Resubmissions
19-12-2023 11:13  231219-nbvjhaadcp  10
19-12-2023 10:58  231219-m2x7msgfbp  10
17-12-2023 09:31  231217-lhgj4sfef4  10
18-10-2023 12:14  231018-pem49sfg83  10

Analysis
max time kernel: 1044s
max time network: 1060s
platform: windows10-1703_x64
resource: win10-20231215-en
resource tags: arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
submitted: 19-12-2023 11:13
Behavioral task: behavioral1
Sample: 1fd42d07b4be99e0e503c0ed5af2274312be1b03e01b54a6d89c0eef04257d6e.exe
Resource: win10-20231215-en

General
Target: 1fd42d07b4be99e0e503c0ed5af2274312be1b03e01b54a6d89c0eef04257d6e.exe
Size: 14.9MB
MD5: 97abffeaa7bdfaa81532bd6028498225
SHA1: 26ab576a0abf7085ecf6321a311a7b3088ee48ae
SHA256: 1fd42d07b4be99e0e503c0ed5af2274312be1b03e01b54a6d89c0eef04257d6e
SHA512: af271b15a4f64ac4965cc75f7531e28d3ea0abc90d16ae4654251a301d1a3a0b10d80b205dc626b8866c976ffacdace74f71711c73ef1240d867aeb09c47cc75
SSDEEP: 196608:aMygJ9edfbhSo5Kp8qPKlL8QgYVhqhOM8qTsSqwLM:7XJ9e1wo548qSV5VhKOeTsRwLM
Malware Config
Signatures
- Azov
  A wiper seeking only damage, first seen in 2022.
- Renames multiple (145) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Executes dropped EXE (2 IoCs)
  pid | process
  4820 | chrome.exe
  2848 | chrome.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | 1fd42d07b4be99e0e503c0ed5af2274312be1b03e01b54a6d89c0eef04257d6e.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | process
  File opened (read-only), by 1fd42d07b4be99e0e503c0ed5af2274312be1b03e01b54a6d89c0eef04257d6e.exe for each of the following 23 drives:
  \??\H:, \??\I:, \??\Q:, \??\T:, \??\W:, \??\A:, \??\B:, \??\J:, \??\R:, \??\S:, \??\V:, \??\E:, \??\G:, \??\L:, \??\M:, \??\P:, \??\X:, \??\Y:, \??\Z:, \??\K:, \??\N:, \??\O:, \??\U:
- Drops file in Program Files directory (64 IoCs)
  Process for every row: 1fd42d07b4be99e0e503c0ed5af2274312be1b03e01b54a6d89c0eef04257d6e.exe
  description | ioc
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-US\split.avi
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml
  File opened for modification | C:\Program Files\Common Files\System\ado\msadox28.tlb
  File opened for modification | C:\Program Files\7-Zip\Lang\ar.txt
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
  File created | C:\Program Files\Common Files\System\ja-JP\RESTORE_FILES.txt
  File created | C:\Program Files\Common Files\System\Ole DB\es-ES\RESTORE_FILES.txt
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe
  File opened for modification | C:\Program Files\7-Zip\7zCon.sfx
  File opened for modification | C:\Program Files\7-Zip\Lang\uk.txt
  File opened for modification | C:\Program Files\7-Zip\Lang\va.txt
  File opened for modification | C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_200_percent.pak
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml
  File created | C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\RESTORE_FILES.txt
  File opened for modification | C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui
  File opened for modification | C:\Program Files\7-Zip\Lang\da.txt
  File created | C:\Program Files\Common Files\microsoft shared\ink\da-DK\RESTORE_FILES.txt
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\external_extensions.json
  File opened for modification | C:\Program Files\7-Zip\7-zip.chm
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\Content.xml
  File created | C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\RESTORE_FILES.txt
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml
  File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms
  File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\RESTORE_FILES.txt
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml
  File created | C:\Program Files\Common Files\System\ado\es-ES\RESTORE_FILES.txt
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\hr.txt
  File opened for modification | C:\Program Files\7-Zip\Lang\th.txt
  File created | C:\Program Files\Common Files\microsoft shared\ink\es-MX\RESTORE_FILES.txt
  File opened for modification | C:\Program Files\7-Zip\Lang\sk.txt
  File opened for modification | C:\Program Files\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui
  File opened for modification | C:\Program Files\7-Zip\7z.sfx
  File created | C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\RESTORE_FILES.txt
  File created | C:\Program Files\Common Files\microsoft shared\OFFICE16\RESTORE_FILES.txt
  File opened for modification | C:\Program Files\7-Zip\Lang\de.txt
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash
  File created | C:\Program Files\Common Files\System\ado\RESTORE_FILES.txt
  File opened for modification | C:\Program Files\Common Files\System\ado\adovbs.inc
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
  File created | C:\Program Files\Common Files\System\msadc\de-DE\RESTORE_FILES.txt
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\RESTORE_FILES.txt
  File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\Stars.htm
  File opened for modification | C:\Program Files\Common Files\System\ado\msado20.tlb
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\external_extensions.json
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\el-GR\RESTORE_FILES.txt
  File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\RESTORE_FILES.txt
  File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\Bears.htm
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
- Drops file in Windows directory (4 IoCs)
  description | ioc | process
  File created | C:\Windows\rescache\_merged\1601268389\3877292338.pri | taskmgr.exe
  File created | C:\Windows\rescache\_merged\4183903823\810424605.pri | taskmgr.exe
  File created | C:\Windows\rescache\_merged\1601268389\3877292338.pri | taskmgr.exe
  File created | C:\Windows\rescache\_merged\4183903823\810424605.pri | taskmgr.exe
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
- Checks processor information in registry (2 TTPs, 5 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
- Modifies registry class (1 IoC)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings | firefox.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  1096 | taskmgr.exe (64 identical events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  1096 | taskmgr.exe
- Suspicious use of AdjustPrivilegeToken (18 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1096 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 1096 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 1096 | taskmgr.exe
  Token: 33 | 1096 | taskmgr.exe
  Token: SeIncBasePriorityPrivilege | 1096 | taskmgr.exe
  Token: SeDebugPrivilege | 2236 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 2236 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 2236 | taskmgr.exe
  Token: 33 | 2236 | taskmgr.exe
  Token: SeIncBasePriorityPrivilege | 2236 | taskmgr.exe
  Token: SeDebugPrivilege | 3788 | firefox.exe (8 identical events)
- Suspicious use of FindShellTrayWindow (64 IoCs)
  pid | process
  1096 | taskmgr.exe (64 identical events)
- Suspicious use of SendNotifyMessage (64 IoCs)
  pid | process
  1096 | taskmgr.exe (64 identical events)
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  3788 | firefox.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | process | procid_target
  PID 2468 wrote to memory of 3788 | 2468 | firefox.exe | 82 (11 identical events)
  PID 3788 wrote to memory of 3480 | 3788 | firefox.exe | 84 (2 identical events)
  PID 3788 wrote to memory of 4228 | 3788 | firefox.exe | 85 (48 identical events)
  PID 3788 wrote to memory of 1880 | 3788 | firefox.exe | 86 (3 identical events)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\1fd42d07b4be99e0e503c0ed5af2274312be1b03e01b54a6d89c0eef04257d6e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1fd42d07b4be99e0e503c0ed5af2274312be1b03e01b54a6d89c0eef04257d6e.exe"
  PID: 2904
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 1096
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  PID: 4820
  - Executes dropped EXE
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 2236
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  PID: 2848
  - Executes dropped EXE
- C:\Program Files\Mozilla Firefox\firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  PID: 2468
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    PID: 3788
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - Child process: C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3788.0.1398614169\874484534" -parentBuildID 20221007134813 -prefsHandle 1736 -prefMapHandle 1728 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {200ef237-ac8d-480b-96c9-d775791b9cf6} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" 1812 25abe5d6458 gpu
      PID: 3480
    - Child process: C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3788.1.1696240267\2109170261" -parentBuildID 20221007134813 -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a2302fc-7a31-4497-adda-b566d577c762} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" 2168 25abe4e4858 socket
      PID: 4228
    - Child process: C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3788.2.44943449\793588424" -childID 1 -isForBrowser -prefsHandle 2856 -prefMapHandle 3068 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecc5b5f5-44c2-44e5-883e-b37186fe7197} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" 2676 25ac269b158 tab
      PID: 1880
    - Child process: C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3788.3.732528057\624937550" -childID 2 -isForBrowser -prefsHandle 3472 -prefMapHandle 3468 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f5203ac-82a4-4b89-8052-5f1d659c8973} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" 3484 25ac3650b58 tab
      PID: 4848
    - Child process: C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3788.4.1979438229\568957436" -childID 3 -isForBrowser -prefsHandle 4412 -prefMapHandle 4408 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fda9b0b-2a98-4c60-8162-f7ace11b252f} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" 4424 25ac397fd58 tab
      PID: 3700
    - Child process: C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3788.5.516641235\275867229" -childID 4 -isForBrowser -prefsHandle 4880 -prefMapHandle 4896 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {60abf547-8089-41b9-b00a-f77608def91d} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" 4892 25ac4d4e158 tab
      PID: 3640
    - Child process: C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3788.7.1511190400\313403317" -childID 6 -isForBrowser -prefsHandle 5232 -prefMapHandle 5236 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2550e6e3-c766-4227-8201-25fe0f27195d} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" 5224 25ac4d4de58 tab
      PID: 4776
    - Child process: C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3788.6.574363073\1225629275" -childID 5 -isForBrowser -prefsHandle 5036 -prefMapHandle 5040 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {71a35873-0228-4db7-bfe4-2fe7ff6c923b} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" 5028 25ac4d4d558 tab
      PID: 768
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 78ede93114e65f9160fd03d3357c56e6
  SHA1: 88d531b101e57655f1d0d26c6b3257aa2468d460
  SHA256: c97412fbf88da8f91099a52888dea4c3f222cd95af3e681e3271cbca8b6b7bb5
  SHA512: 074a4c741273902ccacb6f573b96d8accedb2ee405dbd04350cdbf54d180c1fd577a4e90c2aae26bf72f3782403f4494db6e3501a04cfd9d7d81a6bc14884b9d
- Filesize: 2.9MB
  MD5: a392ae15199a049f4126958d07f661fa
  SHA1: b081cc8f8b64fc5f0416f4d2ec1f7a4cc9842b4b
  SHA256: 1980feee6fc2237589eb161cdbb4e3ed80e447f8efba2a13836c2a55357f3474
  SHA512: 79d630243a17ee8c4fde7073e657705cc893bde79b45ab6c972beb7b1185dbb08d34cb9c74f3337ce4ba347b9786b249c43de556e2ea8cc69890964f8cfd554b
- Filesize: 101KB
  MD5: b809fba16e30ef52511403ad449bb51b
  SHA1: 95681ff66c8e777429236dfe32b18b641986cd9c
  SHA256: e1d60ccf0c0312a81cf4be3a638bb1ce2ce9569b0e9b0a614edb750656535bcf
  SHA512: 3a9c2687c7f2b6a008fb9d9b8f11aba4544c1fffa13329fd72255bc6d5fa7c4874ef870cc55659b448eb94fc08dfb5c6f06c93de2cc72a3afeb4a93fc5f85b62
- Filesize: 162KB
  MD5: 0d02b03a068d671348931cc20c048422
  SHA1: 67b6deacf1303acfcbab0b158157fdc03a02c8d5
  SHA256: 44f4263d65889ea8f0db3c6e31a956a4664e9200aba2612c9be7016feeb323c0
  SHA512: 805e7b4fafed39dec5ecc2ede0c65b6e103e6757e0bd43ecdce7c00932f59e3e7a68d2ea0818244dfeb691b022c1ccca590a3f4239f99e1cd8a29ba66daed358
- Filesize: 2KB
  MD5: a2942665b12ed000cd2ac95adef8e0cc
  SHA1: ac194f8d30f659131d1c73af8d44e81eccab7fde
  SHA256: bdc5de6c42c523a333c26160d212c62385b03f5ebdae5aa8c5d025ff3f8aa374
  SHA512: 4e5ba962ba97656974c390b45302d60f4c82d604feb6199d44e80497a40d0b0a9fd119ca17ac184809ca0821ab6813292892c433ed7277f65c275f37a96070b9
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\cache2\entries\7002E71F4F8431A3D59D2158243A0EA278856918
  Filesize: 13KB
  MD5: 866b4e4525f3c7c933f41ba07dc7cfab
  SHA1: e862b8d4c8288445df4cc8069fad64172add22b1
  SHA256: ae169a6e0a8d48f5730d8479aaab3ff47130c22f6945bf7b88b6cf94ec5756db
  SHA512: 4abce8a145fb799578dc52de40e44a8b70f94f74b758bc9992bcee79a42ff7993887102792436ac091618a2be02c7a557b7fb5bb4ca6f076b7f20d2bb477eb2b
- Filesize: 442KB
  MD5: 85430baed3398695717b0263807cf97c
  SHA1: fffbee923cea216f50fce5d54219a188a5100f41
  SHA256: a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
  SHA512: 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
- Filesize: 8.0MB
  MD5: a01c5ecd6108350ae23d2cddf0e77c17
  SHA1: c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
  SHA256: 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
  SHA512: b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
  Filesize: 5KB
  MD5: 50d8426d1c9aefa358c811a456783746
  SHA1: ceeff043aba611f5ac77dcc29f177cac87128c01
  SHA256: 052e9e5f5b781c08f834421efd1ca9f828d18fcb01e63f46197a592b89b478f0
  SHA512: 8de1262db8de2708731600f71c8103b34202dd4a6c65ef2b2a6795f7fca020b44c6c23a11bb7ea6795161a251cb5b912098f7e4de29779f43874a650801ec87f
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\bookmarkbackups\bookmarks-2023-12-19_11_edqy8ufV3Ib+Okfqx7KzjA==.jsonlz4
  Filesize: 938B
  MD5: 312e47f33bfd3055b260024d6b914e62
  SHA1: 70e6914b01893e81c0f2fdd7d8bebd06d7ba5598
  SHA256: 66858600c420b17aba455ecbdb488f66d88b2f66ba93a7550f76b921c6a4c9c2
  SHA512: 95cd2a26eb8fd569e8dfb66700b398315a107a5dde670451bac31c7d141a93940b8c4e97fe24a2b9caa7f9ea2b99fd7301f0d30880610a48ec0598fd33a13d67
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\broadcast-listeners.json
  Filesize: 216B
  MD5: ff5c398cdf3bc4a383feb374b320b703
  SHA1: cd811b5b454430e96b1f96eb2320ae76131b8642
  SHA256: e0ab64d360074be22603c25faaabd53b9943a2630ad91e376f1284e0d9259ba9
  SHA512: 4d31f1766bd6a127af83aa6aac7690c8a4a1751a26d6f562e1164e1697df527561e41d4587aa1986f7aa23c89027dbff53962f22a4dd91591528a2b3fc641a29
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD5ce955c42e33dac51ae77d98d16a1d63c
SHA12e40a3f9c7d42af999b8705683b2292920234f13
SHA256c9866b1e3bb0c0e1db0b70ca13ed82e12926c66e700ac7c3d2aeaa1300674aa2
SHA5126e55fb3e28ed1b941d3ded3510687453608e26699dcfdb9cf79b78eaa26441f8bf6f1206094937dddf9acea085dafa04bb0f95a58cce99e255927ea64a4f2d6b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\datareporting\glean\pending_pings\123a381b-5a5f-470d-be0a-c59ba8bfd0bc
Filesize10KB
MD56151444a7984836a910bee55fea54e1d
SHA11a856013af64ae0531e179edb49c147833c5b807
SHA25662f19e7460c0ac28d4ffb444c175c581d4e1bd1b725645da3128e23d273b15fc
SHA5124ba557834ae5828ac8a675018c0b3d626d433685cdbf500864f87f17fac3e48b8ff9cd45ff46735aa652aad9a0b48fb65a0c405f4b8eeeb0dcaa198b63dd5f90
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\datareporting\glean\pending_pings\a3929ca4-5e70-4434-a677-9e5c381a9c71
Filesize746B
MD581d6c9bd5ed51651b0ea4936cb9bd833
SHA1b746e2102c0d506b50abfdba7cd1324ea2b2780c
SHA2562d7d6102bfb06ad267d96f7f2a615df470e6d99a8587ac3fa892c34e6e7d1c7f
SHA5127923ced58f8750776520c0b60fc3d62aa3c8b6e4862ffd1a5b1457b1bd1842b67d0dc8c21e6c3e7ab0b44d22e451fbabb9af899a94aa8ae6e97a1e3408bcb38e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
9KB
MD5c8ed08091ac1b5e4a4f150e50dbdf0bb
SHA1d50ae20c5e7c23bb2b9dd663acc83105816e1432
SHA2566ae27f4bbb6ad72549e12dc780dc028ae7c867c3638b24530e102a7941ac5161
SHA512d0630685aef181e3b5479dec5ea2cfb9f14521eb479418d5e983c5fab29c92611a0c3a75a4834bcbe5072dc51764eff0e54e5a95200319b19e9c4c934d5875c6
-
Filesize
6KB
MD5d2599dff2b7a3b7c9cbb1aec96ec5e9c
SHA18e23e73393cab4396c55d007cc41690ee9c87c14
SHA256aa1d6b97973d5e8e55aa1a7d461783b927c6b05c2c2137457c0d826d15193c1d
SHA51268dbebb7f4c55d2f0b9bc2e088e34d6689cf872854bead5bec5f629299dd0f486856401283af99c8a4146a00a1ff4f3e6718335340f630f214a45345227c8820
-
Filesize
9KB
MD51a150ecc843e8c6b631537d78f4fd748
SHA1d6bdc599696eb3bb0d4f7a58108cb9d5eb89b1a2
SHA256a4ac822e941f3960c17ea6cc9c14c3f1964a7ca63c1d4edf2cde3859c0b4d206
SHA512ca7d1a90b0c82d2a9f4b0bbf511237f9c80c60929bc98b78deef0da9c5240dd747bac64c048ca34bcf26191cec39b267bc2fbf0506d703491b72f0f93bfc57e3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\sessionCheckpoints.json
Filesize90B
MD5c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA15942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA25600ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA51271ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\sessionstore-backups\recovery.jsonlz4
Filesize1KB
MD52e16421a92bf944a3b2417bfb7cbc952
SHA1e8dfa229c0c5941ddb08a0e99c4620ee3dba6b92
SHA2561a99a8be2f260f66d7123b47a7b56c8f279fa2fd96f442f401aaacedb087c3b2
SHA5128bbe1a99f51c8af97f78b16df34b5a9bda42af1ec65dd690848040e904b2b3e60eeb7c7dd5aafa433789fb8dd3ace12ae151388929ca09fbfe90a6520f1a420f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize7.6MB
MD5ee84853d7536ea3809f5dc1de8aa25f8
SHA1074f5650c708af93bd1163c72bdc79687ac572fe
SHA2569164e63205868eb154c9deacb856bc9abf230ee1ebaa63fb0e2fe2e22b7b294d
SHA512311bdd3ee26d9018e7b595466a0aabe4daad814d6838754ac02d91b4572b902c3372fa27e07538e0e8e9c26a2018725eecb410effec486a8238422b5e894d6c1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\targeting.snapshot.json
Filesize3KB
MD5604636b2589b7ab97b2c0050dd64b2d1
SHA1150e9a01452269dcd113b7a1d87e710ab205861f
SHA25652bf4ba953bf3d5a4bd0665306f20848cefe40bc86a815ed235392ef5981fe8e
SHA512e7e26ed1b240e2178f2916b48e8e690bbaf55ce2e10f6043d155664ee82137d90c7ca75245cecb405310331d0d9490b19948baa666b3e63baf7d86c876bd7105
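The download list above is the raw export of a sandbox report: every entry is a "-" separator, an optional path, a size, and four digests with the label fused to the value. Before these hashes can be used as indicators (a sweep for the dropped files on other hosts, a match against a suspect file pulled from an endpoint), they have to be parsed into records and the digest lengths sanity-checked. The script below is an added example and is not part of the sandbox report or its tooling; it parses that flattened format as it appears on this page (both the "Filesize 13KB" and the two-line "Filesize" / "2KB" variants), validates each digest's hex length, and looks up a local file by hashing it with all four algorithms. The two-entry sample is copied from the page's own list and is embedded only so the script runs offline; `hash_file`, `parse_downloads` and `find_by_hash` are names chosen for this example.

```python
"""Parse a sandbox 'Downloads' hash list into IOC records and match files against it.

Added example; not part of the sandbox report. Function and class names are
chosen for this illustration.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Expected hex length of each digest; anything else is an extraction error.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

_HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9A-Fa-f]+)$")
_SIZE_LINE = re.compile(r"^Filesize\s*(\S+)$")
_PATH_LINE = re.compile(r"^[A-Za-z]:\\")   # Windows path such as C:\Users\...


@dataclass
class DroppedFile:
    path: Optional[str] = None        # None when the report lists no path
    size: Optional[str] = None        # as printed in the report, e.g. "13KB"
    hashes: Dict[str, str] = field(default_factory=dict)


def parse_downloads(text: str) -> List[DroppedFile]:
    """Turn the flattened list into records. Raises on a malformed digest."""
    records: List[DroppedFile] = []
    current: Optional[DroppedFile] = None
    expect_size = False               # True right after a bare "Filesize" line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":               # separator starts a new entry
            current = DroppedFile()
            records.append(current)
            expect_size = False
            continue
        if current is None:
            continue                  # stray text before the first separator
        if expect_size:               # size printed on the line after "Filesize"
            current.size = line
            expect_size = False
            continue
        if line == "Filesize":
            expect_size = True
            continue
        m = _SIZE_LINE.match(line)
        if m:
            current.size = m.group(1)
            continue
        m = _HASH_LINE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LENGTHS[algo]:
                raise ValueError(f"{algo} digest has wrong length: {digest}")
            current.hashes[algo] = digest
            continue
        if _PATH_LINE.match(line):
            current.path = line
    return records


def hash_bytes(data: bytes) -> Dict[str, str]:
    """All four digests of an in-memory buffer, keyed like the report."""
    return {algo: hashlib.new(algo.lower(), data).hexdigest() for algo in HASH_LENGTHS}


def hash_file(path: str) -> Dict[str, str]:
    """Stream a file through all four hashers at once (large drops fit in RAM poorly)."""
    hashers = {algo: hashlib.new(algo.lower()) for algo in HASH_LENGTHS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def find_by_hash(records: List[DroppedFile], hashes: Dict[str, str]) -> Optional[DroppedFile]:
    """Return the record whose digests agree with every algorithm present in `hashes`.

    A record with a single mismatching algorithm is rejected: that is the case
    where an entry was transcribed badly, not a genuine match.
    """
    wanted = {k: v.lower() for k, v in hashes.items()}
    for rec in records:
        common = set(wanted) & set(rec.hashes)
        if common and all(rec.hashes[a] == wanted[a] for a in common):
            return rec
    return None


# Two entries copied verbatim from the report's download list, in the raw
# layout the page uses (one with a path, one without).
SAMPLE_DOWNLOADS = """
-
Filesize
2KB
MD578ede93114e65f9160fd03d3357c56e6
SHA188d531b101e57655f1d0d26c6b3257aa2468d460
SHA256c97412fbf88da8f91099a52888dea4c3f222cd95af3e681e3271cbca8b6b7bb5
SHA512074a4c741273902ccacb6f573b96d8accedb2ee405dbd04350cdbf54d180c1fd577a4e90c2aae26bf72f3782403f4494db6e3501a04cfd9d7d81a6bc14884b9d
-
C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\7sk8fjhx.default-release\\gmp-widevinecdm\\4.10.2557.0\\LICENSE.txt
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
"""

if __name__ == "__main__":
    import sys
    recs = parse_downloads(SAMPLE_DOWNLOADS)
    print(f"parsed {len(recs)} records")
    for candidate in sys.argv[1:]:          # optional: files to check against the list
        hit = find_by_hash(recs, hash_file(candidate))
        print(candidate, "->", hit.path if hit else "no match")
```

Run with one or more file paths to compare them against the parsed list. In practice the sample string is replaced by the full list from the report, and the parser's length check is what catches a digest that was truncated or concatenated during copy-paste before it is loaded into a blocklist.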