Resubmissions
03-02-2024 13:00
240203-p8th5shhb2 10 02-02-2024 22:27
240202-2dbfashgb4 3 02-02-2024 22:21
240202-19pr5abfgn 6 02-02-2024 22:15
240202-16f1tabecp 10 02-02-2024 20:09
240202-yw88hagffq 3 02-02-2024 19:16
240202-xy8t3sddd4 3 02-02-2024 19:09
240202-xt4pkadce7 10 02-02-2024 19:05
240202-xrlqzadbg5 3 02-02-2024 19:00
240202-xnt8yafcbj 6 02-02-2024 18:50
240202-xg5fbsche7 6
Analysis
max time kernel: 296s
max time network: 326s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system
submitted: 02-02-2024 22:15
Static task
static1
Behavioral task
behavioral1
Sample
wave.png
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
wave.png
Resource
win10v2004-20231222-en
General
Target: wave.png
Size: 10KB
MD5: 57bd5782b784673f8e3ebd06f95bdf38
SHA1: 1f55e36180024eb5c8fc066a855287898e6b077a
SHA256: 986eb45b5d5c04fee9e2bfcbbc15b968870e40feda870eb949ef10c2b7b73c1e
SHA512: 9f807db1571b942467f61b2d9a7ef11882036f64a6e1347ede55523deb9da193ec8255be0819e16cac65595f67f05bbf80320c9d46c4e1bf944b34dd000ffe51
SSDEEP: 192:sD2HxgUkULWcH4F4/XZ/g4t688FPhzBfZIYeLhl+1/RNqeyFgbCBQJGSz/2Niq:sDXEicYF4/XZ/HT8FPhzMHNQdql0CBQ2
Malware Config
Extracted
metasploit
windows/single_exec
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe"  reg.exe
UAC bypass
description ioc Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  reg.exe
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
resource yara_rule
  behavioral2/files/0x0006000000023465-1118.dat  mimikatz
Executes dropped EXE 3 IoCs
pid Process
  4112  96F2.tmp
  3620  system.exe
  3404  Fondue.exe
Loads dropped DLL 3 IoCs
pid Process
  5408  rundll32.exe
  5312  rundll32.exe
  4744  rundll32.exe
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe"  reg.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process
  File opened for modification  \??\PhysicalDrive0  Fondue.exe
Drops file in Windows directory 9 IoCs
description ioc Process
  File created  C:\Windows\infpub.dat  BadRabbit.exe
  File opened for modification  C:\Windows\96F2.tmp  rundll32.exe
  File created  C:\Windows\infpub.dat  BadRabbit.exe
  File opened for modification  C:\Windows\infpub.dat  rundll32.exe
  File created  C:\Windows\infpub.dat  BadRabbit.exe
  File opened for modification  C:\Windows\infpub.dat  rundll32.exe
  File opened for modification  C:\Windows\infpub.dat  rundll32.exe
  File created  C:\Windows\cscc.dat  rundll32.exe
  File created  C:\Windows\dispci.exe  rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz  firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  firefox.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  firefox.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
  2468  schtasks.exe
  1436  schtasks.exe
  4724  SCHTASKS.exe
Modifies registry class 1 IoCs
description ioc Process
  Key created  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings  firefox.exe
NTFS ADS 1 IoCs
description ioc Process
  File created  C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier  firefox.exe
Suspicious behavior: EnumeratesProcesses 15 IoCs
pid Process
  5408  rundll32.exe  (4 entries)
  4112  96F2.tmp  (7 entries)
  5312  rundll32.exe  (2 entries)
  4744  rundll32.exe  (2 entries)
Suspicious use of AdjustPrivilegeToken 18 IoCs
description pid Process
  Token: SeDebugPrivilege  784  firefox.exe  (6 entries)
  Token: SeShutdownPrivilege  5408  rundll32.exe
  Token: SeDebugPrivilege  5408  rundll32.exe
  Token: SeTcbPrivilege  5408  rundll32.exe
  Token: SeDebugPrivilege  4112  96F2.tmp
  Token: SeShutdownPrivilege  5312  rundll32.exe
  Token: SeDebugPrivilege  5312  rundll32.exe
  Token: SeTcbPrivilege  5312  rundll32.exe
  Token: SeShutdownPrivilege  4744  rundll32.exe
  Token: SeDebugPrivilege  4744  rundll32.exe
  Token: SeTcbPrivilege  4744  rundll32.exe
  Token: SeDebugPrivilege  784  firefox.exe
  Token: SeShutdownPrivilege  3404  Fondue.exe
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process
  784  firefox.exe  (4 entries)
Suspicious use of SendNotifyMessage 3 IoCs
pid Process
  784  firefox.exe  (3 entries)
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
  784  firefox.exe  (4 entries)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
  PID 2212 wrote to memory of 784  2212  firefox.exe  99  (11 entries)
  PID 784 wrote to memory of 2764  784  firefox.exe  100  (2 entries)
  PID 784 wrote to memory of 2792  784  firefox.exe  101  (48 entries)
  PID 784 wrote to memory of 804  784  firefox.exe  102  (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Windows\system32\cmd.exe  cmd /c C:\Users\Admin\AppData\Local\Temp\wave.png  PID:392
[1] C:\Program Files\Mozilla Firefox\firefox.exe  "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Suspicious use of WriteProcessMemory
    PID:2212
  [2] C:\Program Files\Mozilla Firefox\firefox.exe  "C:\Program Files\Mozilla Firefox\firefox.exe"
      - Checks processor information in registry
      - Modifies registry class
      - NTFS ADS
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:784
    [3] C:\Program Files\Mozilla Firefox\firefox.exe  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="784.0.1894913766\451349336" -parentBuildID 20221007134813 -prefsHandle 1800 -prefMapHandle 1792 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {138d4821-a74e-4d7c-b082-d9d65546b35e} 784 "\\.\pipe\gecko-crash-server-pipe.784" 1880 1fee77ce158 gpu  PID:2764
    [3] C:\Program Files\Mozilla Firefox\firefox.exe  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="784.1.1541478333\184632552" -parentBuildID 20221007134813 -prefsHandle 2268 -prefMapHandle 2256 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4854cf74-4f41-4d5d-8c2f-aa9083094b01} 784 "\\.\pipe\gecko-crash-server-pipe.784" 2280 1fee7132c58 socket  PID:2792
    [3] C:\Program Files\Mozilla Firefox\firefox.exe  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="784.2.1235214848\1451067855" -childID 1 -isForBrowser -prefsHandle 2912 -prefMapHandle 3148 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25d43fc6-11bc-4794-a23b-7f9cbf495109} 784 "\\.\pipe\gecko-crash-server-pipe.784" 2936 1feebf9e558 tab  PID:804
    [3] C:\Program Files\Mozilla Firefox\firefox.exe  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="784.3.612452644\2107194956" -childID 2 -isForBrowser -prefsHandle 3592 -prefMapHandle 3588 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c2f8a69-d90a-4764-a65b-72146d041e50} 784 "\\.\pipe\gecko-crash-server-pipe.784" 3604 1feea7b9558 tab  PID:4936
    [3] C:\Program Files\Mozilla Firefox\firefox.exe  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="784.4.846157269\76946118" -childID 3 -isForBrowser -prefsHandle 4472 -prefMapHandle 4564 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cff93159-f3c4-4cd7-a114-4509669c3922} 784 "\\.\pipe\gecko-crash-server-pipe.784" 4576 1feed9d2258 tab  PID:2628
    [3] C:\Program Files\Mozilla Firefox\firefox.exe  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="784.5.1206515503\1301655480" -childID 4 -isForBrowser -prefsHandle 5068 -prefMapHandle 5092 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef76bdeb-f27a-4df4-8dfd-00f07dad5d8c} 784 "\\.\pipe\gecko-crash-server-pipe.784" 5100 1feeaa2e158 tab  PID:448
    [3] C:\Program Files\Mozilla Firefox\firefox.exe  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="784.7.1265177114\695594011" -childID 6 -isForBrowser -prefsHandle 5404 -prefMapHandle 5408 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75684c98-59f5-4602-911a-f2b5dcb1a03f} 784 "\\.\pipe\gecko-crash-server-pipe.784" 5396 1feed0e6158 tab  PID:2932
    [3] C:\Program Files\Mozilla Firefox\firefox.exe  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="784.6.891739752\796577190" -childID 5 -isForBrowser -prefsHandle 5212 -prefMapHandle 5216 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0347de78-83e9-46cd-8ce4-3d814c7cd9f4} 784 "\\.\pipe\gecko-crash-server-pipe.784" 5204 1feeaa2ea58 tab  PID:4848
    [3] C:\Program Files\Mozilla Firefox\firefox.exe  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="784.8.1826357450\636830107" -childID 7 -isForBrowser -prefsHandle 5920 -prefMapHandle 5924 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8babb7e4-5160-4079-a0a2-246c1ef83251} 784 "\\.\pipe\gecko-crash-server-pipe.784" 5944 1feefa77958 tab  PID:5208
    [3] C:\Program Files\Mozilla Firefox\firefox.exe  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="784.9.2012117343\614206746" -parentBuildID 20221007134813 -prefsHandle 2744 -prefMapHandle 5896 -prefsLen 26381 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc5e1929-af64-4682-bb46-e5a99a5ff8cb} 784 "\\.\pipe\gecko-crash-server-pipe.784" 5664 1fee7a31758 rdd  PID:5692
    [3] C:\Program Files\Mozilla Firefox\firefox.exe  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="784.10.1875940873\1384265309" -childID 8 -isForBrowser -prefsHandle 5668 -prefMapHandle 3456 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6efbcff0-618a-4b55-b35d-ac637e1591f2} 784 "\\.\pipe\gecko-crash-server-pipe.784" 4336 1fef07c1b58 tab  PID:6072
    [3] C:\Program Files\Mozilla Firefox\firefox.exe  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="784.11.1483095383\983107823" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 5164 -prefMapHandle 5112 -prefsLen 26381 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe9f8cf0-302c-4150-963b-d48917821640} 784 "\\.\pipe\gecko-crash-server-pipe.784" 4336 1fee74fc358 utility  PID:5484
[1] C:\Windows\System32\rundll32.exe  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding  PID:5144
[1] C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"
    - Drops file in Windows directory
    PID:2180
  [2] C:\Windows\SysWOW64\rundll32.exe  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:5408
    [3] C:\Windows\SysWOW64\cmd.exe  /c schtasks /Delete /F /TN rhaegal  PID:1296
      [4] C:\Windows\SysWOW64\schtasks.exe  schtasks /Delete /F /TN rhaegal  PID:5684
    [3] C:\Windows\SysWOW64\cmd.exe  /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 224186381 && exit"  PID:5912
      [4] C:\Windows\SysWOW64\schtasks.exe  schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 224186381 && exit"
          - Creates scheduled task(s)
          PID:2468
    [3] C:\Windows\SysWOW64\cmd.exe  /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 22:37:00  PID:828
      [4] C:\Windows\SysWOW64\schtasks.exe  schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 22:37:00
          - Creates scheduled task(s)
          PID:1436
    [3] C:\Windows\96F2.tmp  "C:\Windows\96F2.tmp" \\.\pipe\{2A241630-15AB-4408-8E81-E2E6CEC2D4C4}
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:4112
[1] C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"
    - Drops file in Windows directory
    PID:2832
  [2] C:\Windows\SysWOW64\rundll32.exe  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:5312
[1] C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"
    - Drops file in Windows directory
    PID:4072
  [2] C:\Windows\SysWOW64\rundll32.exe  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:4744
[1] C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\7ev3n.exe  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\7ev3n.exe"  PID:2464
  [2] C:\Users\Admin\AppData\Local\system.exe  "C:\Users\Admin\AppData\Local\system.exe"
      - Executes dropped EXE
      PID:3620
    [3] C:\Windows\SysWOW64\SCHTASKS.exe  C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
        - Creates scheduled task(s)
        PID:4724
    [3] C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat  PID:4960
    [3] C:\windows\SysWOW64\cmd.exe  C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64  PID:5624
      [4] C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
          - Modifies WinLogon for persistence
          PID:3440
    [3] C:\windows\SysWOW64\cmd.exe  C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64  PID:2340
      [4] C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
          - UAC bypass
          PID:3288
    [3] C:\windows\SysWOW64\cmd.exe  C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64  PID:4060
      [4] C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64  PID:4676
    [3] C:\windows\SysWOW64\cmd.exe  C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64  PID:5656
      [4] C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64  PID:1964
    [3] C:\windows\SysWOW64\cmd.exe  C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64  PID:1820
      [4] C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64  PID:2860
    [3] C:\windows\SysWOW64\cmd.exe  C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64  PID:5636
      [4] C:\Windows\SysWOW64\reg.exe  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
          - Adds Run key to start application
          PID:5872
[1] C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\GoldenEye\GoldenEye.exe  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\GoldenEye\GoldenEye.exe"  PID:1656
  [2] C:\Users\Admin\AppData\Roaming\{96505e57-053a-430f-8c6d-d40910726e9d}\Fondue.exe  "C:\Users\Admin\AppData\Roaming\{96505e57-053a-430f-8c6d-d40910726e9d}\Fondue.exe"
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of AdjustPrivilegeToken
      PID:3404
[1] C:\Windows\system32\verclsid.exe  "C:\Windows\system32\verclsid.exe" /S /C {088E3905-0323-4B02-9826-5D99428E115F} /I {000214E6-0000-0000-C000-000000000046} /X 0x401  PID:5900
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
  Pre-OS Boot 1
    Bootkit 1
  Scheduled Task/Job 1
Privilege Escalation
  Abuse Elevation Control Mechanism 1
    Bypass User Account Control 1
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
  Scheduled Task/Job 1
Downloads
-
Filesize: 52KB
MD5: 1f9c7ecc70abe7dfdcff47c91cd0f032
SHA1: 690c98f394355655a37534e19e321eb188182093
SHA256: d026f780fc5672cc20cad561c829286a70696a3cb9a6506e99ac76d06f8701a0
SHA512: 434903c0e91d470885e6b101be013938bab9fa1d74e4658f959fa384333745bf7b961163f895d2492c558764132f9600862519f45a9c823257129c98b3b0b4d6
-
Filesize: 52KB
MD5: d62e166b96ba75dc20e50e94f536a978
SHA1: 7a27e4916cafff2b78455e52027e6539174ed3fb
SHA256: 34360c5d78a1ffcfbda89b5dbb991d82a3d4edcf2c4bd1efbebeb286ee43e3e4
SHA512: b68c4dfd641ff7454e5eeb0a97c3eadb23957ff45e01a10d4c18595513bb3594d9586dc528a4b1be0e1c756020f7104f5b68bee68d174eaf0dba2bf3a5a8f391
-
Filesize: 52KB
MD5: ddaef6ac65d9fa0292ecd7a595f4f209
SHA1: 5f7d515d3035131bbbcc750cedc9242d79840f90
SHA256: 96fa6f0318b44ba0f5a4ae45cd5a03f7fa30269cd4227637672e7e1623399165
SHA512: 3cf66c76bb7a16f2560ea4cd2aa05b23119198c6813d26e70cd8c69415aaed3054dac087dc2778f5b525e97b8790fd427dffe9c9846ca767b1f7bde861f917af
-
Filesize: 13KB
MD5: 0e4ca6045f69fa8ddad9cfc024738d37
SHA1: f4e1fc0b14f4c56d56a6ca34c91595224e28900d
SHA256: 12bfcb5d5b4c031dfa56109e345192c31aac0cff57eb72b1ddfe8ff35f21861b
SHA512: 9448d8059f912811df7fc04489530c0f55f7b18581109a98f067755c9ae9cd188a2bc8083de043c2270377a3fedf55612f883117282317f139a700dddabbe07b
-
Filesize: 13KB
MD5: 1c9c944ca344127ba68f2b8d6814fdbe
SHA1: 7db4eef58e261a26d86bd67b02850abb2391fb17
SHA256: 25cbdfd48b2b07edd0e198779fe314e6fb021bb49d7eada598579b84f4f9cde5
SHA512: 8e8520b2e74969a484b161d16f0873bdf590efda448f8679af9e84313af1af8047505d7d64d8a4e16f77f37a9dd8d3f38a69513c1ac1b56b7b6c9a671a1081b6
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\59q4zd6z.default-release\cache2\entries\09EDBE0C0AE5CE04868F06A4BC625F286116BA02
Filesize: 33KB
MD5: 1c2dadfbabfb07a7f7e467841076515e
SHA1: ed6c4e05404eee2db4d9205f7ca4e993517e0330
SHA256: c37aad590c66c3e9f85c2883eb9410bf4e80473d227911bbad612f5bc6c4be74
SHA512: 64bf4978e19a02442694f04dc423a5e582e2f3d7eb2b9bc01691b9a1e90ef35580f52386b580b2509343976dda42ab391f98e4db83c4851d7fee83caec666d6b
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\59q4zd6z.default-release\cache2\entries\1E61518360BA13E897A17737CCDA8D9067374818
Filesize: 766KB
MD5: a5f20525b905b7590a0708c3d8935451
SHA1: c0c83f3051c1c1ef0f1e33a1a313a64ca36d03a2
SHA256: 05839b4b637a6fb0f777c15d57397debae90112ef8b3939e9d10a65660aca195
SHA512: ff22047cf1f3dc47b78691a9bfd28bbbeb3e567ef738dfddf8cc59fdbd0dd0dc6c759cf51043140172b99ab3685d03cef4e377bdddc3929b0cb6b61451ac880f
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\59q4zd6z.default-release\cache2\entries\34231335DC373FC6F959E8D1C1DD1906DAC2A65C
Filesize: 48KB
MD5: 15f235d3c0894aaf8e645ec491321d5a
SHA1: 0c5b08bbffa3e35b6235cd4b4d4c02be8a95e5b5
SHA256: e2240a898cf091de19c71e205708c6d20f57143ce0c47273671da08dae20ccbf
SHA512: 591fa6ca17b6fa1386c13009fcf8a8bd37412f8606a63bdaf9d95237fe7349fa3c17a7f060e589042d8859646aa5e56e1382683d5327bcace2932e77f80dd22f
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\59q4zd6z.default-release\cache2\entries\3AE8792A487F90E02C5F59DF2EC9D50F1CB76903
Filesize: 41KB
MD5: a09a2a21ca4c4cfbfb52eccaec454a7e
SHA1: 765d1bb24652e32d7567d96708871e19ad994219
SHA256: e3120ed821714444881526c14f80f5485225544287496bded17765ab71025a3d
SHA512: d4f1b92c0c13588f19b05dd40c4db07bba06d24583503564b6fbe0c8af62efdbc341e27edee0e3c10f33ae8d5bcb7022773522c427bfe424ff03cbb8b0c65ebe
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\59q4zd6z.default-release\cache2\entries\3D108C07101749AF12ADF5C51788D9B3D38DB17F
Filesize: 584KB
MD5: 27b09b317de18744bd547b607f89dd53
SHA1: fc003659e5c6f7affb4c1736f51882cd13d4ddf2
SHA256: 5863390d7e7c9ace6c9af1bbde90d2c99a3d9b1056117266eafcdc02d1d5dce0
SHA512: 9e18bbc9600fd3d39595acf014184f6bc83ea4c559d8b93209e699546be45b3281a6c82a8dee18bed33708f0161b394cb847495a45f23ca71f1839691f0057ac
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\59q4zd6z.default-release\cache2\entries\610381FD3C71D594CFA6AFE8B8803962D0EF6779
Filesize: 67KB
MD5: ac03d52042b5132ebd2e4d93a25676fa
SHA1: 2b93315ccbf47b01b24db8a6e6272b3b7ede860b
SHA256: 9a188733f1022074351fcfd9874e1396380471119cd60ebeeb17b4742be8b74d
SHA512: 2113c6a5c67c5042daef148418008877e611b21147dc18ef78165a5f95ee3659fb36882c65ddeabe18c560cb0c71f065692a33db7648eca6d661ac0f8af2099f
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\59q4zd6z.default-release\cache2\entries\634E16DC7AF73196290DC0EEA7EC63EF6B95A520
Filesize: 40KB
MD5: 2aeaacd042d259ce9d1cfc29cab6a7b4
SHA1: cdb1f74c1302e1595edce44da8fdc993f57e2286
SHA256: f52a4b1d668fecdefa292809f993497633ff4ee55dfb941835b22c2bbaed294e
SHA512: ac3e4deaf3ce414e3071818402ecd9c3fb4145fdfd6a3a071ad9fe56b5a0c855b765135853d0664161897c143a65631e3b91971b5155e11b62dd07537845b3dd
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\59q4zd6z.default-release\cache2\entries\6FCB1FC70468E5C5DAA9C741710D63CBD0FE1A93
Filesize: 33KB
MD5: adf75494d2426aff9e4a94ccea27176e
SHA1: 404cbb70baa1b6b801301d38dd01eec2fa2b4cf3
SHA256: 07cbe35115cc1f0dd8760f97ff8d357ffcbab42db0481d5619b8b94a14ea422f
SHA512: 30abe021f022c3d11feaf9e49d4ab850d5a3605251792afeb28ad8568029d5dddb75b99a1cf2f41ddd29a8d7552081c3ff1209ec34657e35b492d43a5406e7d9
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\59q4zd6z.default-release\cache2\entries\74CF8F8A528173430B333A294F41B0AB0333197D
Filesize: 31KB
MD5: 340b7f62b7573e25100fe2945dd17bce
SHA1: 87865d1216e3f91b17959dd4f7fd2376738c5868
SHA256: 95decd2632f718392acc64c436450e0d7f27fbeee4df3546fa420697068fc8cb
SHA512: b8a958966d06a1a48d7382f54ed3343ca5fcc60ee77a17dcb69b1e2b17356fbe61696ff903a47c347c975a969eb797b06cba11d2a6dbcbae289bbd0d22ac227d
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\59q4zd6z.default-release\cache2\entries\8CA2E0E7586DFA0673FF9374189BD72333EEC975
Filesize: 35KB
MD5: 5881af52699141e5ad0566d640db9bce
SHA1: 43e5f469457d4b088e54dea391f457778c858d67
SHA256: ef7e91709f058351289962e67495b1c80ff461793754379e827263e540ca0864
SHA512: 0082ea92abe5f0347ea546b36628a3b9b09c6623d2bdad37150dd9eb0b806964e585fa2b5ab33a224a5ae500a3202f92b940571866c66d09077f99ccb047aa08
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\59q4zd6z.default-release\cache2\entries\8DA4846151E6B4C90531469D8F98CDC35A044D1D
Filesize: 37KB
MD5: 31f0f2a71ea1ac3d760dd1cd02639d58
SHA1: 093f2ade257c8c5192aff0938d64b57c9f6fe57d
SHA256: 0eeb8a91370a34afe06904257e2992448dcb832d9c286ce9858f5beda0dca9f5
SHA512: 1374f145c551f9fee330f244e187ad811959631f32c3e0b70d2fc562b7341685d09167def11095e4040f0c0d188bf3e990bd8cdcc34d5db5fe509721e6280ca2
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\59q4zd6z.default-release\cache2\entries\9C2BBC7137762B4CA02A130A09A82F71C29112CE
Filesize: 327KB
MD5: 211aae66aa306f7715e3e9f709615e7d
SHA1: 2962ec8951c5ca73b4a6ac106fd0a7d79fdb21c1
SHA256: 342041fa1d87d2ee184554d90bd3460e444f7aefacba97556f8b477290345bc0
SHA512: 470f3e01e7b41361851553c5851d804cf3b0ab2aa152c63ace9690bbf7b79cfda2089d034418536c6c0e23a4e663532573ffaa6d6e8783af1e8a479c6315763f
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\59q4zd6z.default-release\cache2\entries\9D00C2F18FF2DF29C2CBFAD56AE88A9E2CE969A0
Filesize: 60KB
MD5: 2bd4a8ab754ecc323acb49c03419bd8a
SHA1: 5891dd6c30141bce3945da433fc20e05ca6a7c58
SHA256: 4cc1cd5db4fd11514a62cd9b7f50871a89632b55779b3f1c59e0c32a0fb3584e
SHA512: 7e1f8537c2dcaee90df195687879568d3114a7b6b0725e93b79457bdf549c9ed133c9625e95fdac6ac68be002b324863b8bf8cf947ca5734f545ba8b3041e7ab
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\59q4zd6z.default-release\cache2\entries\9F596B445897A380F991801AA8C3DBBD30940ADF
Filesize: 46KB
MD5: 2d88406dc3282dda8189a7453acde1c9
SHA1: ef95d6b9413d59dfb866c0163dfd5708c65bf741
SHA256: fc5560d5b94989e326f148c1a240f7470dd60060e46fd4476d0e6f443358a887
SHA512: d74f7854276c3e132667b344bd177d92938bcfd7f30e165a1d25c8d48b694c19e90a478afc8b3a00a2f2fdbd9b3a519c84f0a0bd6e70e07d45e29346e292033c
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\59q4zd6z.default-release\cache2\entries\AE04E0BC8EEB702C7E22D403DE96ADF18FA97FB4
Filesize: 45KB
MD5: 08accdbc868bace787ae3bf4d117a48d
SHA1: 093ff932ff587151ec58442c05bd486603fa42b7
SHA256: 990863450ae6fce097d0e25461e4ea039e6e9621034a5c43e17187ded41e52bd
SHA512: 5228b7c4ec1e2947f7b9b19f39639e26267aa61b96c9d5bfbdec6eb5cc8fab27aac5035a3fedf1d54ce3505574223af12ef8a9654b5c92756a4ba7d981266507
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\59q4zd6z.default-release\cache2\entries\AE1BE5C60797ED13E5FD86423A082A53DD4BFD63
Filesize: 51KB
MD5: 6c9d97f2131abf90b60d6c5f44b37d5c
SHA1: 4f78156e51825024b13c41e72aa1e31349501336
SHA256: f98b488b602972a11ab7a365708fdd36e0e680cea18bc252c4595094f70a6edb
SHA512: 628e3989e078127891a25507bac50c17f4c55d766a13f23422d418781e03d473bbb91714267cc655d440853f305690fa231bf10f6e3a56de543d3347593a45ee
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\59q4zd6z.default-release\cache2\entries\B514093AD97EB137639E70982E6CC2877881F842
Filesize: 33KB
MD5: 9ae7b66f3d2035f32cd6ebb573177529
SHA1: 46c4c018f7723c6293d28a638b57756f1f9d0a20
SHA256: e3b90c06bc842fba91ea575acf043045038a602dd51a6a450cd95672d60778bf
SHA512: 656adb6ad7f6dd17e9f04d3cb1ede2dcaa3d81a74bbc0d6df7ffdfd124b676761d68590f8f5d8b5c37e47ed7b58351ccb9202e4d32f90c7e22bf52a8913868b7
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\59q4zd6z.default-release\cache2\entries\CAB92D6BFF12C33DC97C7A6782A7B9F26D7596BB
Filesize: 35KB
MD5: 3532a561c1bfa0237c2c5e9a05df76de
SHA1: 55f2d95d1a64cc38e4e9e4deddd842964ae33d63
SHA256: fbe5e77b14bdb7e05681aa3224c3077fecf00ed27af6cea520f84a06fab490e5
SHA512: 09d1475d9e534643b2dd03cfff941957e9da2cf3c924923d2611e4282bb2fea5508da319ad73c31997554bf285ef6859603128a6f3358cfca9ec18faf2092e4f
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\59q4zd6z.default-release\cache2\entries\DC6CB4D23713E5F558FEB0D8FBE338CC7797A724
Filesize: 35KB
MD5: be345c955345971171d99e94cb1b2c22
SHA1: 32ef856126d797e820ed667216f336a4096d4c9c
SHA256: 8314b94147edb4f22cd58fddf867b169a84251976aae7c3c2a13b00f171ca32b
SHA512: e8ff650060b988933d9c050e952d2974bb4d5ac0b314a232f9823a276764674c4d4f1610a60543b7a786774e66c8e533b7044752b2029cfd72a0af8d8c0be6ea
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\59q4zd6z.default-release\cache2\entries\E530552157B408FA1285AF8C6D7A3C803A79C692
Filesize: 35KB
MD5: 98b55cbe30e3bb6b936e04859862884e
SHA1: c75365cde7b273fbed9f0846530b2c90b8c3e52f
SHA256: f3716aa3abb1e49411fa0e70ea7ab3b5019d85c8db07e16864915d4b9b99cb85
SHA512: 861beb96fc1adad6cde02a9bc54ae30b65b9990ab30a05ddf0c12d76cd903d0e1216659c4574448df2827d61bc3923e9966738ded30585e04e3f3ba9ea7d5a3f
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\59q4zd6z.default-release\cache2\entries\EE715477A6CC541A25A9EF2025F6E2391D8F1774
Filesize: 46KB
MD5: 37a251a27b4b98f5ca3580dc158e9193
SHA1: bdfe56f0d7b07f8f61bc034ca6f0f136d9d7d493
SHA256: 38fb145b2790bbeac6cd4a94470175aff21b5942c64e65a89009d314e67e9733
SHA512: e40a285dd876e3d87366661aa6cbf05539ce4a86cc63c858f3f3df299c9442521c164adb49fcbacef7e7f48f1905ecc75bd893940f30e832a57552317deefe66
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\59q4zd6z.default-release\cache2\entries\F1C49281349CA1EDCC1827D26710CF46014642CC
Filesize109KB
MD519b8178fc1e9bc746fc9ecba1bca7139
SHA1fe5eeed0a1afdf16b6593c7b7ce90e10e7d9017f
SHA2567df2bc7aa25bba05e5e6cb6981a7cbc28700dc006e0057c598790e6259152325
SHA512a785118e57f504aa6cafc6430b3eec3bbf60ab6bee99e1daa6faa1d1c03c2420fadd23ed8ca0ce8b6bf2ca71adec9e6ed1197f4abfeb79a413a36708e0b58dae
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\59q4zd6z.default-release\cache2\entries\F8206F3DA430A4D1AB95F056F60E5B6831C3A2B7
Filesize38KB
MD5f3d8383860c38784f2a33708572b0acc
SHA1200409d7103c146b4b0ec7d0fd3b73d94b5f7d0b
SHA2563b57d83d4f0a1f26b1ab2d3c704654c23689aa6a5349dcdcb08f0ae67de93f28
SHA512c9d5d0f0c83f2eee187d3da671e9850492a680b326165532dda87fdb83354f051d5e7a0d28e5e7a14c8227b3732c659cc391169d03059292294bfd3e4fb185eb
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\59q4zd6z.default-release\jumpListCache\NoHDKEXcGV3+EDJPEjveFA==.ico
Filesize25KB
MD56b120367fa9e50d6f91f30601ee58bb3
SHA19a32726e2496f78ef54f91954836b31b9a0faa50
SHA25692c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0
SHA512c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f
-
Filesize
101KB
MD59bb1f95ef5b355fe226c7a9a1abde4a7
SHA10a630cd251aee5c07e3fe45d526d7df258a0e701
SHA2568da9f27ca821ac1537857adbb243b4e0219ecfc04c47a791f3b233228c701294
SHA51221a79b54f16ad6c054854a14011b252f0ec5d57eb819e353606560cdbae1c4a5baadf1587f203da71469086ef87ac5b694c860ab1226953aee60e6f32c24a593
-
Filesize
1.2MB
MD55ac0cedb79a5d9d1aae81bce335ccae6
SHA1dd865deabf6869c9da43914a9c0f5aa4bf3ddef3
SHA2563ffe6eb0385c9793cb74315f664a23b3569464ddd4b8ec070159b45907a80123
SHA512836541827c564675089c4eecbf519689ebaeed7ab7b4ef8207719edef0d2f6c1ef2292928f15bf7e8de6fe465ccf9f429ba87db9ca69f2e8f6598a353e2f938a
-
Filesize
115B
MD5f3517cbd484198b25b6e67eb202232e2
SHA1bddc5645eca791472ae438f6099459983bb42419
SHA256c7d853927c93ced4b6c6c44d0f2ccbbcfcfd569fddbf1add0505c89358d3b8d9
SHA51244cc42c49d54ab885ed846aca80579bd56e639af9e3f9c8f5fd737e9472197bd53ab5f64cce4145c952035bac382078f0743f918a7b581f2a7758083f94eb06d
-
Filesize
315KB
MD59c0cc758f26bd43f9395517ed919d28e
SHA1b1eff9316adb3370d652ebd74058842490f2bef9
SHA256705a482092f832d13bcf669128a91e71aad22f1cf3a177441fb6ad7a4857cc52
SHA512626cdbad74c7d0c03eb1782b9357eb5d156a142b2b439f2a5050295c161528e540ebd2ad23a024189d1411d4d0160914e2689e11dd55be254091c92be8bc0a82
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize19KB
MD5bd40af5548e8fdf27e1e5b02d91cde54
SHA10654bd263672e79c84316d4b8d217ed05cf252ed
SHA256a2f2c4c843afbd5e56dd5df7f01b5494443c47d4e10b91768ec3335fcada3595
SHA5123ce2a3ee54aaa02853566ff22bbfe776eeb3ee30ea2c8f5aca4980a32ff7aaf5f18cbe4319645cd7fd7fd6cda8089f035bf94ccf6891e92649ef58d993380c17
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD533b006c84b63e2706077ae6ec6f3c39f
SHA151d1c5ad2eca6ba40314091f8e4e5c95c358dbf3
SHA25693cbd351c078a6420220094ccd5a5ee773515b2bf3ee7b19a7b0d96b1c7a58cd
SHA51251d6a83c317d83c0576d4aab5f4eeadb5ac5128e79f7b1f68b7abb16e3bdf50553d5d081233d9deed730b3eb8ad16a0de0ca042925610bb99e7259aa913ccc45
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\datareporting\glean\pending_pings\435e1f85-2764-418d-bd24-694e0ea31e6e
Filesize746B
MD5b33c3321331cf5f6642466890aad21a0
SHA168c95ee63d103842ef8f5014cffa7fe590ef1f90
SHA256e9b19aff415aac9dc3966170fc2cef5c7715a9704905250eb79e8107d311f15f
SHA512e47dcf86d6f8efb5dfd95b96d570151c91f8f35378694fc0bd4e6cfd702cad5f428d92aec23f980712489d74d26474ec3a38b53ad4b2386185cbd8ef5dffa9ba
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\datareporting\glean\pending_pings\f99d29b2-449a-4283-a80a-e46ba709f401
Filesize11KB
MD5d64aafbceae2b4f186ca6261c700f813
SHA1b30c5ce8b5abe6bdd0a6946b9130474e5cc810ca
SHA256b483c58e97bf93d213be0b1d9337e78bc1b742279f62d8707c0972c0b9d68817
SHA5128a5ea389f0f93b3d60e91c4ba31ea63f453f332c2d4ff5701e1175fbf5cfa61d91f04128681ab975d0d81304bffbe662b7f197389d935f36744ccf34e053c70f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize102KB
MD5ad8eb44eb8397ec22bb31eb3f5cbb50f
SHA193aae44a88ae2336d5af39a75d4a606de5ec80c7
SHA25657563bd06c364b0495d95fccb2e3a09186e4f834fdc6a94a0b8ad9e1c58fb503
SHA5129b551a7e2d1c7e95676d7d4b0e07fbb7e923128c43516c05c6fb5577f4e64cb905ab43bd711847e60810d6785a3153ca9e88133b29c4ae0dfae45296763b81fc
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize775KB
MD57d1163fbf1cd221e03d977873aef614b
SHA19a58d356367f65088e957a3519f7d016cf053023
SHA25664656fbbf66c1a1369f36c24e1f34723c07290333e87473c7004272ffea7593e
SHA5124075796eaf2472decaaf7b10154618f2650f0f79c0908a35e97bf6ed5d4522154085042fb131e827f3e6144f8276ea8a6954e7467ec5ff54bb73617ae7b6f453
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
6KB
MD51f3f981426ffe27b408852fdaa652110
SHA1cf8f28acfedce64d7ea531ceb2ad8f52833bf3d5
SHA256828a8442faf0c5264f6454b9e935ba7c4e470220e15fbec371a0e9f389909666
SHA512f3a130b4858b4a9389b025ce554d954e5898b575d3731f92bc01b528d9dbd1d53d8778d3be80a89e7b2c5ef726d1010e2e1e3f764d4a88af9d3004748b2c52b4
-
Filesize
7KB
MD5eb18b519ba7d1abcdee38e140926aee3
SHA131331056cc9bed3f15905a90c0bf59c0860ee0ee
SHA256915b98cafa935d1aaadbd735961b6e4fb555b624c26ccf19328687ab278f6ac6
SHA5121977ee90c2d9ef323fae280e3f14a9dee2a87880c5eb5da5c5e42e2eacaf97d64c5d1921b2240974b5b34bdb3953b3ae15a8cf6b25f7ac2dcd05dcb9d7b8ae40
-
Filesize
6KB
MD548d311a60be9e48c40f771ae2d6199df
SHA1a42ab0623f6c1b6ec5d208b13eb3095f0900dd45
SHA256130f26f7fa06619c97d7db7188cbb32cf6b87e2ce77e8c79e999dfc3acef3629
SHA5127051ace332c6fc9fb8743abeefcb9c4b72d7190fe6e1dea68d45031155c08ffa2653b60c718d7a936b3057ce02326e402f12ed9f15fccade603dc07a2f37a0ab
-
Filesize
6KB
MD5decd66b629603ce9779d30b117a20ed3
SHA1c9c6ca4108aaaebb24d350f9a60fa9d2f772a2cd
SHA256a121b8c95d02e2006163b7a7e1c05d4d3af98b1b3e1921712dffcfc4c4b65c29
SHA512c0a1cb62045bd0ac0956823bb47e016b38ff05f02f3adf18039369a9fa0c3620220b60af1922879f45a7d56d34c662e0257d5f3bfff67b5ab82d534129d4e37f
-
Filesize
6KB
MD5d8edf9760a9ea1bfeae3d320c1af1293
SHA1bd310b263f6bd8bad2cbd2d69240270d41fbb4df
SHA256438fa58396aaff34c0809f6b7edfb2737a90ed519b7ae1e619764b725be56be8
SHA51265f988fa038c591cdb1a9a5b81308eddb9f0d1716586e875a05eca5cd74571d40d81f15b0251334596a266a186107e0d319a9ba0cda84a8ada51c97960470b60
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\sessionstore-backups\recovery.jsonlz4
Filesize8KB
MD5db57198dc1004e512e5e6349a9874f4b
SHA1ba0b42003aa711b704262916419b784f18c14793
SHA256759caf08ec21ff7b390e1610156fa5ad3a58b8d55299e07330f2f5847dd095bf
SHA51258e00acb03eaeb29fc290946afc0408b5eaa2dac07a2e0e28e79bda00f8d25caf9f62fa32f424382c141b3870e50de27a50db4dcc7a17707c6212c5e18815dc2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\sessionstore-backups\recovery.jsonlz4
Filesize8KB
MD55d3f400b004c80f932992c680a42055b
SHA1ebf400888a1b45e090536325f5c9e3625465f1dc
SHA256c9afd350d2fbc2c45eb379ff41cf5d9f5bc41226c54c463f81c68a03c4910bac
SHA512713051f2b4f79de0eb6dd1936a8a782dd89a8461c8f725b734888bc3a8780680c48f5b6a873a104a6de9957f1f4922c82c289340b548524088577ec7e63ba773
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\sessionstore-backups\recovery.jsonlz4
Filesize3KB
MD5b49a03ad1c806b78ca19551e448e56ab
SHA174e5e5a3b61891ed12f4c8ca078ba4682c5230d5
SHA256c6aced4fb49d0f74709ab671cf296c049ad74874884f49ea01d952b9ea8e861a
SHA512d34ea16a9d41deb51746de1f4c85f548fe7cd96b7b6293c96bb9c331c0598fda677576a64541e3a91478d696744b9b0ad2d174c229caba21c9786040fb4aa00d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\sessionstore-backups\recovery.jsonlz4
Filesize5KB
MD5c8495a99d5c7ea56e80555b11c9ed58a
SHA1f9e3397bef9a1654fb59f47c6ff38df3a8d4ce94
SHA2563f9ce78453c157452dde2575fc08a32fa0d07399a786a5bf489b060d4d748f67
SHA512e300598e98fcba22f690459d8c467536f727066b3c95aa4224807b9ac61f8352bf4334c89109db8ac869d70ea9af59ce20fd6af942b9d3c9e6b82a8dec038e3e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\sessionstore-backups\recovery.jsonlz4
Filesize8KB
MD5639ac4da83d6c312ff98b3359fd38ea1
SHA1734ed0cac7212baec59c0191574798a9f501bed2
SHA256d7995010eeb21ad54f1b476c23d70f9e73643419294bba049c1ca9e374d1c66c
SHA512e45f3f12d12c005c5b5491d6f083e877ad6f3c14eff17c2b1cd65dbe3575f2ffeb633e0c47c319519202e380be2fc40bff6d7d74e0dfea1153e9abe24f63ae1c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD5e91bd0e1f27aede6ec3915af7e7fb12d
SHA1ce333c3ae2a1d5a67a5230ce32c8fad2765603bb
SHA256eea134b4dfa7a440f895ca0cf7e6ee9a55962defbe3b8a391cd6340a277e28e6
SHA5128b624f81098736f1c9bf899c84094388f122f2cd3b7946bb5d4da86518bc791871f16c9fc0713ec23c316b03991d45c0d46ed865a4388e170df3dbe4e9f821aa
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\sessionstore-backups\recovery.jsonlz4
Filesize8KB
MD547a59d98e98158eaf9e9199eacd595c5
SHA141b4a2ed1245df324e0dce1e42a9c280f70028c1
SHA2564f03d2fc67b005b1e51911b815d1608aad0bc5f325621b166413f3135ee83eea
SHA51274de4c81110fe4c7596d25563e134e64a93f5db2b3584404c964f6db0c2cbbcb21e75ae1e79ad3ccc5e044cf6a0ad31af6d606df7db47c374fa9d561fb680d1f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\sessionstore-backups\recovery.jsonlz4
Filesize8KB
MD5e88eceedfe345e1c83cc6f58d70734e5
SHA10e1cfcc64538aa9e0007d1c3f61327a06d98714f
SHA256f755beb9d1599ad6d09fd1dc4e8f38731e15efb1a70517bb8da2354c8dc1cfb1
SHA512002e648678e710fd56860351bd4bf805285d2207d281f6364083033e0033f0c4496c2efcaa104788db62387f858638c397a98ef315d4c0471ee6abfb5db903db
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize184KB
MD5d45112043b8107bbf1f8dc6da1a51a67
SHA108a23d281107ec94713d3b40b4266e98685a0086
SHA25658064f9b3273d5de6bd15163dac6a09fc10d6818f40f875eb33da4d4a39f1375
SHA512b254f39751cd31730b241cf2372a90538043cd0724723a2ae0d32aa70f211e56ac42cc5c1d81341bbeb1ee0329f6010774dcb3c8dd1351e05693a29a124e322c
-
Filesize
254KB
MD5e3b7d39be5e821b59636d0fe7c2944cc
SHA100479a97e415e9b6a5dfb5d04f5d9244bc8fbe88
SHA256389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97
SHA5128f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5
-
Filesize
733KB
MD51ec50d7362244c32b4c2e6d941b66440
SHA1746e66a1ff8d0e0faa733e5f50107f0c620bd6c8
SHA2566a00fa2109dcb88cfcc76eaa5366e18bc94b06f03c2a1708e95a566536d9471b
SHA512d77f93180134f56efca8212dc77f836f363827ca0a3202c529ff1a30c45ae3b551fb406c325af9f39625c7735079cc94a304d5ab6406dbfc6d308f5e1c001ac2
-
Filesize
4.2MB
MD517bd4e67216d85c4f21e22828b2a137f
SHA1d8631e16f78d187a2a9caf6ae735452db4a56ea1
SHA25625395c2eb252a8b974ad8b8b689a115b23a9df27fea17feea9fea2460fddfea3
SHA51231beeb82179e79b0d011184776d9d01081554c510f5bfdc5e1dafa1ce2e2b4f358d6009a0c0621b25246bfc00380705482e6f0b3a37cea8c3060a1a167bb9ff8
-
Filesize
60KB
MD5347ac3b6b791054de3e5720a7144a977
SHA1413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA5129a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
-
Filesize
401KB
MD51d724f95c61f1055f0d02c2154bbccd3
SHA179116fe99f2b421c52ef64097f0f39b815b20907
SHA256579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113
-
Filesize
401KB
MD5449546d6d9a953b1364147ed0755c3b3
SHA18306721ab3735df6a5e743b289011b04fdb763bc
SHA25650bbb61b89a635adcbef23b498cc5c83bc94d161f816131433eeff9143d830b5
SHA512ed986c6d12deca8d3357d16c976bb1535455c668520f9229f08096c9108a26aa5cc45cfba967e326b3cb1ceb25c97174161800311bdb1a652baf4f0a7c2114c0