Analysis

max time kernel: 203s
max time network: 202s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
submitted: 26-04-2024 13:34
General

Target: smss.exe
Size: 9.2MB
MD5: 53b92442e012db2fc2ee7dc22ee932a9
SHA1: 750d3f0ac227ccaa2c2a86859cffa4a2ac7cb1d1
SHA256: 776217117d4b2ecdb07b8a182581e4fd562c0a5785340f86100cf5c1b4eff62e
SHA512: b64301d65f48f76855ad89723a933f6e25478ae3a5bcc35cbef81badd08d6dc565d41b51b46a9ab1ad750f0dfa81bffc3c4e6b3b5708f49fd937c948d674c430
SSDEEP: 196608:uDL2f4ARa+Yw//FpKv45ZhxE5ckWxoUPTYC39SGVy32idMfeaq6p:2L2f4ARaat64fhuWxjBE2SMfeaq6p
Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges. In this run a local account "John" is created with net user and then added to the Administrators, Remote Desktop Users and Remote Management Users groups, with the group name tried in English, Russian and Spanish spellings (see Processes).
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | smss.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | smss.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
pid | Process
5608 | netsh.exe
Sets DLL path for service in the registry 2 TTPs 1 IoCs
TermService's ServiceDll normally points at %SystemRoot%\System32\termsrv.dll; repointing it at rdpwrap.dll is how RDP Wrapper hooks the Remote Desktop service, here so that the newly created account can log on over RDP.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll" | RDPWinst.exe
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | smss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | smss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | smss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | smss.exe
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation | winserv.exe (4 identical rows)
Executes dropped EXE 7 IoCs
pid | Process
4264 | winserv.exe
3840 | winserv.exe
5476 | RDPWinst.exe
1944 | winserv.exe
3304 | winserv.exe
1964 | winserv.exe
340 | smss.exe
Loads dropped DLL 64 IoCs
pid | Process
5556 | svchost.exe
4952 | unlicense.exe (repeated rows)
4640 | unlicense.exe (repeated rows)
5552 | unlicense.exe (repeated rows)
(64 rows in total, one per DLL load)
Themida-packed code (yara rule: themida) 25 IoCs
resource | yara_rule
behavioral1/memory/2960-{0,2,3,4,5,6,7,8,9,111,180,351,359}-0x00007FF6B4F60000-0x00007FF6B5EF8000-memory.dmp | themida (13 dumps of PID 2960)
behavioral1/files/0x000900000001acd0-728.dat | themida
behavioral1/memory/340-{1245,1246,1247,1248,1249,1250,1251,1252,1466,1741}-0x00007FF79A710000-0x00007FF79B6A8000-memory.dmp | themida (10 dumps of PID 340)
behavioral1/files/0x000700000001ad5a-1732.dat | themida
Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smss.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
flow | ioc
82 | camo.githubusercontent.com
85 | camo.githubusercontent.com
86 | camo.githubusercontent.com
89 | camo.githubusercontent.com
81 | raw.githubusercontent.com
83 | raw.githubusercontent.com
84 | raw.githubusercontent.com
87 | camo.githubusercontent.com
88 | raw.githubusercontent.com
Caveat: these flows are not attributed to a process, and firefox.exe was active in this run (it downloaded both the sample and an unlicense archive, see NTFS ADS), so GitHub traffic cannot be pinned on the sample from this table alone.
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
37 | ip-api.com
Modifies WinLogon 2 TTPs 1 IoCs
AllowMultipleTSSessions=1 is the second half of the RDP Wrapper setup: it lets several interactive sessions coexist, so the operator's RDP logon does not disconnect the console user.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | RDPWinst.exe
AutoIT Executable 20 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2960-{3,4,5,6,7,8,9,111,180,351,359}-0x00007FF6B4F60000-0x00007FF6B5EF8000-memory.dmp | autoit_exe (11 dumps of PID 2960)
behavioral1/memory/340-{1247,1248,1249,1250,1251,1252,1466,1741}-0x00007FF79A710000-0x00007FF79B6A8000-memory.dmp | autoit_exe (8 dumps of PID 340)
behavioral1/files/0x000700000001ad5a-1732.dat | autoit_exe
(The same memory regions match the themida rule above: a compiled AutoIT script wrapped in Themida.)
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid | Process
2960 | smss.exe
340 | smss.exe
Drops file in Program Files directory 5 IoCs
description | ioc | Process
File created | C:\Program Files\RDP Wrapper\rdpwrap.ini | RDPWinst.exe
File created | C:\Program Files\RDP Wrapper\rdpwrap.dll | RDPWinst.exe
File opened for modification | \??\c:\program files\rdp wrapper\rdpwrap.txt | svchost.exe
File opened for modification | C:\Program Files\RDP Wrapper | smss.exe
File opened for modification | C:\Program Files\RDP Wrapper\rdpwrap.ini | smss.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 23 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe (repeated)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe (repeated)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe (repeated)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe (repeated)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe (repeated)
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | smss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | smss.exe
(23 rows in total. Only the two smss.exe rows belong to the sample; the firefox.exe rows come from the browser that fetched it.)
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
784 | schtasks.exe
2976 | schtasks.exe
Delays execution with timeout.exe 1 IoCs
pid | Process
6072 | timeout.exe
Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall" | winserv.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | winserv.exe
Modifies registry class 5 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | firefox.exe
Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\MIME\Database | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | firefox.exe
NTFS ADS 3 IoCs
description | ioc | Process
File opened for modification | C:\ProgramData\Setup\winmgmts:\ | smss.exe
File created | C:\Users\Admin\Downloads\unlicense-py3.11-x64.zip:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\smss.exe:Zone.Identifier | firefox.exe
(The two Zone.Identifier streams are the browser's mark-of-the-web on downloads: the sample and an unlicense archive were fetched in Firefox during the run. Only the first row is the sample's own activity.)
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2960 | smss.exe (50 rows)
4264 | winserv.exe (6 rows)
3840 | winserv.exe (4 rows)
5556 | svchost.exe (4 rows)
Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
632 | Process not Found
Suspicious use of AdjustPrivilegeToken 12 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4192 | firefox.exe (3 rows)
Token: SeDebugPrivilege | 4264 | winserv.exe
Token: SeTakeOwnershipPrivilege | 3840 | winserv.exe
Token: SeTcbPrivilege | 3840 | winserv.exe (2 rows)
Token: SeDebugPrivilege | 5476 | RDPWinst.exe
Token: SeAuditPrivilege | 5556 | svchost.exe
Token: SeDebugPrivilege | 592 | firefox.exe (2 rows)
Token: SeDebugPrivilege | 5552 | unlicense.exe
(The rows to pull on are winserv.exe enabling SeTcbPrivilege, i.e. act as part of the operating system, and SeTakeOwnershipPrivilege; the firefox.exe and unlicense.exe rows belong to tooling downloaded during the run, not to the sample.)
Suspicious use of FindShellTrayWindow 12 IoCs
pid | Process
4192 | firefox.exe (7 rows)
592 | firefox.exe (5 rows)
Suspicious use of SendNotifyMessage 10 IoCs
pid | Process
4192 | firefox.exe (6 rows)
592 | firefox.exe (4 rows)
Suspicious use of SetWindowsHookEx 28 IoCs
pid | Process
4192 | firefox.exe (4 rows)
592 | firefox.exe (4 rows)
4264 | winserv.exe (4 rows)
3840 | winserv.exe (4 rows)
1944 | winserv.exe (4 rows)
3304 | winserv.exe (4 rows)
1964 | winserv.exe (4 rows)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1944 wrote to memory of 4192 | 1944 | firefox.exe | 75 (repeated)
PID 1676 wrote to memory of 220 | 1676 | firefox.exe | 77 (repeated)
PID 2960 wrote to memory of 784 | 2960 | smss.exe | 78 (2 rows)
PID 4192 wrote to memory of 4408 | 4192 | firefox.exe | 80 (2 rows)
PID 2960 wrote to memory of 2976 | 2960 | smss.exe | 81 (2 rows)
PID 4192 wrote to memory of 3572 | 4192 | firefox.exe | 83 (repeated)
(64 rows in total; the smss.exe rows are the parent writing into its two schtasks.exe children, the rest is Firefox's own process spawning.)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 2960)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\smss.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\schtasks.exe (PID 784)
        cmdline: "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST
        - Creates scheduled task(s)

    [2] C:\Windows\System32\schtasks.exe (PID 2976)
        cmdline: "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST
        - Creates scheduled task(s)

    Note: one task fires every minute, the other at logon, both at highest run level. The /TR quoting is reproduced as logged; the resulting task starts winserv.exe with the literal argument "Task Service\winserv.exe", which is exactly the command line of the depth-1 winserv.exe (PID 1944) further down.

    [2] C:\ProgramData\Windows Tasks Service\winserv.exe (PID 4264)
        cmdline: "C:\ProgramData\Windows Tasks Service\winserv.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

        [3] C:\ProgramData\Windows Tasks Service\winserv.exe (PID 3840)
            cmdline: "C:\ProgramData\Windows Tasks Service\winserv.exe" -second
            - Executes dropped EXE
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
    [2] C:\Windows\system32\cmd.exe (PID 96)
        cmdline: C:\Windows\system32\cmd.exe /c net user John 12345 /add
        [3] C:\Windows\system32\net.exe (PID 3548)
            cmdline: net user John 12345 /add
            [4] C:\Windows\system32\net1.exe (PID 4660)
                cmdline: C:\Windows\system32\net1 user John 12345 /add

    [2] C:\Windows\system32\cmd.exe (PID 4784)
        cmdline: C:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add
        (Russian localized name of the Administrators group)
        [3] C:\Windows\system32\net.exe (PID 4948)
            cmdline: net localgroup "Администраторы" John /add
            [4] C:\Windows\system32\net1.exe (PID 1868)
                cmdline: C:\Windows\system32\net1 localgroup "Администраторы" John /add

    [2] C:\Windows\system32\cmd.exe (PID 4296)
        cmdline: C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add
        (Russian localized name of the Remote Desktop Users group)
        [3] C:\Windows\system32\net.exe (PID 4660)
            cmdline: net localgroup "Пользователи удаленного рабочего стола" John /add
            [4] C:\Windows\system32\net1.exe (PID 4288)
                cmdline: C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add

    [2] C:\Windows\system32\cmd.exe (PID 912)
        cmdline: C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add
        (Russian localized name of the Remote Management Users group; the command line is reproduced as logged, stray quote included)
        [3] C:\Windows\system32\net.exe (PID 5132)
            cmdline: net localgroup "Пользователи удаленного управления" john /add" John /add
            [4] C:\Windows\system32\net1.exe (PID 5152)
                cmdline: C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add

    [2] C:\Windows\system32\cmd.exe (PID 3348)
        cmdline: C:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add
        [3] C:\Windows\System32\Conhost.exe (PID 96)
            cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        [3] C:\Windows\system32\net.exe (PID 5228)
            cmdline: net localgroup "Administrators" John /add
            [4] C:\Windows\system32\net1.exe (PID 5240)
                cmdline: C:\Windows\system32\net1 localgroup "Administrators" John /add

    [2] C:\Windows\system32\cmd.exe (PID 5184)
        cmdline: C:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add
        (Spanish localized name of the Administrators group)
        [3] C:\Windows\system32\net.exe (PID 5264)
            cmdline: net localgroup "Administradores" John /add
            [4] C:\Windows\system32\net1.exe (PID 5284)
                cmdline: C:\Windows\system32\net1 localgroup "Administradores" John /add

    [2] C:\Windows\system32\cmd.exe (PID 5272)
        cmdline: C:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add
        [3] C:\Windows\system32\net.exe (PID 5332)
            cmdline: net localgroup "Remote Desktop Users" john /add
            [4] C:\Windows\system32\net1.exe (PID 5344)
                cmdline: C:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add
    [2] C:\ProgramData\RDPWinst.exe (PID 5476)
        cmdline: C:\ProgramData\RDPWinst.exe -i
        - Sets DLL path for service in the registry
        - Executes dropped EXE
        - Modifies WinLogon
        - Drops file in Program Files directory
        - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SYSTEM32\netsh.exe (PID 5608)
            cmdline: netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
            - Modifies Windows Firewall

    [2] C:\Program Files\Windows Mail\WinMail.exe (PID 5840)
        cmdline: "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE

    [2] C:\Windows\system32\cmd.exe (PID 344)
        cmdline: C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
        [3] C:\Windows\system32\timeout.exe (PID 6072)
            cmdline: timeout 5
            - Delays execution with timeout.exe
[1] C:\Program Files\Mozilla Firefox\firefox.exe (PID 1944)
    cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Suspicious use of WriteProcessMemory

    [2] C:\Program Files\Mozilla Firefox\firefox.exe (PID 4192)
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe"
        - Checks processor information in registry
        - Modifies registry class
        - NTFS ADS
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Program Files\Mozilla Firefox\firefox.exe (PID 4408)
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4192.0.891998017\453850084" -parentBuildID 20221007134813 -prefsHandle 1676 -prefMapHandle 1664 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b96ebbc-bc3c-430a-9ba4-ad90503bec16} 4192 "\\.\pipe\gecko-crash-server-pipe.4192" 1768 229642d9e58 gpu

        [3] C:\Program Files\Mozilla Firefox\firefox.exe (PID 3572)
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4192.1.847373211\95117555" -parentBuildID 20221007134813 -prefsHandle 2136 -prefMapHandle 2132 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f52a69a-7594-4126-b95e-e49929094ea6} 4192 "\\.\pipe\gecko-crash-server-pipe.4192" 2148 22963a3d158 socket
            - Checks processor information in registry

        [3] C:\Program Files\Mozilla Firefox\firefox.exe (PID 1344)
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4192.2.2097339022\2098682986" -childID 1 -isForBrowser -prefsHandle 2848 -prefMapHandle 2844 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 916 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9cd414d-4472-4abd-bc67-8e3e500c3732} 4192 "\\.\pipe\gecko-crash-server-pipe.4192" 2860 22967b8de58 tab

        [3] C:\Program Files\Mozilla Firefox\firefox.exe (PID 1440)
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4192.3.1042938919\199932139" -childID 2 -isForBrowser -prefsHandle 3604 -prefMapHandle 3600 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 916 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {11ce7d52-9995-421a-b7c3-68e6063baae1} 4192 "\\.\pipe\gecko-crash-server-pipe.4192" 3576 229668c7158 tab

        [3] C:\Program Files\Mozilla Firefox\firefox.exe (PID 4688)
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4192.4.2069378342\1606757774" -childID 3 -isForBrowser -prefsHandle 4128 -prefMapHandle 4124 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 916 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1713ffc7-3894-4e51-a1c0-90a9b97d71af} 4192 "\\.\pipe\gecko-crash-server-pipe.4192" 4132 229696e3758 tab

        [3] C:\Program Files\Mozilla Firefox\firefox.exe (PID 2780)
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4192.5.1026318073\35931150" -childID 4 -isForBrowser -prefsHandle 4884 -prefMapHandle 4880 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 916 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec6fa91c-e81b-44a0-b763-9b0c9efc295b} 4192 "\\.\pipe\gecko-crash-server-pipe.4192" 4892 229664dd858 tab

        [3] C:\Program Files\Mozilla Firefox\firefox.exe (PID 2740)
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4192.6.358449067\1818061579" -childID 5 -isForBrowser -prefsHandle 5028 -prefMapHandle 5032 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 916 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd48ae89-3f92-41c1-92a1-6116aeedc056} 4192 "\\.\pipe\gecko-crash-server-pipe.4192" 5020 229664df058 tab

        [3] C:\Program Files\Mozilla Firefox\firefox.exe (PID 3756)
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4192.7.1201659837\57869003" -childID 6 -isForBrowser -prefsHandle 5212 -prefMapHandle 5216 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 916 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3c048c7-08ba-4d6f-af2b-f6909180f8ac} 4192 "\\.\pipe\gecko-crash-server-pipe.4192" 5204 229664e0858 tab

        [3] C:\Program Files\Mozilla Firefox\firefox.exe (PID 5920)
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4192.8.412785857\853611241" -childID 7 -isForBrowser -prefsHandle 5444 -prefMapHandle 5544 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 916 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5259c172-36f1-42d7-b55f-0e96dca5c7e9} 4192 "\\.\pipe\gecko-crash-server-pipe.4192" 5600 2296daf7a58 tab

        [3] C:\Program Files\Mozilla Firefox\firefox.exe (PID 5484)
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4192.9.1538648067\1094082059" -childID 8 -isForBrowser -prefsHandle 5820 -prefMapHandle 4696 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 916 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {00855260-272b-4c59-9c3e-5466c3cddd8d} 4192 "\\.\pipe\gecko-crash-server-pipe.4192" 5628 2296d83d858 tab

[1] C:\Program Files\Mozilla Firefox\firefox.exe (PID 1676)
    cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Suspicious use of WriteProcessMemory

    [2] C:\Program Files\Mozilla Firefox\firefox.exe (PID 220)
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe"
        - Checks processor information in registry
[1] \??\c:\windows\system32\svchost.exe (PID 5532)
    cmdline: c:\windows\system32\svchost.exe -k networkservice -s TermService

[1] C:\Windows\System32\svchost.exe (PID 5556)
    cmdline: C:\Windows\System32\svchost.exe -k NetworkService -s TermService
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    Note: this is the Remote Desktop service host, the service whose ServiceDll RDPWinst.exe repointed above; it loads a dropped DLL and writes under C:\Program Files\RDP Wrapper, which is the RDP Wrapper hook taking effect.

[1] C:\ProgramData\Windows Tasks Service\winserv.exe (PID 1944)
    cmdline: "C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

[1] C:\Windows\System32\rundll32.exe (PID 5680)
    cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
[1] C:\Program Files\Mozilla Firefox\firefox.exe (PID 4728)
    cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe"

    [2] C:\Program Files\Mozilla Firefox\firefox.exe (PID 592)
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe"
        - Checks processor information in registry
        - Modifies registry class
        - NTFS ADS
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx

        [3] C:\Program Files\Mozilla Firefox\firefox.exe (PID 5252)
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="592.0.1609021875\1011356475" -parentBuildID 20221007134813 -prefsHandle 1608 -prefMapHandle 1596 -prefsLen 21136 -prefMapSize 233583 -appDir "C:\Program Files\Mozilla Firefox\browser" - {76b9a091-e7ba-4d94-8630-c582dffc0dd6} 592 "\\.\pipe\gecko-crash-server-pipe.592" 1684 220590fb958 gpu

        [3] C:\Program Files\Mozilla Firefox\firefox.exe (PID 5124)
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="592.1.372413620\404570080" -parentBuildID 20221007134813 -prefsHandle 1992 -prefMapHandle 1988 -prefsLen 21181 -prefMapSize 233583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff679904-22e3-46f8-92e7-acdeceaf0d15} 592 "\\.\pipe\gecko-crash-server-pipe.592" 2004 22058d38258 socket
            - Checks processor information in registry

        [3] C:\Program Files\Mozilla Firefox\firefox.exe (PID 4432)
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="592.2.1452860768\620112170" -childID 1 -isForBrowser -prefsHandle 2768 -prefMapHandle 2764 -prefsLen 21642 -prefMapSize 233583 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {54d8605c-54a5-4a0f-9d47-0d10a8ee2487} 592 "\\.\pipe\gecko-crash-server-pipe.592" 2780 2205bac6e58 tab

        [3] C:\Program Files\Mozilla Firefox\firefox.exe (PID 2988)
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="592.3.1114421050\2046091764" -childID 2 -isForBrowser -prefsHandle 3436 -prefMapHandle 3432 -prefsLen 26820 -prefMapSize 233583 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4aef76a-1165-4277-963e-13b0bc0f2aea} 592 "\\.\pipe\gecko-crash-server-pipe.592" 3448 2204e161358 tab

        [3] C:\Program Files\Mozilla Firefox\firefox.exe (PID 4268)
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="592.4.773776093\574482133" -childID 3 -isForBrowser -prefsHandle 3828 -prefMapHandle 3824 -prefsLen 26820 -prefMapSize 233583 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1ddb5e7-9dda-4ee1-b1a3-1c89e2dfafc4} 592 "\\.\pipe\gecko-crash-server-pipe.592" 3840 2205ed45258 tab

        [3] C:\Program Files\Mozilla Firefox\firefox.exe (PID 5904)
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="592.5.196178867\664628369" -childID 4 -isForBrowser -prefsHandle 4604 -prefMapHandle 4556 -prefsLen 26820 -prefMapSize 233583 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a13a8d92-ca79-49a8-bf04-c26403dab5e8} 592 "\\.\pipe\gecko-crash-server-pipe.592" 4636 2204e16ae58 tab
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="592.6.73576644\1649176544" -childID 5 -isForBrowser -prefsHandle 4736 -prefMapHandle 4740 -prefsLen 26820 -prefMapSize 233583 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {09217d62-f448-4593-98c9-714673d01de1} 592 "\\.\pipe\gecko-crash-server-pipe.592" 4728 2205f31df58 tab3⤵PID:5924
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="592.7.1741437213\1955617025" -childID 6 -isForBrowser -prefsHandle 4180 -prefMapHandle 4188 -prefsLen 26820 -prefMapSize 233583 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {04ef1578-9431-43b0-ac27-5fd457a9cb21} 592 "\\.\pipe\gecko-crash-server-pipe.592" 4204 2205f31eb58 tab3⤵PID:5940
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="592.8.373722652\2051007061" -childID 7 -isForBrowser -prefsHandle 5244 -prefMapHandle 5240 -prefsLen 26829 -prefMapSize 233583 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4271daff-d7d9-4a5b-a67b-7a440e7704bb} 592 "\\.\pipe\gecko-crash-server-pipe.592" 2556 2205dcbcb58 tab3⤵PID:5156
-
-
-
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3304
-
C:\Users\Admin\Desktop\maltest\unlicense.exe"C:\Users\Admin\Desktop\maltest\unlicense.exe"1⤵PID:5952
-
C:\Users\Admin\Desktop\maltest\unlicense.exe"C:\Users\Admin\Desktop\maltest\unlicense.exe"2⤵
- Loads dropped DLL
PID:4952 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"3⤵PID:4288
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵PID:984
-
C:\Users\Admin\Desktop\maltest\unlicense.exeC:\Users\Admin\Desktop\maltest\unlicense.exe2⤵PID:5860
-
C:\Users\Admin\Desktop\maltest\unlicense.exeC:\Users\Admin\Desktop\maltest\unlicense.exe3⤵
- Loads dropped DLL
PID:4640 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"4⤵PID:5928
-
-
-
-
C:\Users\Admin\Desktop\maltest\unlicense.exeC:\Users\Admin\Desktop\maltest\unlicense.exe C:\Users\Admin\Desktop\maltest\smss.exe2⤵PID:1868
-
C:\Users\Admin\Desktop\maltest\unlicense.exeC:\Users\Admin\Desktop\maltest\unlicense.exe C:\Users\Admin\Desktop\maltest\smss.exe3⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5552 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"4⤵PID:3376
-
-
C:\Users\Admin\Desktop\maltest\smss.exe"C:\Users\Admin\Desktop\maltest\smss.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:340
-
-
-
-
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1964
Network
MITRE ATT&CK Enterprise v15
Persistence
- Account Manipulation (1)
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
- Create or Modify System Process (1)
- Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Account Manipulation (1)
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
- Create or Modify System Process (1)
- Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (1)
- Disable or Modify System Firewall (1)
- Modify Registry (2)
- Virtualization/Sandbox Evasion (1)
Downloads
-
Filesize
1.4MB
MD53288c284561055044c489567fd630ac2
SHA111ffeabbe42159e1365aa82463d8690c845ce7b7
SHA256ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753
SHA512c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02
-
Filesize
2KB
MD5bc909d39981af556d07dc67178f61472
SHA1a4e5b1c5bc746435a5baf11b728e83fb8e654da0
SHA25610cf28ab39bf7ba76b91b043a007006d13d4a661fbcaad3d7820c19407b1e6a8
SHA512acf34884a865cdabfbb9a49b948ccc74fe1e158636b23e2f728c2df6fd2fb7bda0929eeddf4bf58d90b034215dafa5e2c697050c51c2f2259ff77fa02d80f51a
-
Filesize
10.2MB
MD53f4f5a6cb95047fea6102bd7d2226aa9
SHA1fc09dd898b6e7ff546e4a7517a715928fbafc297
SHA25699fd9e75e6241eff30e01c5b59df9e901fb24d12bee89c069cc6158f78b3cc98
SHA512de5c8155f426a4e55953ae85410c7d9ad84f5643c30865fc036d1270310e28754772bd0f3093444a16ef0c1fa3db6c56301746fb5e7f03ce692bfdad0c4fb688
-
Filesize
315B
MD5155557517f00f2afc5400ba9dc25308e
SHA177a53a8ae146cf1ade1c9d55bbd862cbeb6db940
SHA256f00d027b0ed99814846378065b3da90d72d76307d37b7be46f5a480f425a764e
SHA51240baee6e6b22c386886d89172ad7c17605166f992f2d364c68d90b9874ab6f7b85e0accc91e83b4fbd2ae702def365f23542f22f6be7ff2f7949496cc0ba8a32
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F
Filesize11KB
MD5d83a64060ff6efade3970bc3a856e94e
SHA10cb8587af36304fded492ec3ba4dd8700fa6d2b0
SHA25657478a2522eaa62a5274972eacaeaa7143d7bb20ac14194e5609c09e0917b99c
SHA512cd5699ec8eeb5fdb581d811aaf12de3a804bab99cc6575d26bd501d6ff6d4c7f28cf155927d53a8c09670d780cd6b3c798ef4d9e7aab482e8cda79244ea8fe4c
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\startupCache\scriptCache.bin
Filesize7.7MB
MD54416a36e73889beb3d507c29d4d5d845
SHA1d91f344da82582b9f3c510edddb34c682dcaea97
SHA2566a318705585fdcf619dc71ceae61603ca6e195965a4dc0ff6d06e5e3ab924347
SHA512cc11f7729c6bb13afdc71715f4e6987949fd25426eee9427d86b134fc953a6e575547cc2e88ef2ca1a9f7d59e321329abb65ebca45e1cbc9e306698f1c1ba3a1
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\startupCache\urlCache.bin
Filesize3KB
MD50970cd2efcf196597db1786f70d0f569
SHA11da31b2f96518cf5878b434efa3ba57caf186ffc
SHA2568b40d5683a8c45e69e771393e19d81f9dbe41efc4672bdb8d00150ebff631264
SHA512f9c081a5d2c4c04d4634857408041118bc5d0b7f4c340b75b499c89a95dc80e4c4e3c96a1dad0ad7c041253bf9da6307739146f48b482cb8d52ed51fe153dc31
-
Filesize
82KB
MD53859239ced9a45399b967ebce5a6ba23
SHA16f8ff3df90ac833c1eb69208db462cda8ca3f8d6
SHA256a4dd883257a7ace84f96bcc6cd59e22d843d0db080606defae32923fc712c75a
SHA512030e5ce81e36bd55f69d55cbb8385820eb7c1f95342c1a32058f49abeabb485b1c4a30877c07a56c9d909228e45a4196872e14ded4f87adaa8b6ad97463e5c69
-
Filesize
120KB
MD5bd36f7d64660d120c6fb98c8f536d369
SHA16829c9ce6091cb2b085eb3d5469337ac4782f927
SHA256ee543453ac1a2b9b52e80dc66207d3767012ca24ce2b44206804767f37443902
SHA512bd15f6d4492ddbc89fcbadba07fc10aa6698b13030dd301340b5f1b02b74191faf9b3dcf66b72ecf96084656084b531034ea5cadc1dd333ef64afb69a1d1fd56
-
Filesize
155KB
MD5e5abc3a72996f8fde0bcf709e6577d9d
SHA115770bdcd06e171f0b868c803b8cf33a8581edd3
SHA2561796038480754a680f33a4e37c8b5673cc86c49281a287dc0c5cae984d0cb4bb
SHA512b347474dc071f2857e1e16965b43db6518e35915b8168bdeff1ead4dff710a1cc9f04ca0ced23a6de40d717eea375eedb0bf3714daf35de6a77f071db33dfae6
-
Filesize
77KB
MD51eea9568d6fdef29b9963783827f5867
SHA1a17760365094966220661ad87e57efe09cd85b84
SHA25674181072392a3727049ea3681fe9e59516373809ced53e08f6da7c496b76e117
SHA512d9443b70fcdc4d0ea1cb93a88325012d3f99db88c36393a7ded6d04f590e582f7f1640d8b153fe3c5342fa93802a8374f03f6cd37dd40cdbb5ade2e07fad1e09
-
Filesize
1.8MB
MD55327287d65cc9ab041ce96e93d3a6d53
SHA1a57aa09afecf580c301f1a7702dbbb07327cf8a9
SHA25673cdfcec488b39e14993fb32a233de4bc841a394092fcac1deb6ee41e24720ea
SHA51268fc996b4809a762b8d44323a5d023ba8a39580039c748bc310da9878c94fe1685709ab959365ecb26a5ee1a82e65f2eb19344f1f03d4dff48eb87a403a57c20
-
Filesize
38KB
MD50f8e4992ca92baaf54cc0b43aaccce21
SHA1c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA5126e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978
-
Filesize
194KB
MD59c21a5540fc572f75901820cf97245ec
SHA109296f032a50de7b398018f28ee8086da915aebd
SHA2562ff8cd82e7cc255e219e7734498d2dea0c65a5ab29dc8581240d40eb81246045
SHA5124217268db87eec2f0a14b5881edb3fdb8efe7ea27d6dcbee7602ca4997416c1130420f11167dac7e781553f3611409fa37650b7c2b2d09f19dc190b17b410ba5
-
Filesize
65KB
MD5b711598fc3ed0fe4cf2c7f3e0877979e
SHA1299c799e5d697834aa2447d8a313588ab5c5e433
SHA256520169aa6cf49d7ee724d1178de1be0e809e4bdcf671e06f3d422a0dd5fd294a
SHA512b3d59eff5e38cef651c9603971bde77be7231ea8b7bdb444259390a8a9e452e107a0b6cb9cc93e37fd3b40afb2ba9e67217d648bfca52f7cdc4b60c7493b6b84
-
Filesize
5.5MB
MD55a5dd7cad8028097842b0afef45bfbcf
SHA1e247a2e460687c607253949c52ae2801ff35dc4a
SHA256a811c7516f531f1515d10743ae78004dd627eba0dc2d3bc0d2e033b2722043ce
SHA512e6268e4fad2ce3ef16b68298a57498e16f0262bf3531539ad013a66f72df471569f94c6fcc48154b7c3049a3ad15cbfcbb6345dacb4f4ed7d528c74d589c9858
-
Filesize
29KB
MD5c97a587e19227d03a85e90a04d7937f6
SHA1463703cf1cac4e2297b442654fc6169b70cfb9bf
SHA256c4aa9a106381835cfb5f9badfb9d77df74338bc66e69183757a5a3774ccdaccf
SHA51297784363f3b0b794d2f9fd6a2c862d64910c71591006a34eedff989ecca669ac245b3dfe68eaa6da621209a3ab61d36e9118ebb4be4c0e72ce80fab7b43bde12
-
Filesize
987KB
MD56169dac91a2ab01314395d972fc48642
SHA1a8d9df6020668e57b97c01c8fd155a65218018af
SHA256293e867204c66f6ea557da9dfba34501c1b49fde6ba8ca36e8af064508707b4e
SHA5125f42f268426069314c7e9a90ce9ca33e9cd8c1512dcd5cc38d33442aa24dd5c40fa806cc8a2f1c1189acae6a2e680b6e12fb8e79a3c73e38ae21a154be975199
-
Filesize
15.6MB
MD55944c622c546e88ef73e1bf6cd32d483
SHA147c92dd5c0a335da822768a3ad2daa803d442428
SHA2565adbaeb7f15968d266b5efa53b03fcd8bf022f0391fe684d792a4e74e3a6f88b
SHA5122c4f5fc030139a2e48af09eb50d1d55e5d70a5afcb30c7f6daf08556a7ebd9b2c2a77c68e1cd97294f075ac6ca6ae27155aad446bf0a176ba28774e6910b669f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\AlternateServices.txt
Filesize975B
MD512742d49474ecec15da0c380cdad2dca
SHA16644be5091679987bddb50ab097ab3252b8cf299
SHA256e834c56f2095305dedcd6dbbda40b1cc62c1d51b070bb858664325a15e44b155
SHA51246cbee970de6e8c92f24b02dbe04788043bfd78baf26102f27714c3dfd57fa7fc0207e733691ad9b4cd864fd23a80673eb45506a87c642243be8b6485e28e8f0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\SiteSecurityServiceState.txt
Filesize658B
MD5f3f8ac6ad100615d059138142f7973ce
SHA1ca33f6fb37265b88d0e95cf1992faced4b4f3c7b
SHA2569f068baf47e792218c351b2968944edbcc7b31f82e98140701d521dd276bcdc0
SHA5122e20247d04d14049bc084f8c9d8250d5fe0d655e2b4f2f7f56b4f944c139de97c22ea711ada583b4a009071b06bfcfba6aec4643d87240845eade2f177488893
-
Filesize
224KB
MD54b8ff4d6a8e24f42c2824f5c21a4f9ea
SHA19d42bda145b2b186ab0dbc9b910d0fa6c8cdd1fd
SHA25689447784c9b262e7fadcb17fb5c5bfea8218d500f82d533a42a286404c02a198
SHA51247d663900fb3e2f2c140fb3ea8ac138ecafe733bff80c8735cef0664efb4793046648e354fd791628360a5b585c5cfdae4ec2360c4427a7808152a941f5ecc67
-
Filesize
512KB
MD5b408e25dcd89ae78e6cecc67c5660b7a
SHA1880674392d33f929bf9753cf6705945536f5c6d6
SHA2564496be84ba56f21e8b2623089ae2b9edbe993f46e89fdbdecec8b9a4197f3b5e
SHA512bf1eb307676350ffdf4c9da7a3ec98b319493ef01eafa4fc5eb8dfb3fffd9b4fba81c39e46d0effec4d93eea55534d1121fbce7b0cd100b0e7c409fadaeff828
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD58299e063e0ae10b8a5528211061cbc88
SHA133813933a4b16371011cb901d4200de27ddec608
SHA25695e654d17b51b1366a704c8476753b8ab4eedb5f9794c04c404962d6a374b114
SHA512acf78e8606db585fcaa859315332bb8dd77960db3175750aad13b7538f2bea940b3e703ea5706148f90a7a5361bfa19b9b623146fde1119a763de565350cfbe7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\db\data.safe.bin
Filesize15KB
MD511fa867848340f636e773dcee56ff893
SHA13bc00809af34f13653d7793e65e2681f919bbae7
SHA25614e0c28085f08f98a553962877f28436fe984a5c5eb74a8c5c2f866e0cd2361d
SHA512199acd65eda325115e16d6517dff4ed1a5223baaff8249f7cb76f54241f6bc681f6921f4fb2a2cc1cc456e32ae2a0c4037ddd1fa64d1cb9c7c2fc1e9999bb6dd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\events\events
Filesize323B
MD5a7ff2b65723f5e38757d5cfaeb929e38
SHA1a72985ccef467c860db17053a81853afb840fd43
SHA256eee1f6296bb9c3bf2837b820f41cd8afe3a04c3262b84385ed95167751e8f8e4
SHA51299f6cf41540836bd0de8555a1b29e57cd1ff495e85b8e85f5414a06f93b28a2953cce212aa5aaa66025189cd3c7cb5b6ce4ba8bafe942937bb9bbb8bb9c1f280
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\0848148e-d569-48b8-bed8-2e0a96a2ef42
Filesize746B
MD587b8fa630d0b8b6c696c32c136b2a88c
SHA1fa24dd5e8d3957db8871cc2b6de848d71ec99136
SHA25610964b160279ad8aef13edbf8d641b1cfa6231c74a160ce828a9082efd38a5c0
SHA5128f23133fb4f653380b133bb13d9f61df4a5ca3efaad4d49f4187d0689b21db7113c8e131d048ba6a3f54bb1138260a632b8a4beb09952050d2d17ab366c5d228
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\79a3a7f6-0cb3-45b6-82b2-f8d4b3d3e197
Filesize928B
MD5460df402f424e950986391c809415612
SHA130de6e09c6ead5a0b384d7163843160afdee5ce6
SHA256c83bbcd9c08042410e58186b81eeab8d5cf16005ef25d1f95993be4d17b6cdd7
SHA512b4de1d35717f39d0d5e66d77fcfd175eecd0511e499d1aa2269c0b5ba866f5bf9a863c22169564893ac1a6de72d72b1601984139d618e06e528d56bbf5967655
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\adef9982-5810-4b2c-a174-53db788a57d0
Filesize790B
MD52ff7e664e1127aeef13e33430be32a88
SHA16d841707788718ada9d80d17c9ce123d1f95a059
SHA25658695224da767493228f7ffcd81aa3b8a90de3160681a818ed095b37f1e7fe68
SHA51296b5ad43dbacd70039e73c14b78081951f464f0cd197cecdce0e5a80aa31be90e6570aa8ebe77023c1f209c9b2ae80fd4294d9e1dff715b7c17b6d1b635fcdfa
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\d06d3291-541e-4a86-82b3-976f5c57f4e4
Filesize9KB
MD5845b96bae22d4dd6c2d75d8ebfb9d599
SHA1d3901ebcf58e5e57515ee564d37a0230982dbab6
SHA2564c5ae88fe900e343727e018a21f31a56940d6afe43c33d8339f4ec67cdfbe807
SHA51276183d6c238103d5036942178f8f4684ab6a3c6ce4c895e15e4598e1faa1b96b1648754fbe41b60c4a342bb1a07e28325fb62ba815cf2ab2971a12de7b005e75
-
Filesize
5.0MB
MD5315bd8fb62aa78d39d5264a1b6d92ecc
SHA13f21e684fb8d3a7d7d8e1a79c3e9ab1071367d12
SHA256c0dc1e90e41f6c7c0b540491bd7352c54fa0c39b951a3da5f1bd9452b225c994
SHA512f33fa4c873e373544799113f726b6fb9fffcc55cf5a5e1d883fc2838e0faff21b32b5104ff524f6f207e6041c2ed4ad90b971dba133e28a258608ec6edc27d3c
-
Filesize
96KB
MD5c73892ce9271b085ce51f78cd5d4af61
SHA123c72621675eef48fb0507c0fb96d425807fdbcc
SHA256268bc04705eb47832b6cb58cbb67ca717dccd78718263e1e6e415237d1ff117f
SHA5122d3c5b2459078d5545101d6a6868d193ca296403657698f59e1b59c34eaefc7096cfcf5b8e1e123d45f07edc7ba4a1073728300bd1800c040eab48ece08df80e
-
Filesize
5.0MB
MD5a8d15f3bbb1cdb82e5223aca5ccea167
SHA16d4b8d11fc1ada907e63d9e7668bacea451d52ec
SHA256a15833e71833a15633950a5b2f43e21ec09091f9a8f471a6a0ad74689b7eb34e
SHA5124ab5621b8409257a6f5f157dc99ebf06f7837c0a62acb94e8120d0a1105dd9d47d13543c4bc2f9868dc8eb6ba2aef65466ef927177f47f72e019bdd43c9e91b8
-
Filesize
5.0MB
MD55098e394b5f39de5c064bcf7cab1e2c7
SHA1ad0532f42231f7f955d3ab2f26b04f7d4e9facb7
SHA2566719b5e95cc47d127023a9a8afb1c229cd330cf3dc498bf35d65d17183676047
SHA5125ce4476c4fa9d9fbb052cabd90a2e100dde397609ed8fd8058eb1e2c31a44e65fd78f16892f8c95ebe51a1c6eacce884fd2c226cda7e71ef94902f443f4c9a4d
-
Filesize
6KB
MD563c93b7333d22d2e097bb841a901a50c
SHA110fd6ad376eba1e68478806ed935471da26dacae
SHA256b115a0de2c34fc2edf5086b273768d056db9fb622c2e07b3b25b181bc389197a
SHA512040a676fb60d95a72c3dc5f9ab1ab2b48a63d7e52781f8e38b64022c820de5da77b878d5d3c2849e481964598a8fb9932a8c8f6a8d480d329b94458f691d027b
-
Filesize
6KB
MD583176ced4bc09c24b655797b5f39d4f2
SHA19f3149bc3ad20a7eb4d5a028c50236e4f80dd476
SHA2567e4ea9833a98312c84884774a715052356a888f6d7c1b918c2cf9c123340aa17
SHA512d1aac514a88c8e2295ba0c9330fa8e0539a65ecdd46d42af31fd91ac673395afc039ae86b19de8340587dca62878f497f0e1631f7b1a91941eeafed899306554
-
Filesize
6KB
MD503848d4c4dda917c0936671971ebb94c
SHA1bd1c966f69e8e7ec52453c943fe6447fc3c1f371
SHA25613ec82e69e65714c00f2cb5931f66cf883374bfefd8ac1ec1f16a63130c250b4
SHA512eec86ead521ed5e28a093f2672b5078403c86b5086fba6a87da677ee80a32334b75a6d4cc3c6f18d7f4135868bd779b739da7e11db26a86c23e9fdd03ae212bb
-
Filesize
6KB
MD5441c1e2cbd2bcdb62b2147f796d580d1
SHA1bfb9f1c382fc1a6d74b7460dbb689f0e70f29dfb
SHA25631e55c83603a0f722bde01b7dace37a416b774bd7444d8a2770b75c2da87c252
SHA5125300d2fa605bd4a6e3edf238dd39e59e1a54c3709d85d7462ffde83e5edac87254508a758faf4d4c9751570f59cf3a2f40f601509b5c33bcd6214b4743d7d8de
-
Filesize
6KB
MD539cd3dc1e637b3da445888e7de34ac8a
SHA1187f107a9206175a58141d0070e2e89486100a33
SHA25695189d5b3e85627aa5b6cceb310b636d34c8010c0f0c6ab7356ee0e5489c88f6
SHA5121abcfffb51f41a0b130150c328f74ee061391e267bfc23c53aacca0bc6b5e4c69cebc6083d2f21cdfbc12a8241059fa0bdd7032a5c55880ddb2f28669690646e
-
Filesize
6KB
MD5edd1249af4605f0f8f2562be5d65be32
SHA1aff3b620ab64a7f0366a9786453ae96557eff96c
SHA256527b502ef133737fa72d44a0d4e734c70e1ebd7e47e2924294c46cc6e9f5656a
SHA51271aa1ad415b34f92c3101b36b092f48a6d206cfdb826e13a7dd06a44522bad0b3a284983068d97e3a94523c1cebf1a069891e50995fdc503ea7914b29cd66858
-
Filesize
6KB
MD572aedd8ce1195ef383f8bb76d7a1cec1
SHA11562ce9bc9b5a7dad89ade1b0927480e9d8c3eb9
SHA256f76f8a9d75cc4680ba6993d744f0dd97f67e60144526fa1b3245277dfce03b14
SHA512a8feb45bf5c85e9b7fb7dc56daf31ea8b6fe3042d323dd17f3f1d71344583cf4c76227b174656ef55f2ddd8e6c3945559657af7c0dc9f822c73bab785a3c923d
-
Filesize
64KB
MD5deeced8825e857ead7ba3784966be7be
SHA1e72a09807d97d0aeb8baedd537f2489306e25490
SHA256b9f022442a1506e592bf51284091a8a7fe17580b165d07e70c06fd6827343a54
SHA51201d303232d6481af322137b44fef6c2a584f0643c48bab2836f9fe3193207015da7f7514fe338500ae4469651e3d9618293858ae507e722198a249257677099e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionCheckpoints.json
Filesize288B
MD5362985746d24dbb2b166089f30cd1bb7
SHA16520fc33381879a120165ede6a0f8aadf9013d3b
SHA256b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e
SHA5120e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionCheckpoints.json.tmp
Filesize122B
MD599601438ae1349b653fcd00278943f90
SHA18958d05e9362f6f0f3b616f7bfd0aeb5d37967c9
SHA25672d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a
SHA512ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionCheckpoints.json.tmp
Filesize53B
MD5ea8b62857dfdbd3d0be7d7e4a954ec9a
SHA1b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a
SHA256792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da
SHA512076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionCheckpoints.json.tmp
Filesize90B
MD5c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA15942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA25600ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA51271ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionCheckpoints.json.tmp
Filesize259B
MD5e6c20f53d6714067f2b49d0e9ba8030e
SHA1f516dc1084cdd8302b3e7f7167b905e603b6f04f
SHA25650a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092
SHA512462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize3KB
MD55a708f0d0b4c0a4176e545d020089fd9
SHA19c43e6df8bb4c79302c382c3857b53bb5871591b
SHA256ddb032b1bf765f96bf1ab21eb6796ad399cd93a1aff99fa8f2146b043ea19a21
SHA512114ca7bd717b1dbdac74947fc146139241c060e153cab3f51c96e78a967cc0d3913fe82d15117fc682670d7a4fc3b0c3ff2e615d0dcef767a06e7fe0d68bccb3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD53601fb1b195c1a7cba15e56c962f9980
SHA168a68eb50595cf3118b14a12c9bd6c385ae18ce2
SHA25661f1fd10876a636219f0dba4b5bbca361583f9a2a5e53248fba0217e0d158fd2
SHA512630a18e763599cfe3c44f6154ce2f536de2eac82b242c5a83a02ae6340d99f297ead371d174a90924d50a36f86e7d50b9293c1cc842ae6bd4a607475eb32cc8a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD5c04610e69101250b03976637685ef6f5
SHA1e178b88d95cca7ec4e58982e6bdf7cd882a6937f
SHA256af92cb9439064c8f2cd43c6f1b4da6882cc92c9cec940b3e8dfdd29545ec1914
SHA5127cf44f5da83d88ce9047b1a11497a0d979beb505a24030fbd7957cfcf850c98c7933769fec658872c1a777ff5e34cda3f94196c4b7ee207fa77870eb188173d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize8KB
MD55496f1a84277aef992190fd124443389
SHA19684b406773a643ddea74389692309d1b2c8cbc2
SHA256c8ce80111249fa6fb032e71c7f481484e359f7279a47587050efc1945b91f658
SHA51293da2ee7ae46327971915fe05e95f302f40b9036a9a773d1f5b29bec80fa6fbbfc9ad247faeda3b162f4ced2c01886cee31ccea99e0c16b55b8264ebfd041d17
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize3KB
MD5dc3b64065929c679ae5caf080b3d1ff7
SHA137d1a2c82187b05c5f7b8427bfc8054cec2b004e
SHA25692008a524ef717f099708f09eba33e5793d462a19ec3e7a22d20b3b39c8b7394
SHA51239eb03a54a4b3a11f141708e35372d17cc2039abf825102ba29da246d219a0b5a68c4da16b4f34f51d24b423fceadb012ccf003b715120bb2ba0f2dfa1d9276b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD5e92f690c1b8094487a3a5af5c95dbdf6
SHA1dce745e615ddc1c6eacb4dc2711bc38d318bbe39
SHA256edd672d09b71bd07f2ec2e73c2acde36af4bd65c5f99b9b32204bceae5abf540
SHA51209205ac36a871ecc60395afa118428f982449f0a9a4695c4ce1d8a63d186417bb67377014c5f1c53ee4b5e10ddab8638e705feea0acecc9337b0f10643f1cdb6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore.jsonlz4
Filesize4KB
MD5207dba3320e75d146fb9c69aef966bd2
SHA15c0b9855b735d02a1a33bcee049bc355d7aef730
SHA2565174a9e44c0f1b91d8767df613d2362c9d25b81a73ea56ed31d3d98b3df41c7c
SHA512f0fe14f1d11cc7e2c05de74abcc4a4b3f4edaeeb9247582f0d6005c253967ab449d91cd1849fbdee4742d18a0c85ab82004e95c3f0090c2ba979140566bbd18b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore.jsonlz4
Filesize5KB
MD5c91aecf64dc04faf64e76ba523ddc4b7
SHA15fdd61a9cd8c94b385f707bc55e93d029bd701f1
SHA256f64c9a8e06f865a2de92b7328a5782ee1e78061e39b52f11ef56eac3f7c883f3
SHA51205b27bd806969fd54eae3136f2aab0a81d28dd34b978aea3408a635fa9f27430397d489daa08826435e122bc4057bf1c8fc5d9a612473002533b231ed4f66193
-
Filesize
4KB
MD5b3b484057d024120865120e80c1efbe1
SHA1fb7f45b730ab52ad70920767bf5376eccac939ea
SHA256e48e3454cf10090738489254020960b4c0a3e7ecb21f08d9bc9f492f872ef282
SHA512bc97a046368bd7611ccf24fa13031ffe08a46877d5ec8acc1ef1bc06f9548c2edb0a2329ed6ddca54bc636c98b98918d2d53eb25589a0bbaa9e6a6295e9fb752
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\storage\default\https+++github.com\.metadata-v2
Filesize58B
MD5afaddd069e06c15dd5423f0e814eb031
SHA1ee46d32db32801c487ccac03d1531988812c9101
SHA256a5a657d104c2eba3a071a341b414620331a23b211965483081c5c078619937d5
SHA512885331ef7068615ec1f548042cc1b99fb7f1bd680c11b143ac3fbdc4f6560064ff780610bf95fc85dc84a0c807c85c941556a6144f87d8fd3bffe52e59eace9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\storage\default\https+++github.com\ls\usage
Filesize12B
MD5def249406762ebf44f925b70b41c06ea
SHA172a7f52da3a119387557f0b693dd7c96099c399a
SHA2564e1936a2cd72c9161caf1894402ef9996b717df49fc16e8dd4d0eb96290098f2
SHA51201c4261a2736cf2e493870c5add4d74b3668d06af156af82cd5cfc9764709f84a93f463b9de410bd85bd8953c90a59441d6121de2dfb9e20c009c3a14e4f89c0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\storage\default\https+++www.google.com\.metadata-v2
Filesize62B
MD5d73752ab39bcf7140bcfe0531c34f914
SHA13e30ee76c221e71b3f36feb158c6bd2a4f8b8d39
SHA256f6a5c79d8fee70afc8d9fdeab2348012c3b8de1ea514478fc260b9d8c6245762
SHA512d93346b18cfb5931cef7a49b62c16d56a001cb79f6bdfaed8ff96a9d363ef59658f844e18931b59a353cc8f9b980cbbf3228f88ffc463bfb06110e4335874462
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\storage\default\https+++www.google.com\ls\usage
Filesize12B
MD53b193b2b64ad7669c32658e533a41614
SHA171d8bbd6d704e14e2cbe55f304325ca59dea4d22
SHA256cccd07e393373205f4773faaf5357494f0277b29ef481af602f8205ad172e83f
SHA51267bb82f21787b7beca791f45c5c69762ef00166c978292ff55d86d3845ae84a847c1c7e346459eb798e5ecd52b1eeb712e43c07fb580275e96d8234c1d7cdbc0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
Filesize48KB
MD56fa8d0f74d7c7a360b02fded36d9e211
SHA15264c0adb0bfdea975df31507abf31fbe58e0b5f
SHA2568a647c05566e8ec58281be4eb19a6a12f3af8685894097a186d4ec23b0fe94c0
SHA512a17e73f5ae811a0976ccac72867efe7398532dd4539c55f39c121fe5188c5c351e8144e463b5e69a115a0173b56448fd3b60edde1d6b9d4eb40ca396d938db8a
-
Filesize
217B
MD558e240288763218d12bf235d34e5aee2
SHA189135494b57f590011c09668dec3b90d2c5ee9ae
SHA256615f80e71dfde24711e7fefc1b7959f7592c5e5cf9ad0f3aecb4235b93187176
SHA512caed2638902987aead199e73cffb90881bf245bbb616cb38c46b281d4aaaa54dc20a54e9bfe17a8d6e68847394c113fb7606e94b64f44ab0b52bf7846f26e936
-
Filesize
7KB
MD5cf5ae178781a3300ecbc29a6e9386c93
SHA180161973fd0e212b7ef7f950e49bdf36b1c195ab
SHA25610bd9860c74feaf6fb52c6b2683dec65a02cb471b893d017c44a30ab9d5109b6
SHA51256a90b34bbed5b80ef3c39f0c5ff6d6e8577bed476acfffe0d7ddf58166cc81788afed388b951a36dbbc5f84be00c50c54adaf74dd6711c0b8b14517507d6925
-
Filesize
28KB
MD57aae2b9a03ae58a0b2c3470f6576f793
SHA17e5d53e7ed8ac4d4766fa74cc6535657f7b8c9b8
SHA256d0addea51c9505800fae8475789f8bcb9f6fa2072c356bee57f6cb3d9afb5c82
SHA51294cce5334ecc2ba9cb21ebbd555f456da58df7af1c2416f64ccf00447861d97f2d584377a5a17679d2f50f8fbe02f8af63da1f432f735964fcc1a6864d9f48d4
-
Filesize
114KB
MD5461ade40b800ae80a40985594e1ac236
SHA1b3892eef846c044a2b0785d54a432b3e93a968c8
SHA256798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
SHA512421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26
-
Filesize
106KB
MD54585a96cc4eef6aafd5e27ea09147dc6
SHA1489cfff1b19abbec98fda26ac8958005e88dd0cb
SHA256a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736
SHA512d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286