxgen.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Archive\rbxgen.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip4.seeip.org | N/A | N/A |
| N/A | ip4.seeip.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip4.seeip.org | N/A | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\Downloads\Archive\rbxgen.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\Downloads\Archive\rbxgen.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\Downloads\Archive\rbxgen.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\Downloads\Archive\rbxgen.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | C:\Users\Admin\Downloads\Archive\rbxgen.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | C:\Users\Admin\Downloads\Archive\rbxgen.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Downloads\Archive\rbxgen.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\Downloads\Archive\rbxgen.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\Downloads\Archive\rbxgen.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Downloads\Archive\rbxgen.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | C:\Users\Admin\Downloads\Archive\rbxgen.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | C:\Users\Admin\Downloads\Archive\rbxgen.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | C:\Users\Admin\Downloads\Archive\rbxgen.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | C:\Users\Admin\Downloads\Archive\rbxgen.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | C:\Users\Admin\Downloads\Archive\rbxgen.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | C:\Users\Admin\Downloads\Archive\rbxgen.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | C:\Users\Admin\Downloads\Archive\rbxgen.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | C:\Users\Admin\Downloads\Archive\rbxgen.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob elided) | C:\Users\Admin\Downloads\Archive\rbxgen.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob elided) | C:\Users\Admin\Downloads\Archive\rbxgen.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\Downloads\Archive\rbxgen.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob elided) | C:\Users\Admin\Downloads\Archive\rbxgen.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob elided) | C:\Users\Admin\Downloads\Archive\rbxgen.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\Archive.7z:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\Downloads\Archive(1).7z:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\Archive\rbxgen.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\Archive\rbxgen.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://1cvyl2-my.sharepoint.com/:u:/g/personal/mackie219_1cvyl2_onmicrosoft_com/EdPOs3rl8PhEu6cmuqXkvAYBT0-iQlNhb1OExXH72UH_gw?e=Rkqpoa"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://1cvyl2-my.sharepoint.com/:u:/g/personal/mackie219_1cvyl2_onmicrosoft_com/EdPOs3rl8PhEu6cmuqXkvAYBT0-iQlNhb1OExXH72UH_gw?e=Rkqpoa
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3308.0.365464597\1105341842" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc1cdf5f-369e-4b1a-9c88-3f9ae146f263} 3308 "\\.\pipe\gecko-crash-server-pipe.3308" 1944 1ddafd15b58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3308.1.654678349\1740768646" -parentBuildID 20221007134813 -prefsHandle 2356 -prefMapHandle 2344 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83d8cfa2-db34-43c5-859d-f13f2b0c2463} 3308 "\\.\pipe\gecko-crash-server-pipe.3308" 2368 1ddaeaf0a58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3308.2.592354202\770753706" -childID 1 -isForBrowser -prefsHandle 3048 -prefMapHandle 2980 -prefsLen 21857 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74a8c7f8-558a-4884-adc5-d2f618071469} 3308 "\\.\pipe\gecko-crash-server-pipe.3308" 3068 1ddb2e27d58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3308.3.1718297424\853477937" -childID 2 -isForBrowser -prefsHandle 3756 -prefMapHandle 3744 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3db3a3db-a4ac-4d69-9f36-59dca15dcb48} 3308 "\\.\pipe\gecko-crash-server-pipe.3308" 3780 1dd9b16c858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3308.5.1102786328\1181814385" -childID 4 -isForBrowser -prefsHandle 4992 -prefMapHandle 4996 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {051b3ca6-52de-40d7-8f60-ab04f0f818b2} 3308 "\\.\pipe\gecko-crash-server-pipe.3308" 4988 1ddb5087a58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3308.6.145596445\1221511835" -childID 5 -isForBrowser -prefsHandle 5264 -prefMapHandle 5136 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7de369be-aa77-4442-bef1-10cc3ca1ffc1} 3308 "\\.\pipe\gecko-crash-server-pipe.3308" 5252 1ddb50bb058 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3308.4.977141970\1705630305" -childID 3 -isForBrowser -prefsHandle 4788 -prefMapHandle 4796 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8be740a9-72fe-4864-a11a-9de42bcb0489} 3308 "\\.\pipe\gecko-crash-server-pipe.3308" 4832 1ddb4e56d58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3308.7.949519804\1260576102" -childID 6 -isForBrowser -prefsHandle 5876 -prefMapHandle 5872 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b297f46-d0a8-47af-838e-138ad2919f8a} 3308 "\\.\pipe\gecko-crash-server-pipe.3308" 5760 1ddb7098c58 tab
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Archive\" -spe -an -ai#7zMap1869:74:7zEvent30926
C:\Users\Admin\Downloads\Archive\rbxgen.exe
"C:\Users\Admin\Downloads\Archive\rbxgen.exe"
C:\Users\Admin\Downloads\Archive\rbxgen.exe
"C:\Users\Admin\Downloads\Archive\rbxgen.exe"
Network
Files