Analysis
max time kernel: 316s
max time network: 318s
platform: windows10-1703_x64
resource: win10-20231220-en
resource tags: arch:x64 arch:x86 image:win10-20231220-en locale:en-us os:windows10-1703-x64 system
submitted: 10-02-2024 09:39
Static task: static1
Behavioral task: behavioral1
Sample: test.txt
Resource: win10-20231220-en
Errors
General
Target: test.txt
Size: 7B
MD5: 3e47b75000b0924b6c9ba5759a7cf15d
SHA1: 0feca720e2c29dafb2c900713ba560e03b758711
SHA256: 1785cfc3bc6ac7738e8b38cdccd1af12563c2b9070e07af336a1bf8c0f772b6a
SHA512: 1d6c61c1f237e2664f242b96dfaae5feb325771723d76fac41dba6ef22c45cafefb0951f43309fc6bc852b98a5406d3c2909b606688a882d43c6fb905162b10f
Note: the submitted target is a 7-byte text file that the sandbox simply opened in Notepad (PID 4188). Everything else in this report (the BadRabbit and Mimikatz hits, the 7ev3n persistence changes) comes from BadRabbit.zip and 7ev3n.zip, which arrived through Firefox during the interactive session (see the NTFS ADS and hosting-abuse signatures) and were then executed from Downloads. The hashes above therefore identify the placeholder, not the malware.
Malware Config
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe" | reg.exe
UAC bypass 1 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
(The EnableLUA row belongs to the "UAC bypass" signature that the process tree attributes to reg.exe PID 1128, not to the Winlogon signature; replacing the Winlogon Shell value means system.exe is started instead of explorer.exe at every logon, and EnableLUA = 0 switches UAC off entirely after the next reboot.)
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
resource | yara_rule
behavioral1/files/0x000700000001ab9d-530.dat | mimikatz
(BadRabbit bundles a Mimikatz-derived credential harvester that it drops as a randomly named .tmp under C:\Windows and launches with a named-pipe argument through which it reports the harvested credentials back to the main DLL. The C:\Windows\5FD9.tmp process in the tree below, started with \\.\pipe\{26E5F20D-2899-44F4-8F69-0043BFA2086F}, matches that component, and the YARA hit on a dropped file is consistent with it.)
Executes dropped EXE 2 IoCs
pid | process
3456 | 5FD9.tmp
3388 | system.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe" | reg.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
flow | ioc
109 | raw.githubusercontent.com
72 | camo.githubusercontent.com
74 | camo.githubusercontent.com
75 | camo.githubusercontent.com
82 | camo.githubusercontent.com
106 | raw.githubusercontent.com
107 | raw.githubusercontent.com
108 | raw.githubusercontent.com
(These flows are not attributed to a process. Given that BadRabbit.zip and 7ev3n.zip were written to Downloads by firefox.exe during the session (see NTFS ADS below), they are best read as the browser session fetching the archives from GitHub rather than as command-and-control traffic of the detonated samples.)
Drops file in Windows directory 15 IoCs
description | ioc | process
File created | C:\Windows\infpub.dat | [email protected]
File opened for modification | C:\Windows\infpub.dat | rundll32.exe
File created | C:\Windows\infpub.dat | [email protected]
File opened for modification | C:\Windows\infpub.dat | rundll32.exe
File created | C:\Windows\rescache\_merged\4183903823\810424605.pri | taskmgr.exe
File opened for modification | C:\Windows\5FD9.tmp | rundll32.exe
File opened for modification | C:\Windows\infpub.dat | rundll32.exe
File created | C:\Windows\infpub.dat | [email protected]
File opened for modification | C:\Windows\infpub.dat | rundll32.exe
File created | C:\Windows\infpub.dat | [email protected]
File opened for modification | C:\Windows\infpub.dat | rundll32.exe
File created | C:\Windows\cscc.dat | rundll32.exe
File created | C:\Windows\dispci.exe | rundll32.exe
File created | C:\Windows\infpub.dat | [email protected]
File created | C:\Windows\rescache\_merged\1601268389\3877292338.pri | taskmgr.exe
(infpub.dat is the main BadRabbit DLL, written by each dropper instance and then run via rundll32 infpub.dat,#1 15; cscc.dat and dispci.exe are the bundled DiskCryptor driver and client used for the full-disk encryption stage, and 5FD9.tmp is the credential-harvesting module. The two rescache .pri files are written by taskmgr.exe and are unrelated to the samples.)
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
(All three reads come from taskmgr.exe, which was opened during the session and enumerates disks for its Performance view; none of the BadRabbit or 7ev3n processes tripped this signature, so it is not evidence of sandbox evasion by the samples.)
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
(All five reads are from firefox.exe, not from the samples; like the SCSI signature above this is session noise.)
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | process
1312 | schtasks.exe
4556 | SCHTASKS.exe
3160 | schtasks.exe
(PIDs 3160 and 1312 are BadRabbit's "rhaegal" (run dispci.exe as SYSTEM at start-up) and "drogon" (forced reboot at 10:00:00) tasks; PID 4556 is 7ev3n's "uac" task that runs bcd.bat with highest privileges at logon. See the process tree for the full command lines.)
Modifies data under HKEY_USERS 15 IoCs
description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
(All fifteen writes are DWM and accent-colour settings made by LogonUI.exe when the logon screen came up after the forced reboot; they are not malware persistence.)
Modifies registry class 1 IoCs
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings | firefox.exe
NTFS ADS 2 IoCs
description | ioc | process
File created | C:\Users\Admin\Downloads\BadRabbit.zip:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\7ev3n.zip:Zone.Identifier | firefox.exe
(These are the Mark-of-the-Web streams Firefox attaches to downloaded files; they show that both archives came in through the browser during the session.)
Opens file in notepad (likely ransom note) 1 IoCs
pid | process
4188 | NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 46 IoCs
pid | process | occurrences
4688 | rundll32.exe | 4
3456 | 5FD9.tmp | 7
4792 | rundll32.exe | 2
5088 | rundll32.exe | 2
2832 | rundll32.exe | 2
4992 | taskmgr.exe | 27
5000 | rundll32.exe | 2
Suspicious use of AdjustPrivilegeToken 32 IoCs
pid | process | privileges enabled
1032 | firefox.exe | SeDebugPrivilege (9 times)
4688 | rundll32.exe | SeShutdownPrivilege, SeDebugPrivilege, SeTcbPrivilege
3456 | 5FD9.tmp | SeDebugPrivilege
4792 | rundll32.exe | SeShutdownPrivilege, SeDebugPrivilege, SeTcbPrivilege
5088 | rundll32.exe | SeShutdownPrivilege, SeDebugPrivilege, SeTcbPrivilege
2832 | rundll32.exe | SeShutdownPrivilege, SeDebugPrivilege, SeTcbPrivilege
4992 | taskmgr.exe | SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege, 33 (SeIncreaseWorkingSetPrivilege), SeIncBasePriorityPrivilege
5000 | rundll32.exe | SeShutdownPrivilege, SeDebugPrivilege, SeTcbPrivilege
2148 | shutdown.exe | SeShutdownPrivilege, SeRemoteShutdownPrivilege
(Every BadRabbit rundll32.exe instance enables the same three privileges: SeShutdownPrivilege for the reboot it schedules, SeDebugPrivilege for the credential-dumping module, SeTcbPrivilege for token manipulation. The 5FD9.tmp harvester enables only SeDebugPrivilege, which is what it needs to read LSASS.)
Suspicious use of FindShellTrayWindow 59 IoCs
pid | process | occurrences
1032 | firefox.exe | 6
4992 | taskmgr.exe | 53
Suspicious use of SendNotifyMessage 58 IoCs
pid | process | occurrences
1032 | firefox.exe | 5
4992 | taskmgr.exe | 53
Suspicious use of SetWindowsHookEx 11 IoCs
pid | process | occurrences
1032 | firefox.exe | 10
1404 | LogonUI.exe | 1
Suspicious use of WriteProcessMemory 64 IoCs
pid | process | wrote to PID | procid_target | occurrences
5088 | firefox.exe | 1032 | 76 | 11
1032 | firefox.exe | 1208 | 77 | 2
1032 | firefox.exe | 2592 | 78 | 48
1032 | firefox.exe | 2276 | 79 | 3
(All of these are the Firefox launcher and parent writing into their own content processes; none involve the samples.)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
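The scheduled-task, registry and log-clearing signatures above all reduce to command-line patterns, and most of the signal in this report is in the command lines of the children that rundll32.exe and system.exe spawn. The script below is an added example, not the sandbox's signature engine: it runs a small set of regular-expression rules over command lines copied from this report's process tree (plus a benign Firefox launch as a control) and tags each hit with an ATT&CK technique. The rule names, the technique assignments and the sample list are this example's own choices; the patterns key on the switch combinations that do the damage (for example `/create` together with `/RU SYSTEM`) rather than on the binary name, because schtasks, reg and shutdown are also used legitimately.

```python
"""Triage Windows command lines for the persistence and anti-forensics
patterns seen in this report.

Added example; this is not the sandbox's signature engine. Rule names and the
ATT&CK technique IDs attached to them are this example's own choice.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: command lines copied from the process tree in this report
# (BadRabbit's rundll32 children and 7ev3n's system.exe children) plus one
# benign Firefox launch as a control.
SAMPLE_CMDLINES = [
    r'schtasks /Delete /F /TN rhaegal',
    r'schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 428235639 && exit"',
    r'schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 10:00:00',
    r'cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:',
    r'C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f',
    r'REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64',
    r'REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64',
    r'REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64',
    r'shutdown -r -t 10 -f',
    r'"C:\Program Files\Mozilla Firefox\firefox.exe"',
]

# (rule name, ATT&CK technique, pattern). Each pattern needs the damaging
# switch combination, not just the binary name, to keep noise down.
RULES = [
    ("schtasks_create",           "T1053.005", r'schtasks(?:\.exe)?\b.*?/create\b'),
    ("schtasks_create_as_system", "T1053.005", r'schtasks(?:\.exe)?\b.*?/create\b.*?/ru\s+"?system\b'),
    ("schtasks_create_highest",   "T1053.005", r'schtasks(?:\.exe)?\b.*?/create\b.*?/rl\s+highest\b'),
    ("winlogon_shell_hijack",     "T1547.004", r'\\Winlogon"?\s+/v\s+"?Shell\b'),
    ("run_key_persistence",       "T1547.001", r'\\CurrentVersion\\Run"?\s+/v\b'),
    ("uac_disabled",              "T1548.002", r'/v\s+"?EnableLUA"?\s+/t\s+REG_DWORD\s+/d\s+0\b'),
    ("event_log_cleared",         "T1070.001", r'wevtutil(?:\.exe)?\s+cl\b'),
    ("usn_journal_deleted",       "T1070",     r'fsutil(?:\.exe)?\s+usn\s+deletejournal\b'),
    ("forced_reboot",             "T1529",     r'shutdown(?:\.exe)?\s+[/-]r\b.*?[/-]f\b'),
]
_COMPILED = [(name, tech, re.compile(pat, re.IGNORECASE | re.DOTALL))
             for name, tech, pat in RULES]


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str
    cmdline: str


def triage(cmdline: str) -> list[Finding]:
    """Return every rule the command line trips, in RULES order."""
    return [Finding(name, tech, cmdline)
            for name, tech, rx in _COMPILED if rx.search(cmdline)]


def triage_all(cmdlines) -> list[Finding]:
    """Run triage() over a sequence of command lines and flatten the result."""
    return [f for c in cmdlines for f in triage(c)]


def technique_counts(findings) -> dict[str, int]:
    """How many hits each ATT&CK technique received; handy for a quick summary."""
    return dict(Counter(f.technique for f in findings))


if __name__ == "__main__":
    findings = triage_all(SAMPLE_CMDLINES)
    for f in findings:
        print(f"{f.technique:10} {f.rule:26} {f.cmdline[:70]}")
    print(technique_counts(findings))
```

Running it over the sample list flags the two BadRabbit task creations as SYSTEM tasks, the wevtutil/fsutil line as both log clearing and USN-journal deletion, and each 7ev3n REG ADD by its target value; the task deletion, the benign Firefox launch and the rgd_bcd_condition/crypted marker values produce no findings, which is the intended behaviour for rules that key on impact rather than on the binary.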
Processes
Indentation shows parent/child depth. Each entry is the image path with its PID, then the command line, then the signatures the sandbox attributed to that process. File names rendered as [email protected] were mangled by e-mail-address obfuscation when the page was captured; the real names are not recoverable from this copy. PIDs are reused within the session (5088, 5000 and 1128 each appear on unrelated processes), so match on image and command line, not on PID alone.

C:\Windows\system32\NOTEPAD.EXE [PID 4188]
    C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\test.txt
    - Opens file in notepad (likely ransom note)

C:\Program Files\Mozilla Firefox\firefox.exe [PID 5088]
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\firefox.exe [PID 1032]
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        - Checks processor information in registry
        - Modifies registry class
        - NTFS ADS
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Program Files\Mozilla Firefox\firefox.exe [PID 1208]
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1032.0.1674922741\77923838" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {27196c98-b1f7-4fd7-95f9-0d26df307bdd} 1032 "\\.\pipe\gecko-crash-server-pipe.1032" 1796 16532706158 gpu
        C:\Program Files\Mozilla Firefox\firefox.exe [PID 2592]
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1032.1.1000807994\724327605" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80e3456e-5e43-49eb-9275-2a110e569114} 1032 "\\.\pipe\gecko-crash-server-pipe.1032" 2148 165311f2b58 socket
        C:\Program Files\Mozilla Firefox\firefox.exe [PID 2276]
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1032.2.1255465308\212319204" -childID 1 -isForBrowser -prefsHandle 3116 -prefMapHandle 3112 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {159f13b4-38ad-43ca-8374-dd2cb03fe35e} 1032 "\\.\pipe\gecko-crash-server-pipe.1032" 3128 165353fc358 tab
        C:\Program Files\Mozilla Firefox\firefox.exe [PID 1612]
            "C:\Program Files\Mozilla Firefox\fir­efox.exe" -contentproc --channel="1032.3.1901962770\563195593" -childID 2 -isForBrowser -prefsHandle 3420 -prefMapHandle 3416 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0591a259-b8d2-4d0b-9c4d-eb925876a9ab} 1032 "\\.\pipe\gecko-crash-server-pipe.1032" 3436 16536405158 tab
        C:\Program Files\Mozilla Firefox\firefox.exe [PID 1120]
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1032.4.1298486808\1705706599" -childID 3 -isForBrowser -prefsHandle 4184 -prefMapHandle 4180 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e39990a-0c0a-421e-819c-4c34fd442525} 1032 "\\.\pipe\gecko-crash-server-pipe.1032" 4196 165338be558 tab
        C:\Program Files\Mozilla Firefox\firefox.exe [PID 3884]
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1032.7.1865183187\503532519" -childID 6 -isForBrowser -prefsHandle 5164 -prefMapHandle 5168 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6dbbff73-8242-46b9-bd12-270d121dcfd1} 1032 "\\.\pipe\gecko-crash-server-pipe.1032" 5156 16537ba2158 tab
        C:\Program Files\Mozilla Firefox\firefox.exe [PID 3556]
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1032.6.903488386\2100277238" -childID 5 -isForBrowser -prefsHandle 4964 -prefMapHandle 4968 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5ec6592-eaa5-4807-b022-05fe947bd646} 1032 "\\.\pipe\gecko-crash-server-pipe.1032" 4956 16537ba1b58 tab
        C:\Program Files\Mozilla Firefox\firefox.exe [PID 5088]
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1032.5.1028773794\2143165915" -childID 4 -isForBrowser -prefsHandle 2624 -prefMapHandle 4388 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5414382-a494-4f2d-99c3-fa11a08c2511} 1032 "\\.\pipe\gecko-crash-server-pipe.1032" 4720 1653534b558 tab
        C:\Program Files\Mozilla Firefox\firefox.exe [PID 2348]
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1032.8.1998225742\1279019553" -childID 7 -isForBrowser -prefsHandle 5596 -prefMapHandle 5604 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fec93d28-6cbe-4abe-a284-498730744672} 1032 "\\.\pipe\gecko-crash-server-pipe.1032" 5616 16539694558 tab
        C:\Program Files\Mozilla Firefox\firefox.exe [PID 3776]
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1032.9.1674476908\2051361579" -childID 8 -isForBrowser -prefsHandle 5244 -prefMapHandle 5332 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {da14fc51-3588-4f6b-9cae-bb5679ee69e7} 1032 "\\.\pipe\gecko-crash-server-pipe.1032" 4524 16539923258 tab

C:\Windows\System32\rundll32.exe [PID 5088]
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected] [PID 4692]
    "C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]"
    - Drops file in Windows directory
    (BadRabbit dropper, run straight out of the Explorer temporary extraction folder for BadRabbit.zip)
    C:\Windows\SysWOW64\rundll32.exe [PID 4688]
        C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe [PID 540]
            /c schtasks /Delete /F /TN rhaegal
            C:\Windows\SysWOW64\schtasks.exe [PID 5000]
                schtasks /Delete /F /TN rhaegal
        C:\Windows\SysWOW64\cmd.exe [PID 4700]
            /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 428235639 && exit"
            C:\Windows\SysWOW64\schtasks.exe [PID 3160]
                schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 428235639 && exit"
                - Creates scheduled task(s)
        C:\Windows\SysWOW64\cmd.exe [PID 3080]
            /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 10:00:00
            C:\Windows\SysWOW64\schtasks.exe [PID 1312]
                schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 10:00:00
                - Creates scheduled task(s)
        C:\Windows\5FD9.tmp [PID 3456]
            "C:\Windows\5FD9.tmp" \\.\pipe\{26E5F20D-2899-44F4-8F69-0043BFA2086F}
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe [PID 1060]
            /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
            (clears the four main event logs and deletes the NTFS USN change journal on C:, removing the file-system timeline a responder would otherwise recover)
        C:\Windows\SysWOW64\cmd.exe [PID 1128]
            /c schtasks /Delete /F /TN drogon

C:\Users\Admin\Downloads\BadRabbit\[email protected] [PID 3656]
    C:\Windows\SysWOW64\rundll32.exe [PID 4792]
        C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Downloads\BadRabbit\[email protected] [PID 5000]
    C:\Windows\SysWOW64\rundll32.exe [PID 5088]
        C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Downloads\BadRabbit\[email protected] [PID 4220]
    C:\Windows\SysWOW64\rundll32.exe [PID 2832]
        C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskmgr.exe [PID 4992]
    "C:\Windows\system32\taskmgr.exe" /4
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

C:\Users\Admin\Downloads\BadRabbit\[email protected] [PID 4416]
    C:\Windows\SysWOW64\rundll32.exe [PID 5000]
        C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Downloads\7ev3n\[email protected] [PID 3432]
    C:\Users\Admin\AppData\Local\system.exe [PID 3388]
        "C:\Users\Admin\AppData\Local\system.exe"
        - Executes dropped EXE
        C:\Windows\SysWOW64\cmd.exe [PID 844]
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
        C:\Windows\SysWOW64\SCHTASKS.exe [PID 4556]
            C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
            - Creates scheduled task(s)
        C:\windows\SysWOW64\cmd.exe [PID 1488]
            C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
            C:\Windows\SysWOW64\reg.exe [PID 664]
                REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
                - Modifies WinLogon for persistence
        C:\windows\SysWOW64\cmd.exe [PID 3624]
            C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
            C:\Windows\SysWOW64\reg.exe [PID 5004]
                REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
                - Adds Run key to start application
        C:\windows\SysWOW64\cmd.exe [PID 4252]
            C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
            C:\Windows\SysWOW64\reg.exe [PID 1128]
                REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
                - UAC bypass
        C:\windows\SysWOW64\cmd.exe [PID 2700]
            C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
            C:\Windows\SysWOW64\reg.exe [PID 936]
                REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
                (no signature fired; this is a marker value the sample sets for its own state tracking)
        C:\windows\SysWOW64\cmd.exe [PID 2812]
            C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
            C:\Windows\SysWOW64\reg.exe [PID 516]
                REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
                (506 is the default 510 with SKF_HOTKEYACTIVE (0x4) cleared: pressing Shift five times will no longer open the Sticky Keys dialog, which is one of the few ways out of a full-screen lock window)
        C:\windows\SysWOW64\cmd.exe [PID 992]
            C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
            C:\Windows\SysWOW64\reg.exe [PID 2708]
                REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
                (no signature fired, but this is the lock-screen hardening: the map sends LAlt, RAlt, LWin, RWin, RShift, LCtrl, RCtrl, Tab, Esc, Enter, F4, F1, F10, NumLock, F3 and the Apps key to scancode 0, i.e. disables them, so Ctrl+Alt+Del, Alt+F4, Alt+Tab and the Win key stop working after the reboot the sample triggers below)
        C:\Windows\SysWOW64\cmd.exe [PID 3944]
            C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
            C:\Windows\SysWOW64\reg.exe [PID 3716]
                REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
        C:\Windows\SysWOW64\cmd.exe [PID 4944]
            C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
            C:\Windows\SysWOW64\shutdown.exe [PID 2148]
                shutdown -r -t 10 -f
                - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\LogonUI.exe [PID 1404]
    "LogonUI.exe" /flags:0x0 /state0:0xa3aa2055 /state1:0x41c64e6d
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx

C:\Windows\System32\rundll32.exe [PID 3400]
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
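The Scancode Map value that system.exe writes through reg.exe (PID 2708) is the part of the 7ev3n run that no signature explains, so here is a decoder for it. This is an added example, not code from the sandbox or from the sample; it parses the REG_BINARY blob exactly as it appears in the process tree, using the documented value layout (DWORD version, DWORD flags, DWORD entry count that includes the null terminator, then one DWORD per mapping whose low WORD is the replacement scancode and high WORD the original). The scancode-to-key table is a hand-picked subset of the Set 1 make codes covering only the keys this blob touches. One caveat the example handles: the blob declares 0x17 (23) entries but only 17 DWORDs follow the header, so the parser walks the data length and stops at the first null entry instead of trusting the attacker-supplied count.

```python
r"""Decode a Windows "Scancode Map" registry value.

Added example for this report, not code from the sandbox or from 7ev3n. It
parses the REG_BINARY blob that system.exe (PID 3388) had reg.exe write to
HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout\Scancode Map.
Layout (documented by Microsoft): DWORD version, DWORD flags, DWORD count of
entries including the null terminator, then one little-endian DWORD per
mapping: low WORD = new scancode, high WORD = original scancode. New scancode
0 disables the key.
"""
import struct

# The 80-byte value exactly as passed to REG ADD in the process tree above,
# split into DWORDs for readability.
SCANCODE_MAP_HEX = "".join([
    "00000000", "00000000", "17000000",
    "00003800", "000038e0", "00005be0", "00005ce0", "00003600", "00001d00",
    "00001de0", "00000f00", "00000100", "00001c00", "00003e00", "00003b00",
    "00004400", "00004500", "00003d00", "00005de0",
    "00000000",
])

# Set 1 make codes for the keys this blob touches (0xE0xx = extended-prefix
# keys). A fuller table is needed to name arbitrary maps; unknown codes are
# printed as hex.
SCANCODE_NAMES = {
    0x0001: "Esc", 0x000F: "Tab", 0x001C: "Enter", 0x001D: "LCtrl",
    0x002A: "LShift", 0x0036: "RShift", 0x0038: "LAlt", 0x003B: "F1",
    0x003C: "F2", 0x003D: "F3", 0x003E: "F4", 0x0044: "F10", 0x0045: "NumLock",
    0xE01D: "RCtrl", 0xE038: "RAlt", 0xE05B: "LWin", 0xE05C: "RWin", 0xE05D: "Apps",
}


def parse_scancode_map(blob: bytes) -> dict:
    """Parse header and mappings, bounded by the data length.

    The declared count is attacker-controlled. This blob says 23 entries but
    carries 17, so a parser that trusted the count would read past the end of
    the value; instead we walk the bytes we have and stop at the null entry.
    """
    if len(blob) < 12 or len(blob) % 4:
        raise ValueError("Scancode Map must be at least 12 bytes and DWORD-aligned")
    version, flags, declared = struct.unpack_from("<III", blob, 0)
    mappings = []
    terminated = False
    for off in range(12, len(blob), 4):
        new_code, orig_code = struct.unpack_from("<HH", blob, off)
        if new_code == 0 and orig_code == 0:      # null terminator entry
            terminated = True
            break
        mappings.append((orig_code, new_code))
    return {
        "version": version,
        "flags": flags,
        "declared_count": declared,                        # what the header claims
        "actual_count": len(mappings) + (1 if terminated else 0),  # same convention
        "terminated": terminated,
        "mappings": mappings,
    }


def key_name(code: int) -> str:
    return SCANCODE_NAMES.get(code, f"0x{code:04X}")


def describe(mapping) -> str:
    """Human-readable form of one (original, new) pair."""
    orig_code, new_code = mapping
    if new_code == 0:
        return f"{key_name(orig_code)} -> disabled"
    return f"{key_name(orig_code)} -> {key_name(new_code)}"


def disabled_keys(parsed: dict) -> list:
    """Names of every key the map switches off, in blob order."""
    return [key_name(o) for o, n in parsed["mappings"] if n == 0]


if __name__ == "__main__":
    parsed = parse_scancode_map(bytes.fromhex(SCANCODE_MAP_HEX))
    print(f"declared entries: {parsed['declared_count']}, present: {parsed['actual_count']}")
    for m in parsed["mappings"]:
        print("  " + describe(m))
```

Decoding this blob gives sixteen mappings, every one of them to scancode 0: both Alt keys, both Win keys, both Ctrl keys, Right Shift, Tab, Esc, Enter, F1, F3, F4, F10, NumLock and the Apps key. Together with the StickyKeys change that is the whole set of keyboard escapes from a full-screen lock window; since kbdclass reads the value at driver start, it takes effect on the reboot that system.exe forces ten seconds later. To undo it on a live host, delete the Scancode Map value and reboot.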
Network
MITRE ATT&CK Enterprise v15
Persistence
    Boot or Logon Autostart Execution (2)
        Registry Run Keys / Startup Folder (1)
        Winlogon Helper DLL (1)
    Scheduled Task/Job (1)
Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Boot or Logon Autostart Execution (2)
        Registry Run Keys / Startup Folder (1)
        Winlogon Helper DLL (1)
    Scheduled Task/Job (1)
Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Impair Defenses (1)
        Disable or Modify Tools (1)
    Modify Registry (3)
Downloads
-
Filesize 10KB
MD5 bcbefcdce9964943d9cca8498559e1d8
SHA1 fdd6c88e0f8b69aeb9c60e29f42a0dd5524ed7a1
SHA256 6ac4f7c712bfc1d059eb8c84f30be000f7dd6a5f5a8066b752af53d5ebfa5812
SHA512 d05ad8c2aa5b133e6289ce2270e398ad946104ae152546167628f2be014cb4a1b13c1345577b1aaf6fd336ba59db7f63c8ae18c0ce6ae0a466e5b1eaaacefbff
-
Filesize 15KB
MD5 3c0452a15136b1772472d53c1ac8ba24
SHA1 16bffb23a5450940323fdc33b698dbfe9a85f803
SHA256 75bf2679c9d252e3092f567ab1dd532bc802fcfaadf32be161191864ecee1d20
SHA512 48b54e8ebb2ab0241be4bb6227c3cbd572ea1489bfafc2489abf4c77d2dd47b16aa6d59b238bc3c06ff1dee8bdf567df56bb06779e45e02ca0e61168c2f53d95
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\28jjyjhp.default-release\jumpListCache\GFK6h99n3Fmr+hmWanRulA==.ico
Filesize 25KB
MD5 6b120367fa9e50d6f91f30601ee58bb3
SHA1 9a32726e2496f78ef54f91954836b31b9a0faa50
SHA256 92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0
SHA512 c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f
-
Filesize 73B
MD5 d3c830e076f1218799413e6a2440d0f9
SHA1 b66fa7a6aaca9263fb5f80364a52fdaffe725092
SHA256 a0dceeff45a8998138fe2d61be9e4ecea705b142a81a91999366e85f24edcb9f
SHA512 c7e3bd78d17db59bfe9547d396d2a7569c1ba17a1949cdbaecb09e0a032d616e19e76a1bfb07871f535b37fcfbecc6aa70d2e02c2ad1098a6905415e36fdebcc
-
Filesize 315KB
MD5 59305057914c668fa7d30a544b974010
SHA1 9a375ead5fcd2d28c9657f8a3a30a74e7da88ff9
SHA256 45db7cc7916d9903b717b636dc3e2b40e4ea8fde948a5ff51416b319e7d1dd58
SHA512 a44a6eb2eac8b100c7ed13ba98c1237b235545016be4738247a000ec13e75ca9c6d2e4e65a9e781fa8fc5cef63419866ff8fe26edd44049f7c171bc2abd7b2be
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize 20KB
MD5 e416cc9dd37903b130229f07936f189e
SHA1 33d5e526c17ea18fe98bff8851e225afdfdfa4ab
SHA256 6f4ad33bd6762d98495ccd2039327ceba7c52e4605a830aaf81225919a73617b
SHA512 ec926999fe8762cfeb583e8f788abbf422288385e6a8cd5f04d73c8bf82438b408a198002c78ad64ab84cb6df8eae7bd80af6eaf7e70cdc1ba382d7a7429d1f6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\28jjyjhp.default-release\datareporting\glean\db\data.safe.bin
Filesize 2KB
MD5 20bddb22ad92032f7efc421bdf0918d8
SHA1 e6cd8d10056dd806bcb570275621d71ded0819ee
SHA256 6130fa9e9887200554e00dd48d3f3175f9524a44a2a6775e4469c05ea6b9e8e0
SHA512 523cbbdc2ca53090fee0513e368bdbdc4bf104b6198aee213131bc757a65a90822fe0e7f3fdf2e8f63be5579efe3ddcf416398dedf5e8564b08b5f069f9d9c48
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\28jjyjhp.default-release\datareporting\glean\pending_pings\203fa3fd-db4e-405e-899c-4fb19e1adb9a
Filesize 746B
MD5 42d83ba2bd15e26894ca2356f425a19d
SHA1 b29231d32b514365753e569c3be8f3a4315ed4ee
SHA256 990e743894a92214d565027af66d16324039b0b01a462144327b082027af2435
SHA512 1a0406367a71e0f0c9fd535fb818f6369af50031c1ffbcf48a91f5a5225d2bfd9149291650d6a0df840d8f5710037979e235be4d2e9afb5797021cd0716eb55c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\28jjyjhp.default-release\datareporting\glean\pending_pings\8ecdd1df-d8f3-448d-a343-cdb648a1f56b
Filesize 10KB
MD5 250db64ec1745286455354e9690552fb
SHA1 751288f047696659710dad213337fcf60f07c831
SHA256 5427b9227b826cedabd91486bcdd9aea9b516b358eb5202061a2d3ea51042df5
SHA512 3685ef1ed8293b34802a07739e798609e50ac78350bb21a18c363223ff7cc1a5b108dd43091e675f53a64b059a50e46241195b7eedea282e0081affb6f597eed
-
Filesize 6KB
MD5 0a78674a6b0bdba76a5d083b780e155b
SHA1 a700551821048482f7c81be95e644fe45ddb2a0e
SHA256 29a4aca5547e1e98837748b170478bb9aa2317b07db5e0bb42114d26229dde47
SHA512 d69960bf9f5ed4c1bcc0e71a85410852f64f3f9d2397b4de7e59c11646e3e7d01ca6d6e1c62210e8dbab00643d68499bfe67b164da2b16336e45e632da519bdd
-
Filesize
6KB
MD5
19193fe212fa16f5c0e3d310cf3a1662
SHA1
6d9ed46778e77b87d1a6fb17bef0702ad446af14
SHA256
891fbb711e7391751edd5f992bcb5881baff5e9b491cc72f563f4d2820434fa8
SHA512
9f342fc3592b94b4c478b1092b234572fb4d9b7a57c422a142879c72e07adc15bd86bbf99db0b7f3870f5d19654a1bc66e6482bfe2fc0bf6aecb4010a0a8c2e0
-
Filesize
6KB
MD5
d77d4853df4fa582b3bbc9cb43f99b7e
SHA1
f6927e0a5c91d3b2a2256b4b9774591c74865bba
SHA256
da5754d81c9b55a532629ae608ff8ea43322117d53b8c1c9f50815c9291b4008
SHA512
ede2ad477405f56faa5160d064de52eeefb86618f0fcf7d30d4b173f053bd8fe68a38d02bc6cd670397166abed69bd292f52469ad6a339238d7c423d89cde6ff
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\28jjyjhp.default-release\sessionCheckpoints.json.tmp
Filesize
259B
MD5
c8dc58eff0c029d381a67f5dca34a913
SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d
SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17
SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\28jjyjhp.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB
MD5
af0fa06f8e98af5f57aefbba8a82ff17
SHA1
a2a6cb64c60c5b8032f5678023d39483c2be138b
SHA256
a64b328f06fad12068ef5aa6af6805cb5a12fad38905325a520a172876e791da
SHA512
032e47da69aa03cde8d432c25f0b1a4b457615c13160c09d586fd497c24c8292af13baf1b67ccd53d24ca5f1de7502538d3bbc1941436cb938a360fea1f35f89
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\28jjyjhp.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB
MD5
3adcc0a90a364a0213ae75ee374464e7
SHA1
5042ced2f705f0fa17b27ec6b279464c6087c0e8
SHA256
120de10cf54c972c6e2b622abd6b5cfaefba47e9c0c6fe818d9b9c2966271869
SHA512
9d4416fe78896becba54e3e7453578a6e7f24d2000bb0a5310f0d63ad44e7ef1e5b6abc56668f299f475f596d94e693a0058ae6b19cfafde321dc44ebc0e00cf
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\28jjyjhp.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
6KB
MD5
19a4d03d980026fcff8c1eb1b1df1fb1
SHA1
9d4a59e43a1c171d81609041e9d88b3ad28d58d3
SHA256
97f4f0abf3c952d7eb17b78f372412fdb38ce88025319c3764e320d72107d6bb
SHA512
053fc2a41929bf6db8242eebe4c15f4bad8ada824035d7271a1e409b95f12a6ad869516ce54e85ff665058fadf4001027119b99426c06c090b52895a4777fcf0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\28jjyjhp.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB
MD5
a98039cc6db7bd6dd16eb6881604e160
SHA1
c5846cd723e2e7fe2bea2a94781fda9d795d1b05
SHA256
1d3c8d76f5e4efba726077c30c05b8d1a9de3fc6b87c80785a01b5c8f24f9165
SHA512
c753531cd469f4957eed2f4a45a6534a9daa19321b95d7fd3e9c210484d5f5b2673edac58665ebee3d527598fc038c5233f84c3931f9dc9c7169218125961003
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\28jjyjhp.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
6KB
MD5
b3af55b2ec90d7eed309f199dd389274
SHA1
9a0f1a0e205cead06a200db684d07b819ea336fd
SHA256
62099b959ab29997e122f0a24a508d10ed78c18e704f2b5ec100027618ef707a
SHA512
e13461377de979e3fa7aa3c48f59a510d73b7d8004ac2f76aefe31198cfdac135e1b1890cd6ce634842b24533427c39914f6e277280841bfff08c3d094fab397
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\28jjyjhp.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
6KB
MD5
4bb15104ba51ee4af35433503cb3f573
SHA1
e73f5b47cc443acefbe1472de5443a85fba21422
SHA256
2b1205f0c31f6bd825c724da2c60d09477625288ab3e09345b89991a9506d051
SHA512
4fc128891be1df6543f2c2178834e0b16ae82d98adaa2afdc1db52dcd744dbbfa74b849737620764e7a9a05281de4ddb2eb98418f3107749e54d105341ac86d4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\28jjyjhp.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
6KB
MD5
ff37cf8602d1b15a6855191494e330ec
SHA1
b6d547406917958970749943e7cf1f67277200e2
SHA256
3add326d5e6ac73d0dab37c82df2e3e1a44e6b85d56a884e63b81ec083b97ad6
SHA512
fd87a33cab866a508211e0d173de3e92a5db080f3f70d5db013cde94518f5659cc856296b2304df20439f85f3f9e9440ea5eed0b0ebe474427be6200dd19544a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\28jjyjhp.default-release\sessionstore.jsonlz4
Filesize
6KB
MD5
86a33dfc59f9e177dcb96dd1ec4d7c31
SHA1
d5da057dc41ca07ad8400686219baf2ab51d3864
SHA256
988d789c65e54962cd6eb4067a4ae84e472c71cf4eaa88676d62dec2450f7b8a
SHA512
604e10c68ce6b04ffc29c9a14f299a2f7444b7cab82f54dead11763b5147a3a282849d19da7df2e647e833f75ee0ce3607b13c25dffa10ea7ad933c631fa9105
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\28jjyjhp.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB
MD5
4eda6874c272bffcb52d78ab368c2a95
SHA1
99b01e289a92aaaf6227ac0488c5f76fe05317c8
SHA256
32750c4de1eccb5d40a5689f9bb4eabfe23c04adcb470d761ee44ca88dbd778c
SHA512
9fddd56b0b0c80c26e0923dca26a96115f50ae066e8b2c21abc461c64c5b7b3749bf6c56c99804c25462abdd65bd2108d6573abf5eafac89b66f8a237f3bfa31
-
Filesize
393KB
MD5
51acb487577a77dc3426291d9a5d6c2b
SHA1
d06ca86b736e56eb77080dd1bda3615fe42d7b42
SHA256
a0efea580063461ec4ce48a797d5f930a1dd793fe1634965935086871f50d132
SHA512
01bc214b3659fa13c3e2d4b4adf89ffdb70e8505155f6cb157a138aa2f1fc3df522a7ad78149c1d58ca84af35c7af328d7d38578c10839fd81d7c330fa8c1347
-
Filesize
393KB
MD5
61da9939db42e2c3007ece3f163e2d06
SHA1
4bd7e9098de61adecc1bdbd1a01490994d1905fb
SHA256
ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa
SHA512
14d0bc14a10e5bd8022e7ab4a80f98600f84754c2c80e22a8e3d9f9555dde5bad056d925576b29fc1a37e73c6ebca693687b47317a469a7dfdc4ab0f3d97a63e
-
Filesize
139KB
MD5
c6f3d62c4fb57212172d358231e027bc
SHA1
11276d7a49093a51f04667975e718bb15bc1289b
SHA256
ea60123ec363610c8cfcd0ad5f0ab2832934af69a3c715020a09e6d907691d4c
SHA512
0f58acac541e6dece45949f4bee300e5bbb15ff1e60defe6b854ff4fb57579b18718b313bce425999d3f24319cfb3034cd05ebff0ecbd4c55ce42c7f59169b44
-
Filesize
60KB
MD5
347ac3b6b791054de3e5720a7144a977
SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
-
Filesize
401KB
MD5
1d724f95c61f1055f0d02c2154bbccd3
SHA1
79116fe99f2b421c52ef64097f0f39b815b20907
SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113
-
Filesize
401KB
MD5
c4f26ed277b51ef45fa180be597d96e8
SHA1
e9efc622924fb965d4a14bdb6223834d9a9007e7
SHA256
14d82a676b63ab046ae94fa5e41f9f69a65dc7946826cb3d74cea6c030c2f958
SHA512
afc2a8466f106e81d423065b07aed2529cbf690ab4c3e019334f1bedfb42dc0e0957be83d860a84b7285bd49285503bfe95a1cf571a678dbc9bdb07789da928e