Resubmissions
- 18/04/2024, 20:02  240418-yr4gfsef9v  score 10
- 18/04/2024, 19:59  240418-yqw1zsef5z  score 10
- 23/03/2024, 00:07  240323-aearlsag84  score 10
- 20/03/2024, 19:20  240320-x17psshe51  score 10
- 20/03/2024, 19:18  240320-xz2gdshe3t  score 10
- 19/03/2024, 21:09  240319-zzr9tsgd4t  score 10
Analysis
- max time kernel: 211s
- max time network: 219s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 18/04/2024, 20:02
Behavioral tasks
- behavioral1: sample GH0ST.exe, resource win10-20240404-en
- behavioral2: sample GH0ST.exe, resource win10v2004-20240412-en
Errors
General
- Target: GH0ST.exe
- Size: 127KB
- MD5: 90b828929de1319e5b9bf94f4ae990b3
- SHA1: 8fc41267cfb9f057e78beca15b775d20fb01434b
- SHA256: 14592b6ee58e6c1abe76e8148f087b1da84f54892b1cca31540dd728298bb185
- SHA512: 57e50e8c3e424980bfb96d4d1862e998efd50e45df25478fc80537a67a27b8d7aa8cce00400e0126216395205946a38876a2ff494b74d86043c5e5779a4b5921
- SSDEEP: 3072:oDk4Rq96liXWAPEV9Ue4znvqg2WVrxuF:h4Rq9UCW7WhZx
Malware Config
- Extracted: C:\Users\Default\read_it.txt
Signatures
Chaos
Ransomware family first seen in June 2021.
Chaos Ransomware 2 IoCs
- resource behavioral1/memory/5060-0-0x0000000000F10000-0x0000000000F36000-memory.dmp: yara_rule family_chaos
- resource behavioral1/files/0x000900000001a681-6.dat: yara_rule family_chaos
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
- PID 4628 bcdedit.exe
- PID 960 bcdedit.exe
Deletes backup catalog 1 IoCs
- PID 4240 wbadmin.exe
Disables Task Manager via registry modification
Drops startup file 2 IoCs
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (svchost.exe)
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt (svchost.exe)
Executes dropped EXE 2 IoCs
- PID 3512 svchost.exe
- PID 5620 dismhost.exe
Loads dropped DLL 5 IoCs
- PID 5620 dismhost.exe (5 entries)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 1 IoCs
- Set value (str) \REGISTRY\USER\S-1-5-21-3998431567-3716957556-781226098-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" (svchost.exe)
Drops desktop.ini file(s) 64 IoCs
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) \??\F: (systemreset.exe)
Drops file in System32 directory 1 IoCs
- File opened for modification C:\Windows\system32\Recovery\ReAgent.xml (systemreset.exe)
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
- Set value (str) \REGISTRY\USER\S-1-5-21-3998431567-3716957556-781226098-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bg5uf6ewx.jpg" (svchost.exe)
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000 (vds.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (vds.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 (vds.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName (vds.exe)
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
- PID 4796 vssadmin.exe
Modifies data under HKEY_USERS 15 IoCs
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" (LogonUI.exe)
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" (LogonUI.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" (LogonUI.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" (LogonUI.exe)
Modifies registry class 2 IoCs
- Key created \REGISTRY\USER\S-1-5-21-3998431567-3716957556-781226098-1000_Classes\Local Settings (firefox.exe)
- Key created \REGISTRY\USER\S-1-5-21-3998431567-3716957556-781226098-1000_Classes\Local Settings (svchost.exe)
Opens file in notepad (likely ransom note) 1 IoCs
- PID 1456 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 2 IoCs
- PID 5060 GH0ST.exe
- PID 3512 svchost.exe
Suspicious behavior: EnumeratesProcesses 33 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
- PID 1596 systemreset.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 4 IoCs
- PID 3528 firefox.exe (4 entries)
Suspicious use of SendNotifyMessage 3 IoCs
- PID 3528 firefox.exe (3 entries)
Suspicious use of SetWindowsHookEx 4 IoCs
- PID 3528 firefox.exe
- PID 4788 SecHealthUI.exe
- PID 1596 systemreset.exe
- PID 5452 LogonUI.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\GH0ST.exe"C:\Users\Admin\AppData\Local\Temp\GH0ST.exe"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3512 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete3⤵PID:1472
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:4796
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3608
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no3⤵PID:4564
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:4628
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
PID:960
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet3⤵PID:5076
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
PID:4240
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt3⤵
- Opens file in notepad (likely ransom note)
PID:1456
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3192 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.0.326215572\1643022512" -parentBuildID 20221007134813 -prefsHandle 1704 -prefMapHandle 1696 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c14f173a-581b-4ed1-8b72-5463ea126e6b} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 1800 22f373d6a58 gpu3⤵PID:2588
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.1.1500268580\1666324317" -parentBuildID 20221007134813 -prefsHandle 2152 -prefMapHandle 2148 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc037da1-733b-40b8-9db5-7dc14b886888} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 2164 22f251e5a58 socket3⤵
- Checks processor information in registry
PID:4508
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.2.1600050161\139103211" -childID 1 -isForBrowser -prefsHandle 2952 -prefMapHandle 2948 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1088 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2cdb6ca-ca3c-4c73-904c-bdcaf480c46e} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 2964 22f3b69d058 tab3⤵PID:1724
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.3.592665314\477958844" -childID 2 -isForBrowser -prefsHandle 3480 -prefMapHandle 3476 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1088 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6cf59885-bbd1-45ab-ad1c-ed08af3d714a} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 3492 22f25162858 tab3⤵PID:1800
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.4.1804941241\627965472" -childID 3 -isForBrowser -prefsHandle 4220 -prefMapHandle 4196 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1088 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd935d4f-5e7d-41d1-9b7e-984ce706f4ae} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 4240 22f3d0de058 tab3⤵PID:2548
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.5.1597213562\293354862" -childID 4 -isForBrowser -prefsHandle 4760 -prefMapHandle 4432 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1088 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ca98365-2d30-40cf-9fd9-4483b004f980} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 4904 22f3d4dff58 tab3⤵PID:524
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.6.145070365\2004329834" -childID 5 -isForBrowser -prefsHandle 5000 -prefMapHandle 5004 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1088 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fafab8cd-54c7-4422-b9ba-33c5b668a736} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 4376 22f3dbc5358 tab3⤵PID:4072
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.7.1189076637\594625862" -childID 6 -isForBrowser -prefsHandle 5196 -prefMapHandle 5200 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1088 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d678c78c-14a6-46aa-bb0b-2429ff681f17} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 5280 22f3dbc3b58 tab3⤵PID:3364
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4904
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4220
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:4520
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:5088
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding1⤵PID:4564
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵PID:5724
C:\Windows\System32\Netplwiz.exe"C:\Windows\System32\Netplwiz.exe"1⤵PID:5860
C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:4788
C:\Windows\system32\systemreset.exe"C:\Windows\system32\systemreset.exe" -moset1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1596
C:\$SysReset\Scratch\2B1B2DFE-899F-4425-8A67-F36E3692CB23\dismhost.exeC:\$SysReset\Scratch\2B1B2DFE-899F-4425-8A67-F36E3692CB23\dismhost.exe {043EDAA5-2B36-4C02-9FC9-3354A46F571C}2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5620
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:4428
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:3064
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4596
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3a87855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5452
Downloads