33eee5f66a38fc66f52d7346251d1017d9a02aac7cc4c7a9cb367549d577b886

Analysis

max time kernel
852s
max time network
784s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kav21.3.10.391en_26074.exe
Size

2.6MB
MD5

db7a22234425b05bb4a1f560e112ce24
SHA1

efac3e678234ac987c7f206f9f65b7de283307bb
SHA256

33eee5f66a38fc66f52d7346251d1017d9a02aac7cc4c7a9cb367549d577b886
SHA512

39ab0d09cd0dcb442c4fc12a07da92351f3e12a63307064573722aba02a7d2cce5d5b46dde4d3f158b96b80efb95ddf7f9e6219b979eb501b95051394a948ce8
SSDEEP

49152:u47Nlau3ZHJvDrOV9Gcwb/alTe/iXMNLdcE/EBSDre/2jX8oa:ueNlau3RJOV9GvZbRDe/2zU

Score

7^/10

evasion trojan

Malware Config

Signatures

Executes dropped EXE 7 IoCs

Processes:

node.exenode.exenode.exenode.exenode.exenode.exenode.exe

pid process

468 node.exe
4132 node.exe
6596 node.exe
5520 node.exe
4660 node.exe
6300 node.exe
2376 node.exe
Loads dropped DLL 8 IoCs

Processes:

kav21.3.10.391en_26074.exeMsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exe

pid process

2960 kav21.3.10.391en_26074.exe
3748 MsiExec.exe
3748 MsiExec.exe
2300 MsiExec.exe
2300 MsiExec.exe
2300 MsiExec.exe
64 MsiExec.exe
5584 MsiExec.exe
Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

176 2464 msiexec.exe

pid	process
468	node.exe
4132	node.exe
6596	node.exe
5520	node.exe
4660	node.exe
6300	node.exe
2376	node.exe

flow	pid	process
176	2464	msiexec.exe

Checks for any installed AV software in registry 1 TTPs 45 IoCs

Security Software Discovery

T1518.001

Processes:

kav21.3.10.391en_26074.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Disable Script Debugger	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Use_DlgBox_Colors	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\Main\CSS_Compat	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Expand Alt Text	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Cleanup HTCs	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\International\Scripts	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\Settings	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\International\Scripts\3	kav21.3.10.391en_26074.exe
Key queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\KasperskyLab\IEOverride	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\Main\XMLHTTP	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Move System Caret	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\Main\SmoothScroll	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Q300829	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\Main\DOMStorage	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\Styles	kav21.3.10.391en_26074.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\Main\UseSWRender = "1"	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\RtfConverterFlags	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Anchor Underline	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Play_Animations	kav21.3.10.391en_26074.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\Main	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Print_Background	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\Main\DisableScriptDebuggerIE	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\MenuExt	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\Main\UseHR	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\Main\XDomainRequest	kav21.3.10.391en_26074.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\Main	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Display Inline Images	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Enable AutoImageResize	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\AdvancedOptions\DISAMBIGUATION	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Display Inline Videos	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Show image placeholders	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Disable Diagnostics Mode	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\International	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Play_Background_Sounds	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\Main\JScriptProfileCacheEventDelay	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\Text Scaling	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\Viewport	kav21.3.10.391en_26074.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\KasperskyLab\IEOverride\Main	kav21.3.10.391en_26074.exe
Key queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab	kav21.3.10.391en_26074.exe
Key queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\Main	kav21.3.10.391en_26074.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Enable Browser Extensions = "no"	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\KasperskyLab\IEOverride\Larger Hit Test	kav21.3.10.391en_26074.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

kav21.3.10.391en_26074.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	kav21.3.10.391en_26074.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

636 raw.githubusercontent.com
637 raw.githubusercontent.com
638 raw.githubusercontent.com
639 raw.githubusercontent.com
640 raw.githubusercontent.com

flow	ioc
636	raw.githubusercontent.com
637	raw.githubusercontent.com
638	raw.githubusercontent.com
639	raw.githubusercontent.com
640	raw.githubusercontent.com

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\spdx-correct\node_modules\spdx-expression-parse\parse.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\validate-npm-package-license\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\lifecycle-cmd.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\lib\content\write.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\defaults\test.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\exponential-backoff\dist\jitter\no\no.jitter.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmversion\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\spdx-correct\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-profile.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minimatch\dist\commonjs\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\path-key\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\corepack\dist\npm.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@colors\colors\lib\custom\trap.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@tufjs\models\dist\base.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmexec\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\sign\dist\error.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\generator\cmake.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\satisfies.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\which\node_modules\isexe\dist\mjs\options.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@isaacs\cliui\node_modules\ansi-regex\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\esm\has-magic.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\MSVSToolFile.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\pacote\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@colors\colors\lib\system\supports-colors.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\foreground-child\dist\mjs\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\ansi-regex\license	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\signal-exit\dist\mjs\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\socks\build\common\constants.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\using-npm\logging.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\lib\diff\array.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\lib\log.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\qrcode-terminal\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-access.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\read\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@isaacs\cliui\node_modules\emoji-regex\es2015\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\lib\patch\parse.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\ip-address\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\corepack\shims\yarn	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\profile.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\iconv-lite\encodings\tables\cp950.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\.release-please-manifest.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\cli.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\CONTRIBUTING.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\spdx-expression-parse\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\which\node_modules\isexe\dist\mjs\posix.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-search.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\using-npm\dependency-selectors.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\prune.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\LICENSE-MIT	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmaccess\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\node_modules\lru-cache\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\explain.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-query.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\redact\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\clone\clone.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\lib\find-node-directory.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\promise-retry\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-explain.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\verify\dist\tlog\intoto.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\which\bin\which.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-unpublish.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\redact\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-audit-report\lib\reporters\json.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmteam\LICENSE	msiexec.exe

Drops file in Windows directory 15 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\SourceHash{C46EC983-913A-4416-B426-9F16D3473F1B}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5AB7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7351.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7621.tmp	msiexec.exe
File created	C:\Windows\Installer\e59a476.msi	msiexec.exe
File created	C:\Windows\Installer\e59a474.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI50D2.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5883.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI50A2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e59a474.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\{C46EC983-913A-4416-B426-9F16D3473F1B}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\{C46EC983-913A-4416-B426-9F16D3473F1B}\NodeIcon	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000003d697fb93d0c6eb40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800003d697fb90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809003d697fb9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d3d697fb9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000003d697fb900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe

Modifies registry class 56 IoCs

Processes:

msiexec.exeOpenWith.exeOpenWith.exefirefox.exeOpenWith.exeOpenWith.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\389CE64CA31961444B62F9613D74F3B1\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\.luac	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\鰀䆟縀䆁	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\389CE64CA31961444B62F9613D74F3B1\DocumentationShortcuts	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\389CE64CA31961444B62F9613D74F3B1\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\389CE64CA31961444B62F9613D74F3B1\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\lua_auto_file\shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\lua_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\389CE64CA31961444B62F9613D74F3B1\EnvironmentPathNpmModules = "EnvironmentPath"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\.luac\ = "luac_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\luac_auto_file\shell\edit	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\389CE64CA31961444B62F9613D74F3B1\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\lua_auto_file\shell\edit\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\lua_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\389CE64CA31961444B62F9613D74F3B1\ProductName = "Node.js"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\389CE64CA31961444B62F9613D74F3B1\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\389CE64CA31961444B62F9613D74F3B1\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\389CE64CA31961444B62F9613D74F3B1\SourceList\Net	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\lua_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\389CE64CA31961444B62F9613D74F3B1\PackageCode = "A31AC3227FAAC8A4CB66BF43C80D59DE"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\389CE64CA31961444B62F9613D74F3B1\SourceList\PackageName = "node-v20.13.1-x64.msi"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\luac_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\389CE64CA31961444B62F9613D74F3B1\npm	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\389CE64CA31961444B62F9613D74F3B1\Version = "336396289"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\lua_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\.lua	OpenWith.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\389CE64CA31961444B62F9613D74F3B1\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\389CE64CA31961444B62F9613D74F3B1\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\lua_auto_file\shell\edit	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\luac_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\鰀䆟縀䆁\ = "luac_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\luac_auto_file\shell\edit\command	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\389CE64CA31961444B62F9613D74F3B1\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\389CE64CA31961444B62F9613D74F3B1\NodeRuntime	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\389CE64CA31961444B62F9613D74F3B1\corepack	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\389CE64CA31961444B62F9613D74F3B1\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\.lua\ = "lua_auto_file"	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\389CE64CA31961444B62F9613D74F3B1	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\luac_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\lua_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\luac_auto_file\shell\open	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\389CE64CA31961444B62F9613D74F3B1\EnvironmentPath	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\389CE64CA31961444B62F9613D74F3B1\ProductIcon = "C:\\Windows\\Installer\\{C46EC983-913A-4416-B426-9F16D3473F1B}\\NodeIcon"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\389CE64CA31961444B62F9613D74F3B1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\389CE64CA31961444B62F9613D74F3B1\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\389CE64CA31961444B62F9613D74F3B1\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\luac_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\luac_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\389CE64CA31961444B62F9613D74F3B1	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\389CE64CA31961444B62F9613D74F3B1\Language = "1033"	msiexec.exe

NTFS ADS 2 IoCs

Processes:

firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\Lua-Deobfuscator-main.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\node-v20.13.1-x64.msi:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

kav21.3.10.391en_26074.exemsiexec.exe

pid	process
2960	kav21.3.10.391en_26074.exe
2960	kav21.3.10.391en_26074.exe
2960	kav21.3.10.391en_26074.exe
2960	kav21.3.10.391en_26074.exe
1632	msiexec.exe
1632	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

firefox.exemsiexec.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	4164	firefox.exe
Token: SeDebugPrivilege	4164	firefox.exe
Token: SeDebugPrivilege	4164	firefox.exe
Token: SeDebugPrivilege	4164	firefox.exe
Token: SeDebugPrivilege	4164	firefox.exe
Token: SeDebugPrivilege	4164	firefox.exe
Token: SeDebugPrivilege	4164	firefox.exe
Token: SeShutdownPrivilege	2464	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2464	msiexec.exe
Token: SeSecurityPrivilege	1632	msiexec.exe
Token: SeCreateTokenPrivilege	2464	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2464	msiexec.exe
Token: SeLockMemoryPrivilege	2464	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2464	msiexec.exe
Token: SeMachineAccountPrivilege	2464	msiexec.exe
Token: SeTcbPrivilege	2464	msiexec.exe
Token: SeSecurityPrivilege	2464	msiexec.exe
Token: SeTakeOwnershipPrivilege	2464	msiexec.exe
Token: SeLoadDriverPrivilege	2464	msiexec.exe
Token: SeSystemProfilePrivilege	2464	msiexec.exe
Token: SeSystemtimePrivilege	2464	msiexec.exe
Token: SeProfSingleProcessPrivilege	2464	msiexec.exe
Token: SeIncBasePriorityPrivilege	2464	msiexec.exe
Token: SeCreatePagefilePrivilege	2464	msiexec.exe
Token: SeCreatePermanentPrivilege	2464	msiexec.exe
Token: SeBackupPrivilege	2464	msiexec.exe
Token: SeRestorePrivilege	2464	msiexec.exe
Token: SeShutdownPrivilege	2464	msiexec.exe
Token: SeDebugPrivilege	2464	msiexec.exe
Token: SeAuditPrivilege	2464	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2464	msiexec.exe
Token: SeChangeNotifyPrivilege	2464	msiexec.exe
Token: SeRemoteShutdownPrivilege	2464	msiexec.exe
Token: SeUndockPrivilege	2464	msiexec.exe
Token: SeSyncAgentPrivilege	2464	msiexec.exe
Token: SeEnableDelegationPrivilege	2464	msiexec.exe
Token: SeManageVolumePrivilege	2464	msiexec.exe
Token: SeImpersonatePrivilege	2464	msiexec.exe
Token: SeCreateGlobalPrivilege	2464	msiexec.exe
Token: SeCreateTokenPrivilege	2464	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2464	msiexec.exe
Token: SeLockMemoryPrivilege	2464	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2464	msiexec.exe
Token: SeMachineAccountPrivilege	2464	msiexec.exe
Token: SeTcbPrivilege	2464	msiexec.exe
Token: SeSecurityPrivilege	2464	msiexec.exe
Token: SeTakeOwnershipPrivilege	2464	msiexec.exe
Token: SeLoadDriverPrivilege	2464	msiexec.exe
Token: SeSystemProfilePrivilege	2464	msiexec.exe
Token: SeSystemtimePrivilege	2464	msiexec.exe
Token: SeProfSingleProcessPrivilege	2464	msiexec.exe
Token: SeIncBasePriorityPrivilege	2464	msiexec.exe
Token: SeCreatePagefilePrivilege	2464	msiexec.exe
Token: SeCreatePermanentPrivilege	2464	msiexec.exe
Token: SeBackupPrivilege	2464	msiexec.exe
Token: SeRestorePrivilege	2464	msiexec.exe
Token: SeShutdownPrivilege	2464	msiexec.exe
Token: SeDebugPrivilege	2464	msiexec.exe
Token: SeAuditPrivilege	2464	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2464	msiexec.exe
Token: SeChangeNotifyPrivilege	2464	msiexec.exe
Token: SeRemoteShutdownPrivilege	2464	msiexec.exe
Token: SeUndockPrivilege	2464	msiexec.exe
Token: SeSyncAgentPrivilege	2464	msiexec.exe

Suspicious use of FindShellTrayWindow 21 IoCs

Processes:

firefox.exemsiexec.exe

pid	process
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
2464	msiexec.exe
2464	msiexec.exe
2464	msiexec.exe
4164	firefox.exe
4164	firefox.exe

Suspicious use of SendNotifyMessage 17 IoCs

Processes:

firefox.exe

pid	process
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

kav21.3.10.391en_26074.exefirefox.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exe

pid	process
2960	kav21.3.10.391en_26074.exe
2960	kav21.3.10.391en_26074.exe
2960	kav21.3.10.391en_26074.exe
2960	kav21.3.10.391en_26074.exe
2960	kav21.3.10.391en_26074.exe
2960	kav21.3.10.391en_26074.exe
2960	kav21.3.10.391en_26074.exe
2960	kav21.3.10.391en_26074.exe
2960	kav21.3.10.391en_26074.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
5276	OpenWith.exe
3008	OpenWith.exe
3008	OpenWith.exe
3008	OpenWith.exe
3008	OpenWith.exe
3008	OpenWith.exe
3008	OpenWith.exe
3008	OpenWith.exe
3008	OpenWith.exe
3008	OpenWith.exe
3008	OpenWith.exe
3008	OpenWith.exe
3008	OpenWith.exe
3008	OpenWith.exe
3008	OpenWith.exe
3008	OpenWith.exe
3008	OpenWith.exe
3008	OpenWith.exe
7340	OpenWith.exe
7340	OpenWith.exe
7340	OpenWith.exe
7340	OpenWith.exe
7340	OpenWith.exe
7340	OpenWith.exe
7340	OpenWith.exe
7340	OpenWith.exe
7340	OpenWith.exe
7340	OpenWith.exe
7340	OpenWith.exe
7340	OpenWith.exe
7340	OpenWith.exe
7340	OpenWith.exe
7340	OpenWith.exe
7340	OpenWith.exe
7340	OpenWith.exe
4164	firefox.exe
4164	firefox.exe
4164	firefox.exe
5972	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4792 wrote to memory of 4164	4792	firefox.exe	firefox.exe
PID 4792 wrote to memory of 4164	4792	firefox.exe	firefox.exe
PID 4792 wrote to memory of 4164	4792	firefox.exe	firefox.exe
PID 4792 wrote to memory of 4164	4792	firefox.exe	firefox.exe
PID 4792 wrote to memory of 4164	4792	firefox.exe	firefox.exe
PID 4792 wrote to memory of 4164	4792	firefox.exe	firefox.exe
PID 4792 wrote to memory of 4164	4792	firefox.exe	firefox.exe
PID 4792 wrote to memory of 4164	4792	firefox.exe	firefox.exe
PID 4792 wrote to memory of 4164	4792	firefox.exe	firefox.exe
PID 4792 wrote to memory of 4164	4792	firefox.exe	firefox.exe
PID 4792 wrote to memory of 4164	4792	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 2640	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 4952	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 4952	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 4952	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 4952	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 4952	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 4952	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 4952	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 4952	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 4952	4164	firefox.exe	firefox.exe
PID 4164 wrote to memory of 4952	4164	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe
"C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe"
1⤵
- Loads dropped DLL
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2960

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4792

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4164

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.0.1584062612\1439981968" -parentBuildID 20230214051806 -prefsHandle 1812 -prefMapHandle 1804 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7b82976-81d2-457d-8e13-601813087da2} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 1884 215ef00e058 gpu
3⤵
PID:2640

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.1.292567541\1096144705" -parentBuildID 20230214051806 -prefsHandle 2456 -prefMapHandle 2444 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9b05111-f554-4e48-9caa-c6723ccdf667} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 2468 215e2289f58 socket
3⤵
PID:4952

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.2.1714512174\1266161888" -childID 1 -isForBrowser -prefsHandle 2900 -prefMapHandle 3088 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b2d9d23-dbd9-47d4-bb19-b60ee37fb0c3} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 3108 215f18e3d58 tab
3⤵
PID:1692

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.3.2093186344\1427018900" -childID 2 -isForBrowser -prefsHandle 4008 -prefMapHandle 4004 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7cbf4cc0-452c-460a-a690-b330a3ab5641} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 3680 215f4070858 tab
3⤵
PID:764

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.4.1085164958\761662090" -childID 3 -isForBrowser -prefsHandle 5124 -prefMapHandle 4012 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf40c831-98f3-4aa9-b6bc-927bd468a3af} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 5132 215f6551858 tab
3⤵
PID:3996

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.5.1614039846\89855402" -childID 4 -isForBrowser -prefsHandle 5280 -prefMapHandle 5284 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {00a021fe-d287-4dce-b0de-6793d16174f1} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 5268 215f6553358 tab
3⤵
PID:2560

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.6.264084845\468057284" -childID 5 -isForBrowser -prefsHandle 5556 -prefMapHandle 5552 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c0ecad3-f389-49ec-84b3-16b33fde08a4} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 5564 215f6551b58 tab
3⤵
PID:4892

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.7.2031474632\1849335617" -parentBuildID 20230214051806 -prefsHandle 5868 -prefMapHandle 5876 -prefsLen 27776 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {639a9d6f-b8a7-4f3a-a389-41ad922a45be} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 5860 215ee2bb858 rdd
3⤵
PID:5648

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.8.1101341939\1142041836" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 5932 -prefMapHandle 5928 -prefsLen 27776 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8bd38c9a-4624-423d-b5e1-f03f2b3dd286} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 1520 215ee2bbb58 utility
3⤵
PID:5656

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.9.1129880356\728778849" -childID 6 -isForBrowser -prefsHandle 6272 -prefMapHandle 6276 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e46442e7-0020-4d11-b70b-c49b71e7e33a} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 6284 215f7718b58 tab
3⤵
PID:3752

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.10.1149097760\416911178" -childID 7 -isForBrowser -prefsHandle 6504 -prefMapHandle 6424 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f0ff15d-1608-4d3d-9d7d-b7310bd1f829} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 5892 215ee277558 tab
3⤵
PID:216

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.11.1298712389\1462497608" -childID 8 -isForBrowser -prefsHandle 6900 -prefMapHandle 4676 -prefsLen 28217 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ae456e0-b358-43ff-93a4-380f865d2192} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 6896 215f2612858 tab
3⤵
PID:5524

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.12.2012748632\86078351" -childID 9 -isForBrowser -prefsHandle 7392 -prefMapHandle 7372 -prefsLen 28217 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bbcfb8c-a2d8-449b-8662-0ccd07addcba} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 7408 215e2279658 tab
3⤵
PID:4980

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.13.1418618904\615022692" -childID 10 -isForBrowser -prefsHandle 4276 -prefMapHandle 8052 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {198b0173-ff2e-4b45-b461-45a30e412e34} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 6940 215f2610a58 tab
3⤵
PID:4968

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.14.1836990108\1842284896" -childID 11 -isForBrowser -prefsHandle 8160 -prefMapHandle 8164 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43abd9b8-d724-4639-9075-36ab98f84ae7} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 8068 215f6514758 tab
3⤵
PID:3008

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.15.674018369\1606756005" -childID 12 -isForBrowser -prefsHandle 12148 -prefMapHandle 12152 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5bcebff-9b2e-4166-bb1a-8028a7027b25} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 11564 215fc554658 tab
3⤵
PID:864

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.16.942654076\1466216061" -childID 13 -isForBrowser -prefsHandle 12020 -prefMapHandle 12152 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8238b059-facc-41d8-9f18-ea8d9e2b8eca} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 12008 21600641658 tab
3⤵
PID:5584

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.17.1595648151\1048651494" -childID 14 -isForBrowser -prefsHandle 11980 -prefMapHandle 12008 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71a9aaf7-e171-4dbd-894b-38d9a8a3492d} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 11972 215f7792e58 tab
3⤵
PID:4436

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.18.1263532198\260398942" -childID 15 -isForBrowser -prefsHandle 11212 -prefMapHandle 11204 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af364e91-02a1-46b8-97e7-8a016eab4070} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 11220 21600ae2858 tab
3⤵
PID:4592

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.19.617289228\1262781962" -childID 16 -isForBrowser -prefsHandle 11056 -prefMapHandle 11324 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24ffeb03-cd9e-4a6a-a3f5-db765f010c13} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 11396 21601c63158 tab
3⤵
PID:5024

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.20.457081391\1057767097" -childID 17 -isForBrowser -prefsHandle 11896 -prefMapHandle 11892 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1106b56-240f-4565-9588-9f3e19394ca5} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 8200 21600641658 tab
3⤵
PID:6180

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.21.2143295189\1920998903" -childID 18 -isForBrowser -prefsHandle 11724 -prefMapHandle 11720 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {552471d8-c72b-4ec1-83da-9702f9975a04} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 11812 215f59d1a58 tab
3⤵
PID:6356

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.22.275195338\1128385414" -childID 19 -isForBrowser -prefsHandle 10880 -prefMapHandle 10876 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71000537-41e0-4cc5-9499-be7e6db8ab0f} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 10796 215ff52a558 tab
3⤵
PID:6488

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.23.2001609555\1668613129" -childID 20 -isForBrowser -prefsHandle 10592 -prefMapHandle 10588 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc29223a-f667-44e9-bf24-7a3d3dad11be} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 10756 21601d55d58 tab
3⤵
PID:6624

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.24.341725690\746142010" -childID 21 -isForBrowser -prefsHandle 10516 -prefMapHandle 10512 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d7510e0-7b24-4983-be9f-d467b850e45a} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 10528 21601d55458 tab
3⤵
PID:6760

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.25.1484512732\1143376185" -childID 22 -isForBrowser -prefsHandle 10356 -prefMapHandle 10352 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b75a876-651d-4610-8a0c-f6e286bafb8a} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 10360 215f2614d58 tab
3⤵
PID:6892

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.26.537856267\579048316" -childID 23 -isForBrowser -prefsHandle 10212 -prefMapHandle 10272 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7f55010-02c7-4a9a-8e8b-a83d925bd46d} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 10228 215ffb17258 tab
3⤵
PID:6900

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.27.1241654460\1522997147" -childID 24 -isForBrowser -prefsHandle 10052 -prefMapHandle 10048 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76aa0994-3c23-4c3c-8f74-c8a4a864c5bf} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 9968 215ffb19358 tab
3⤵
PID:6908

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.28.1605526629\103459494" -childID 25 -isForBrowser -prefsHandle 9832 -prefMapHandle 9824 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a918c11-9453-4af4-99c4-27135df1470e} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 9840 215fd0ecb58 tab
3⤵
PID:6916

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.29.2135622029\1066473096" -childID 26 -isForBrowser -prefsHandle 10268 -prefMapHandle 10224 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a567a488-1cd7-48fb-a19c-646085be6aa1} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 11736 215f59d3858 tab
3⤵
PID:2084

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.30.1415149650\606712724" -childID 27 -isForBrowser -prefsHandle 9952 -prefMapHandle 9956 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2ec4190-4935-44e2-ae52-c9ad749d2bd7} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 9536 215f2615c58 tab
3⤵
PID:6632

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.31.1509089339\989875010" -childID 28 -isForBrowser -prefsHandle 9956 -prefMapHandle 9952 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bccc599d-38f8-4090-a83e-993dce11b8e6} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 10068 215faf34e58 tab
3⤵
PID:6736

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.32.2137801975\495726467" -childID 29 -isForBrowser -prefsHandle 10332 -prefMapHandle 10512 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05fe60e5-59a5-4c96-80fb-2cc6f3532f0b} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 11948 215fe273458 tab
3⤵
PID:6456

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.33.839081679\306099404" -childID 30 -isForBrowser -prefsHandle 11328 -prefMapHandle 11980 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {84110ad6-10f6-447e-9c8d-d62bbb875a5f} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 11396 215fe272558 tab
3⤵
PID:6396

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.34.1964175468\237479258" -childID 31 -isForBrowser -prefsHandle 1600 -prefMapHandle 4452 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bca34fc7-78b0-4ca1-b64e-e99499fa9162} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 11360 215fe273758 tab
3⤵
PID:6404

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.35.168166546\438601918" -childID 32 -isForBrowser -prefsHandle 10464 -prefMapHandle 10480 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ff19fc0-27f5-436f-a360-6dcdf96575e0} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 11436 215faf5b558 tab
3⤵
PID:5116

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.36.1158002473\745199537" -childID 33 -isForBrowser -prefsHandle 11272 -prefMapHandle 11288 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5d42020-cf37-48e8-a739-23a698b84549} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 10616 215fe9f9e58 tab
3⤵
PID:3100

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.37.889407250\976044003" -childID 34 -isForBrowser -prefsHandle 10744 -prefMapHandle 10876 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {861bcf66-cac9-446a-bb06-246a211e4628} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 6284 215fdc0eb58 tab
3⤵
PID:4272

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.38.1042337791\526937355" -childID 35 -isForBrowser -prefsHandle 11748 -prefMapHandle 11916 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1eec779-d716-48e2-8c5f-9da4de7df086} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 10984 215fdc11558 tab
3⤵
PID:5888

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.39.1304477051\1591239807" -childID 36 -isForBrowser -prefsHandle 12140 -prefMapHandle 12136 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f19514d-840b-4ee1-af02-9d99a833eaac} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 11160 215ff7be558 tab
3⤵
PID:6256

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.40.908193662\956738853" -childID 37 -isForBrowser -prefsHandle 12128 -prefMapHandle 10812 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9bf28443-b8e1-4093-938e-07a08d15e6bb} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 8088 215ff7bf458 tab
3⤵
PID:5344

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.41.1209696653\1067946704" -childID 38 -isForBrowser -prefsHandle 3592 -prefMapHandle 2780 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1cc5b358-a36e-470e-a67c-d69e553ee6c0} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 6272 215ff7c1e58 tab
3⤵
PID:6640

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.42.1907408426\650871833" -childID 39 -isForBrowser -prefsHandle 9620 -prefMapHandle 9624 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {608d0692-05ca-411f-9ab6-cc6e3404fea0} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 9612 215ff9b2358 tab
3⤵
PID:3004

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.43.1471771820\2133301498" -childID 40 -isForBrowser -prefsHandle 8120 -prefMapHandle 7340 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6522c909-5249-4de4-87e8-17736e4b5a97} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 9432 215fc424358 tab
3⤵
PID:7172

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.44.77647809\1743752883" -childID 41 -isForBrowser -prefsHandle 9660 -prefMapHandle 11444 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {590cf4aa-be1c-41b4-9aff-b984bd99f1c4} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 10488 215fe274658 tab
3⤵
PID:7432

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.45.1986914\1417623451" -childID 42 -isForBrowser -prefsHandle 10248 -prefMapHandle 11376 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4823528b-596c-4cbb-8442-ae7733ab4d7d} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 10228 215f79afc58 tab
3⤵
PID:7904

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.46.1402955402\799091530" -childID 43 -isForBrowser -prefsHandle 8124 -prefMapHandle 10896 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff134b57-a971-474d-8120-003e9820eecc} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 10952 215fc424658 tab
3⤵
PID:7916

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.47.1448374156\1798107872" -childID 44 -isForBrowser -prefsHandle 11924 -prefMapHandle 11932 -prefsLen 31358 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba583d04-25c0-44db-a9fb-b38dcf2dc3df} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 10392 215fe80c258 tab
3⤵
PID:8176

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.48.775410275\891071662" -childID 45 -isForBrowser -prefsHandle 7352 -prefMapHandle 9752 -prefsLen 31429 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eebb2e82-cb62-4ca6-b5c5-4b94987bcc35} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 7440 215f3607d58 tab
3⤵
PID:6316

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.49.1388337749\1512561128" -childID 46 -isForBrowser -prefsHandle 5524 -prefMapHandle 8312 -prefsLen 31429 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c302be1-7741-4bfb-ac5f-19a75e064aae} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 7356 215f2612b58 tab
3⤵
PID:7784

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.50.1578084221\848453987" -childID 47 -isForBrowser -prefsHandle 9752 -prefMapHandle 8148 -prefsLen 31438 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f110d94-01b3-48bb-9be1-c77c1799f05b} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 9992 215ef746158 tab
3⤵
PID:5704

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.51.1431867847\1398962332" -childID 48 -isForBrowser -prefsHandle 12176 -prefMapHandle 8116 -prefsLen 31438 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c958192-1f8c-48e9-b64f-640d720729e9} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 10404 215ee275158 tab
3⤵
PID:7556

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.52.321146265\1601463196" -childID 49 -isForBrowser -prefsHandle 12172 -prefMapHandle 10248 -prefsLen 31438 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5c8c1b5-b90c-4848-8953-bdb091e00208} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 12016 215f22f5058 tab
3⤵
PID:7568

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.53.571306431\1616380715" -childID 50 -isForBrowser -prefsHandle 10304 -prefMapHandle 10364 -prefsLen 31438 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df85abfd-62e9-43c5-b624-ed90679b8867} 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 10408 215f3541f58 tab
3⤵
PID:1028

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4204

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Lua-Deobfuscator-main\run.bat"
1⤵
PID:5928

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\node-v20.13.1-x64.msi"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2464

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding C87C228140AAEE3E9B32FE6BCFA0EAEC C
2⤵
- Loads dropped DLL
PID:3748

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:1876

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 8E79C461AD5951E2ACE3C877C448C2A2
2⤵
- Loads dropped DLL
PID:2300

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 7DD4C82D45067E0454D0B2278173CA07 E Global\MSI0000
2⤵
- Loads dropped DLL
PID:64

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 360E4ACC4182DC374FDA2A3DB0A7E654
2⤵
- Loads dropped DLL
PID:5584

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:5088

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Lua-Deobfuscator-main\run.bat"
1⤵
PID:5500

C:\Program Files\nodejs\node.exe
node index.js
2⤵
- Executes dropped EXE
PID:468

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Lua-Deobfuscator-main\run.bat"
1⤵
PID:3832

C:\Program Files\nodejs\node.exe
node index.js
2⤵
- Executes dropped EXE
PID:4132

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5276

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3008

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Lua-Deobfuscator-main\input.lua
2⤵
PID:3216

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7340

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Lua-Deobfuscator-main\output.luac
2⤵
PID:6932

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Lua-Deobfuscator-main\input.lua
1⤵
PID:6800

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Lua-Deobfuscator-main\run.bat"
1⤵
PID:6364

C:\Program Files\nodejs\node.exe
node index.js
2⤵
- Executes dropped EXE
PID:6596

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Lua-Deobfuscator-main\input.lua
1⤵
PID:6856

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Lua-Deobfuscator-main\run.bat"
1⤵
PID:6344

C:\Program Files\nodejs\node.exe
node index.js
2⤵
- Executes dropped EXE
PID:5520

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x310 0x49c
1⤵
PID:3456

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5972

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Lua-Deobfuscator-main\output.luac
2⤵
PID:3296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:6840

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Lua-Deobfuscator-main\run.bat"
1⤵
PID:6712

C:\Program Files\nodejs\node.exe
node index.js
2⤵
- Executes dropped EXE
PID:4660

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Lua-Deobfuscator-main\output.luac
1⤵
PID:4424

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Lua-Deobfuscator-main\input.lua
1⤵
PID:5536

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Lua-Deobfuscator-main\run.bat"
1⤵
PID:6548

C:\Program Files\nodejs\node.exe
node index.js
2⤵
- Executes dropped EXE
PID:6300

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Lua-Deobfuscator-main\run.bat"
1⤵
PID:7684

C:\Program Files\nodejs\node.exe
node index.js
2⤵
- Executes dropped EXE
PID:2376

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Lua-Deobfuscator-main\input.lua
1⤵
PID:7144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e59a475.rbs

Filesize
827KB

MD5
ec7babb9b6ea6729a42e55f64922d3b6

SHA1
5bb15ba7d7b68896ade6101b7dcd40b1237216c0

SHA256
e706ba7a04fc34a09f9db46a6833d4049900add12e73a1f9f5ddcabb7c73bebc

SHA512
51f8fe4f21259621afdfe0024a6c7852470fabd185e0192294f178e737c3364e81057d1721db4763867331836a1e7de461703f4c68357f285934220e90ecbeca

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\tuf\LICENSE

Filesize
11KB

MD5
dfc1b916d4555a69859202f8bd8ad40c

SHA1
fc22b6ee39814d22e77fe6386c883a58ecac6465

SHA256
7b0ce3425a26fdba501cb13508af096ade77e4036dd2bd8849031ddecf64f7c9

SHA512
1fbe6bb1f60c8932e4dcb927fc8c8131b9c73afd824ecbabc2045e7af07b35a4155a0f8ad3103bf25f192b6d59282bfc927aead3cb7aaeb954e1b6dbd68369fa

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\verify\dist\shared.types.js

Filesize
79B

MD5
24563705cc4bb54fccd88e52bc96c711

SHA1
871fa42907b821246de04785a532297500372fc7

SHA256
ef1f170ad28f2d870a474d2f96ae353d770fff5f20e642cd8f9b6f1d7742df13

SHA512
2ce8d2cf580623358fef5f4f8925d0c9943a657c2503c80048ca789bf16eacdb980bfc8aaaa50101a738e939926fcf2545500484dcad782c700ee206d8c6f9b9

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

Filesize
754B

MD5
d2cf52aa43e18fdc87562d4c1303f46a

SHA1
58fb4a65fffb438630351e7cafd322579817e5e1

SHA256
45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

SHA512
54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\chalk\license

Filesize
1KB

MD5
b862aeb7e1d01452e0f07403591e5a55

SHA1
b8765be74fea9525d978661759be8c11bab5e60e

SHA256
fcf1a18be2e25ba82acf2c59821b030d8ee764e4e201db6ef3c51900d385515f

SHA512
885369fe9b8cb0af1107ee92b52c6a353da7cf75bc86abb622e2b637c81e9c5ffe36b0ac74e11cfb66a7a126b606fe7a27e91f3f4338954c847ed2280af76a5f

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\env-paths\license

Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\gauge\LICENSE.md

Filesize
818B

MD5
2916d8b51a5cc0a350d64389bc07aef6

SHA1
c9d5ac416c1dd7945651bee712dbed4d158d09e1

SHA256
733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

SHA512
508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\ignore-walk\LICENSE

Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmsearch\LICENSE

Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSE

Filesize
802B

MD5
d7c8fab641cd22d2cd30d2999cc77040

SHA1
d293601583b1454ad5415260e4378217d569538e

SHA256
04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

SHA512
278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.js

Filesize
16KB

MD5
bc0c0eeede037aa152345ab1f9774e92

SHA1
56e0f71900f0ef8294e46757ec14c0c11ed31d4e

SHA256
7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

SHA512
5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\package.json

Filesize
1KB

MD5
d116a360376e31950428ed26eae9ffd4

SHA1
192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

SHA256
c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

SHA512
5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\path-scurry\dist\commonjs\package.json

Filesize
28B

MD5
56368b3e2b84dac2c9ed38b5c4329ec2

SHA1
f67c4acef5973c256c47998b20b5165ab7629ed4

SHA256
58b55392b5778941e1e96892a70edc12e2d7bb8541289b237fbddc9926ed51bd

SHA512
d662bff3885118e607079fcbeedb27368589bc0ee89f90b9281723fa08bda65e5a08d9640da188773193c0076ec0a5c92624673a6a961490be163e2553d6f482

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\path-scurry\dist\esm\package.json

Filesize
26B

MD5
2324363c71f28a5b7e946a38dc2d9293

SHA1
7eda542849fb3a4a7b4ba8a7745887adcade1673

SHA256
1bf0e53fc74b05f1aade7451fbac72f1944b067d4229d96bae7a225519a250e4

SHA512
7437cf8f337d2562a4046246fbfcc5e9949f475a1435e94efbc4b6a55880050077d72692cbc3413e0ccd8f36adf9956a6cc633a2adc85fbff6c4aa2b8edac677

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\LICENSE

Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\es2015\index.js

Filesize
17KB

MD5
cf8f16c1aa805000c832f879529c070c

SHA1
54cc4d6c9b462ad2de246e28cd80ed030504353d

SHA256
77f404d608e2a98f2a038a8aa91b83f0a6e3b4937e5de35a8dae0c23aa9ee573

SHA512
a786e51af862470ae46ad085d33281e45795c24897e64b2c4b265302fa9cbfa47b262ec188adbc80d51cfc6ba395b500c0d7f5d343ca4fc2b828eaedba4bd29a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\index.js

Filesize
15KB

MD5
9841536310d4e186a474dfa2acf558cd

SHA1
33fabbcc5e1adbe0528243eafd36e5d876aaecaa

SHA256
5b3c0ac6483d83e6c079f9ffd1c7a18e883a9aaeaedb2d65dd9d5f78153476b9

SHA512
b67680a81bb4b62f959ba66476723eb681614925f556689e4d7240af8216a49f0d994c31381bf6a9489151d14ed8e0d0d4d28b66f02f31188059c9b24aaa3783

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

Filesize
168B

MD5
e75b78589c97a634fbca77f7462627ee

SHA1
9c03da7715cda1c0180dd2f1706933f712c2503a

SHA256
ab843b7a803d4b3a243308ffba462f8b11c3c2fcde43b328d073f25418232421

SHA512
60baf2b415d9ee73ee434faf581f8308ac7bc6d715afdc4a7c9203d6a7e34c7ab51fb5a07185eca5c01bf19098157af50f320eca939178b4b47a59caf6592bbe

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js website.url

Filesize
133B

MD5
35b86e177ab52108bd9fed7425a9e34a

SHA1
76a1f47a10e3ab829f676838147875d75022c70c

SHA256
afaa6c6335bd3db79e46fb9d4d54d893cee9288e6bb4738294806a9751657319

SHA512
3c8047c94b789c8496af3c2502896cef2d348ee31618893b9b71244af667ec291dcb9b840f869eb984624660086db0c848d1846aa601893e6f9955e56da19f62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
5dbd4a4510dcd2c68275980a5b527adc

SHA1
970dda49274c0844685feac3da96d8fa53ab0b2a

SHA256
cf16822789eedcf356166607099331f50f1528c07fc3bec2bd6293e6358a821c

SHA512
1cde6855d97787624d45fd57a30c53f803e7a069d46240f502173e4f090590743b8d295d20407af47e2c29d1367292255d9cc003c5fe87392691560602c9e90a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_0D7BFF9D231ADDC3439B70E4C5E809D4

Filesize
727B

MD5
07e7fd6b0f30dcb393d0c26171dcd82d

SHA1
56114bbd9ac4a688fec1d93af1fed8e96607ff66

SHA256
256e0ce9cd4cf00b24a6d1a931c2929a3d4273a3655e0f392f1d8248c2fabf4e

SHA512
b7fae9a4ee57cc681e1d8fde68f068f0d17c3a15f52580e18b40287ff18a8e61abf1d290eba76119ab043b575be3899e7eebf3781612f5f84be9161065332bfa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
48fdca9ddf6cf9b7aa0526eb071aa5e2

SHA1
22ecfa5a04fc7796164c13b4df6311c9505a3509

SHA256
09494c6a93dcdc374d1c31357320cf7c5321ddcbea14d22104da055d194ca807

SHA512
853c6f8dfff7b87f8de3b991492734ac0cd59bd716351befc73c9e72da200a09d0f6af71650a7697ea0b676d8c410570ca87e1ec9ab853d812571ea8551b2f42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
98b7077f38fd1331c790457f2f2c6cc9

SHA1
5359cca856eb01ad1c538e4d270f8ca14eac1014

SHA256
7d8c45c0402176ee36383eade5d1f42cb5070d598d525a19cc00a38e723f668b

SHA512
83ee528246f8b7e30af1aa0f827c9f5c3aa2987087850ebcfd8937bafee9a4863636c432d44c3838f8363df688d4a1bde43c43f9953034f55fdbd790f0a19482

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_0D7BFF9D231ADDC3439B70E4C5E809D4

Filesize
404B

MD5
2b90d3eaa8a429b2d21803ef7e075e81

SHA1
6800e0b4eee15aca5763cede8c9e6a7c2e86d538

SHA256
adab4c6d339b69d7743c86a71a8062fc00d1d26f2626c58d1858f3e6d055cbb1

SHA512
73259f2c46b7e7d9951e97479e9bafe7807ec5e9f0162e67611e2e2efce3ef6de39efcaf764535ce3517b00f39064b17077f5a1928f116f685b0c43e14682a15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
7a8e72feef651e42ee9bfc4c9281c377

SHA1
6ad72ab57f690d7e52fc67509b304144cecdb6aa

SHA256
d352c1658335647924b4f7f7991032b330b265773d9f5f3c37ba630168f6c70e

SHA512
7ef3993ea417dd0e96f1748954b677301b6e4117fc2dee6dc11ff912bf959101c9be7f6bd0cffe024b9740771310c2b0375aa47b54b95e5fa9848c0be39abcaf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\47kntzet.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
82621cf76c9fc0b462ff9a0112c1b268

SHA1
fd83c04225ac03da50e13073ee7fd1f2504fb678

SHA256
ffffb157d684618a84465580290b1c5e95aff37ff3e567b7d32e3b5347acaae9

SHA512
4c57297e10d2da9745ab11fef65593e3933e8a6bdadf357e6c48e5c681755d8d77259008f6a0f14056c646ba7ee1d2455332011a46977012582606bab9778d02

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\47kntzet.default-release\cache2\doomed\1325

Filesize
40KB

MD5
efbfe851709431f1b3720d1d80040f55

SHA1
36ffd5a962e7e2cb59a198613092fcb81be8fd4f

SHA256
9bba3c0470b7836483b71ae3683f844c3205efb0f8c4161f3bcbfc6e68b15bec

SHA512
b923adf7a04414259ecb6ee2c38aa0c752ee092a14bc093d7449d3a35ce316db3884d440f2cda33d592a610fd7e70ed3838b894e1753a4ad068c8817cb8e7fa2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\47kntzet.default-release\cache2\doomed\15961

Filesize
20KB

MD5
2ef6afc63a04db15fd9df75fc7eb2b82

SHA1
a6fdee098023a323d0092b1847dfbc91e0c34a91

SHA256
948930963ffeb955034b9b78749effc10cbc16053b83dc8f422d7f69f829a5df

SHA512
1630111329a1e77ba5a547b2d1c0e521ed932a4ebb3d319e740d9053441d65c3bdfee00a1126a1d7b09ff4791c87152ead671011d10158a0174f1aa9781730d8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\47kntzet.default-release\cache2\doomed\24945

Filesize
11KB

MD5
d0d267518a77a3551a4f995f1b6d6e7c

SHA1
f5894573002c3722ed2940a3bd9ca1b76465f2a0

SHA256
2fe2125d19059ceac7add90a3771ab7add94e1f8d6ab8bb632548e3f907d98b6

SHA512
9242fb59164ff1d16c745eb1d78dbe02d7ed9105fee567ddd1d964c686216a86168c2e08db3d859cd502cb5b44297d9fb173d68b855f08ac22f127287c0ca025

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\47kntzet.default-release\cache2\entries\1F9D26AE2DDE06F97527B1198D88E6F0F0116739

Filesize
26KB

MD5
c66a41cf18c749477421435aa32be856

SHA1
f94d81d883a253d9c839bf7c6d29a815838bd400

SHA256
d4c0329e5a09ff010aeed5102dd736b583e87004f13810d863bb42ada5f7d9d2

SHA512
64f4d28b221f6c5135436c6dd13a8308e0939196c3d5169a4d3e8b9af04ae598bbb21798f5e2d9c07abc887069f80b38cd4ed032908bdf40c5401b7ac5e5030a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\47kntzet.default-release\cache2\entries\48CF3EED74631A4C4AE8CAC0A7EF91B77FD69DC6

Filesize
192KB

MD5
da1a7fc1c7a8cef35d39b9cba157bff7

SHA1
5fe73be8ec87a325a14685fcc8a4ebda3adefaad

SHA256
3e48fbdf57cfa7b1d3a52c09d202f433da72b73c4f6cfb2348af8b226764e6b7

SHA512
ceafeca7214402b6e12b389179c781c5e64c3c31369d672967c1d7ec578c8648366600ec24ac4962f4e1cbc16c7ca1eefe959cf4bcd3d99f4d824b3e9a324b79

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\47kntzet.default-release\cache2\entries\92A283FE888F559978836244035073FB062EF9F3

Filesize
75KB

MD5
db88c913d0245ae925adbddca281050e

SHA1
723734e5c14f55c804e8b7543294bed3c57ea8ba

SHA256
aa65c0c57713523b1837bf773699216088a13d76f38a31e75e7bf13131648824

SHA512
d2f12740db9f031dd6545276922cb9e04cfb75c5e63a837d035828b920b2c51926c6d927e0a9727b92f1e1654d5f77f13f9173fcc0cc40796921bb915e8921fa

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\47kntzet.default-release\cache2\entries\C1E78A4F3B26266D96FADFC9A320E20A809E979B

Filesize
1.8MB

MD5
c0a1dfca32a53386e9a5fc0600a04147

SHA1
0fa15e1036bbb038bb5e1dba75afc921af933281

SHA256
1ab5067442ccef6b61d6b34beef904ec7586b84e8ab62a3c8e9f8480fdc45598

SHA512
3e3cb7ca77595ed8483cc7e283b1c15c6f153be69bf30c8ae9c3a3fe5a2570baa79cd67f452a13143e3d64596b9edfd90df9e09c2bbcc2ceb168c80a6382c1a0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\47kntzet.default-release\cache2\entries\DCF1EC3CAC2A866C2DE0CB9CCBB772E5F5407A40

Filesize
37KB

MD5
367498babdc3333250614ef707715caa

SHA1
fb2892b77cd71cd96a6e69d62352f3315a732e96

SHA256
fb6c90e92525e42fb58018b30fef78b65f6f4c1a75dfe812cb8eef5cb74dc8cb

SHA512
f01282905d6a491282ee9d2a4d54c3c1e7d28f302a5bae764bfe95ee851e55a5b9254803481ec9d8898e479e99afb4d847be325bc6b6dccc4ec40d6f7be53ec9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\47kntzet.default-release\cache2\entries\E31CF7798ED2D3D7745E3A1EDAC89D9A29F9E07D

Filesize
214KB

MD5
219e99dc18370e0808f4dd294131c6c7

SHA1
134075c5346e0c9b94f0088f2d3e8de3217f0559

SHA256
ed4fc8d7bd7f4d7a17df539164f05c2a0c5e6f62969e1e644916e9e84693d3ee

SHA512
26528ef71f4a5034c5434974fa95a0d107ce0d5367bcf7f088de40a8cd28719d67c825357250dfad71d7c63c6be3a22fb1be229451640afa07ab56b2d3dfd29d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\47kntzet.default-release\cache2\entries\E3F6C3514660D4ED7E2AB7638C28B2CFF285136F

Filesize
259KB

MD5
ddfba390a672981b2b1549300c471acb

SHA1
28d15dbaccf708d510cc8518c33d99ec5ef91ba1

SHA256
6ee6ce3ed2f997f1bbf5dbde61f46151430a78c0d8613f391458809c344eba06

SHA512
54ccdad0137ae633e822b68a79259edeaacfe2f666a22b5b4b06612a6da71defe38edc12eb3072e801c3e1dfbc18d028b61d253663708b7c4fc38062a203b278

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\47kntzet.default-release\cache2\entries\F4EFE37A30D0F14C6AC03FF7949A51CBC2EBC649

Filesize
13KB

MD5
e4a73dc0d285513f743b65b4a04477c7

SHA1
887b90d92bb800e12465bc0ced4652ae094f0d9a

SHA256
6c399331fafaa15c4eb4f2ea6b6a0ff324fb658490470b0df989b3a3677ba632

SHA512
e93a1c460bc525f962e2a41665c287f25b94490187930a675bdbf57ba1df6a02131a1a031286638a5735bf1adc6795e413266df196ad3b3fa204df56ee8d301a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\47kntzet.default-release\thumbnails\90d776f42daa3bb177d8efd7d1e9e46f.png

Filesize
17KB

MD5
ce33258c22185ff2064a5bb704002a07

SHA1
2db8a0717894320e08da3784a61f8c1983b1b39f

SHA256
ce3c1f63bacbc028d038ba87533f143e9b5617c1f937f0b4c6a1003c9dcad21d

SHA512
ce6d1c70a6cf423bea171d09afdef02976cda79f14328a7f2b6872c236055c3533a1436a8cf346e48c5c32a5dbacf7d0631d37f46ab243593ef9311eb0d272dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A863613E871FE118B566CBA9DE9CE50\setup.dll

Filesize
5.1MB

MD5
7c0418acfb24086ede591a7e1d3df7ac

SHA1
9bee27188d04bf44fa2e95a8fcb575497396f2b0

SHA256
d7b6905661d364be51bdb7e8e2ef9832ed0c33f056c4f40368f9ae6c1b4e608a

SHA512
e2c45aad07d5db230c9758fde258ab5589160d81a8723a5d246fe3287fca1a192b162c33f35144a44d16dd655e4a86694acd55c9279a15b795777ede2b14f71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\316368A2-178E-11EF-B865-C6ABD99EEC05\check_new_version.html

Filesize
1KB

MD5
b79ab8145423e4714f4d3623a7913eef

SHA1
0f17053bd76724cb244866c537de47ea6124331a

SHA256
59a439debcea1f039382e258a337031f9878450afbce19a2a52a37783009fafe

SHA512
239663617d89722d8c4187804901436c456444b92655ade83c1fbf04231467693869efdc689123724dcc58d63665efb5dbb2a835fe49144facbea361c8ae9151

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7015.tmp

Filesize
125KB

MD5
80b740c16875916f8214bc702cee3945

SHA1
24a3d644ab5314bc1d3fd51949858a131167989f

SHA256
4f16718152fc3eae6d3c3108a2312fddbee41bbc2a43c6526731e1efd3ec9ce1

SHA512
b9a0aa1a0ea44d295119a64c960866c45bcf97aa554989464b38a8a956d2f17c6cfcb3f8a4ad9392f9e2d0ae27d082db8785c3737a630eef453c123e4a6e1636

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI70F1.tmp

Filesize
390KB

MD5
80bebea11fbe87108b08762a1bbff2cd

SHA1
a7ec111a792fd9a870841be430d130a545613782

SHA256
facf518f88cd67afd959c99c3ba233f78a4fbfe7fd3565489da74a585b55e9d1

SHA512
a760debb2084d801b6381a0e1dcef66080df03a768cc577b20b8472be87ad8477d59c331159555de10182d87340aa68fe1f3f5d0212048fd7692d85f4da656f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
7810e2132ef76fce05fd0bfd55c3154c

SHA1
31c6c8c55884f0759316f37b1007a04029c51270

SHA256
6e4d04aa1b6763a0c91fc79f51c1fd5c7c351c8e5e605adceabe843a59d198d8

SHA512
88ad772d4605f24f2ec145b0f62404d2806381c03a66723996b17246607cda572efe030c44243c3105746eacddf0fe0cb22c1253db7a0fd560449664e0665132

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
db9ecaa3f8833f85a08e0f72089b73f7

SHA1
d97d20833003759722720bd50a383a8d6ae005d8

SHA256
c2d0ce6aa22c582fb40669c8ccdfa497ee200c95c15aa3639ddb8180da860836

SHA512
27fd5e1492214d36f8dda278f20ba345f7a7eabba83ddbc6f6f11feac0c7ad0f63a53f4e2f2852a8a19921a25fa1447d09b6002272bffaf6bb2bf0fc554af094

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
17KB

MD5
f97dd5e8152021af6356830d9693cd87

SHA1
15f04664398ae56537225951b73719e3f1e0363b

SHA256
a012ac4e549a0509e979a9c2b3b49de0e145a69f4bec482455ff9f710d2c8624

SHA512
4e82c3391fda5f15795375c4b66570bedab76f8225a1ac1f2a52e15064681467a09e0ddfd178d51e8216cabc1156a1dbffe3e5579d04a1b23e64ff41a202d58e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
6b6b17c737acc6ffa0e7be66c873151c

SHA1
3180b05fc07fd992eac9a7884397d2e5270c1001

SHA256
17a33aab81217557f376246d2c3c0950ce663cc4381f3de1bb4cb050c27d3567

SHA512
0dfaad9248b831062402408cd82ee2c314d4f9103f45ada034c1ee2f8e92aa38049bdbddafc0949e4175e89c323ffe9c897182c5a5042b78450de4f3106d1312

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
a06f9e19790b8c862a32775c53fc1839

SHA1
448a9a0a7abf84ecb87785f2a2c437c5435f69cc

SHA256
4a69ede232554245c5ac9c3bba1dbdb3e3fe736fe2b970964b4cf33bd4fd0a63

SHA512
69f53277ef0ca5e22414bc97a66a94988d2e8379046ace38a9c93c50cbd57b1b121ea12a819431c213f7dbb29114534c807761318ba65a431e79c7ebb8654164

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
26ba7305083b0e71b1fa749cc0f7f3c7

SHA1
3b9c81ec59be17a46e5984d559a5c67101a8fcf4

SHA256
dae0a2e703eca5783a7e7e2122d3d62a16ca2ed66ab3fe859b7e806a9baa9bcc

SHA512
f750637787bcdaf234ea680ae2bbdb765d210cc936470a1987c9d065cce4501e0dd02011456d267ca75e61ea86209b98fc352e58063f5bb5cce2fba2ab7fdc9b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\datareporting\glean\db\data.safe.bin

Filesize
182B

MD5
7d3d11283370585b060d50a12715851a

SHA1
3a05d9b7daa2d377d95e7a5f3e8e7a8f705938e3

SHA256
86bff840e1bec67b7c91f97f4d37e3a638c5fdc7b56aae210b01745f292347b9

SHA512
a185a956e7105ad5a903d5d0e780df9421cf7b84ef1f83f7e9f3ab81bf683b440f23e55df4bbd52d60e89af467b5fc949bf1faa7810c523b98c7c2361fde010e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\prefs-1.js

Filesize
10KB

MD5
8d943b5468d3b4ec96297136cf876625

SHA1
ac538e1a110e95cf99d5ad9a3f6fb0179125a52b

SHA256
9ee20b97678082e610ee93b53379e2e8c8081faad4c706d8ad3aebd9cc6d4856

SHA512
7777660a9974cee248b41003c03770776eae4d6409122a4febc206c3c59eb685894eae6eb6d47ea65c0e8a90be0e7514da91d3cc171bf64c701fc870e15c3992

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\prefs-1.js

Filesize
6KB

MD5
e9c29f2aaa839064b3e0a2419e87be09

SHA1
bf3c081899378b7eaf80a084a31e5d40ec0e6ebc

SHA256
a1580203d8ba06e6c38d95650e5abe35bfa9406a67a6498cf6b84b8ba5f33247

SHA512
ce92aef0d8af7b5293c9a8e143eda19991d6352883f32fe6c72e9cb4e907391275eaeeb5f1396b9c4053641bdffb720db5eef8977a5914f5f69151d94ad7e36f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\prefs-1.js

Filesize
9KB

MD5
e3b89bf676b03bd4685729585c436198

SHA1
313bc867d7b3148d45597195d114000c83873ff8

SHA256
9149e931d683eaaf2a08b687997e788ef1b7f32c2d6668cd66531b67bc5fdc68

SHA512
3b8328739da06ff9cd4a644bdb47e2f55b33b88a623edbdcf48ca4ff6408d8c28c2ee97064fea1bdd6776c6361914c9959800534634698afb3ec1f3d46812257

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\prefs-1.js

Filesize
7KB

MD5
7eafbff26ab79f099df1e21899d032ba

SHA1
3e4112ee4f1200f696577c3e398e1b4e0e138678

SHA256
65bf05e33a1a3bf0f37ab1f7c3d0f05499d63d39d433a643c4dfc409ea1581ac

SHA512
c4a0d0b0bef04d9ea1f9fee8223afb9f409ebe542ee6924cfb1ed99355fea829372447bb7ca3ab89f8954e3a0ba8902e15da431496504a88c5fe5f4c82216448

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
37b2bb093b68a14ac4ff05ecf65c6ff9

SHA1
99fcd7c3a5b1816f67ff029de463ba33e4f6bd49

SHA256
4db97fa2e3d42212f60a694f936e98a85f25a06a4c0a68c0116722def76eac12

SHA512
cef8e2d1b75aa06dee493bcd8230d02ddd19a0394dc9bffbfac1780c62d233a8d43a8655e5ad82198af433703911b4e7d119e54b7d81f5890c71316d911453f4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
9KB

MD5
6de30dda2c210e70eb9939aa1cf0b612

SHA1
09d47fabfb0244a045aeb3aeb66acf629db3e5dd

SHA256
0bdb39f7f55a4586966bdbb5dcdc4d62d757e5c4809afd5a951089e9b3b9a06c

SHA512
7661e4d3c86d5a15f71f6f4e4d5f4c016a884ee9f8087a4be4b77345d2f3f21f888a531e1064ce74f2ec1cf5f65b641c22e000a2e820d0f4aab21bd7701c1a1b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
12KB

MD5
27c077f5cca367b964614af225974cbf

SHA1
bd09c9ae8d14926546268b18fba1bd89da6b2c0d

SHA256
a368fc59558737b2c45e5ace7362782564e306553513d86e1fd721012aebd702

SHA512
34aeca140214368682a3f1d70a9a78da62852ed2cabf79118656ad5f69876e17193cc46ee5935f25c82b732389afd227b6f367810a3e8c3e828a247d119f83e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
9f4f2bb5860698654d5b882c7f3f1a4c

SHA1
1b71d4f05a1e507a5d03d7b8cce2937a64cc8cec

SHA256
249c90052dde6f60c2e2add461d7c297e2b6cc3fb334e650ab74f24e4d44f089

SHA512
b343742f1e860d11343aafb6bda5770884ff7f2e68055c3a9e6e4ae5ae324b808999ae344daa7e243e28ff9fc3d1c242910118166c08fdbb8f276e4fc0ee55ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
99959aa047d809e3f3606b32eb8d6891

SHA1
fd1041d4f96a6bd64da14100ae29243274d5da61

SHA256
f7eb9537b88490a30afde6508be17818079b5a9bcc2370a5f5e46090fa7f58e1

SHA512
6a59f51388cccefd03166d2dab4123e4340fe67381af5ec5416ec7ecf74a61a9b2971290d6bc4241c37b2f840e202edf823f03b4565860664832482171fc8866

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
12KB

MD5
8e4c45b64791674d58ab0c8b1ebf26fc

SHA1
ce187359c95a661bd7c20a6d0a158ee852d49177

SHA256
29837b7998286c7e05f43034d9c9db93676713d08508774eb98465fcf1755ec2

SHA512
9f2117aba9ff37a95f7bbbe0f1aedfa6c80d9eb41e5c810e12a43c16f894adc3cbcedf272291096cd04e62e4abd5098abd43456ba223ee80d6758cc2a6adbd26

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
249b595b5cf48020d72f946fbbc09675

SHA1
a07c433dbd5af9f8cb3d390a2e2b037b4a12ab7f

SHA256
7662295aeb6e3f4afdcd14c316b1050e0e9dbb2036b597fc7c6d5567517cf69b

SHA512
d2ba94c0d2f1dd8b09b4d16e9c20a641984b03bea313a91cfba7c8264652ba966e7bbca3264b22f35623c83b45a784c6c4c22fd3c650694b2b4db867c12e04cb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
9KB

MD5
dce5ba055d7bc31d6fb6cf85a28ad458

SHA1
4d37551b73bcce76029a69692e8e33eddebb0049

SHA256
2b27b3fad245fab6510e83af018a4625b6841e20bb5fc94883e58c2aa5e9d2a5

SHA512
ad133090c8e4efbe69210a05872fa906ad538b23041b23803128f50343e834c9326a5259d1f30d3a7df9820d0934dd4eb2dd858a4900a53c112e0609fe4a8115

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
13KB

MD5
3085165850009a732d2864b0ffa35348

SHA1
fbacf06909d8cf0e1444fc6ec54e3c77ecc36fa0

SHA256
182e962c5c3f4ed0e8977bac5ece06c21e2c888f245b15198e9f8c5ac0588de1

SHA512
35eb3498bc2c71201023e47142562ac0e766d38eee53f7dbab8b4d2f16aa1e52b1252effdce1d4065349bc0049d3a5bc3dd7039374a5329e59c56ff168af8490

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
14KB

MD5
0fc938cea3f794877ef94d7baa0f96c6

SHA1
b8e57c71ba24bac9e34b527000f7b447784ef370

SHA256
c47485b74dfed86be652aba96f03f56e2d22900820e551265e0d7fcc739056fe

SHA512
839f5503c529f41706a6b8a9d21612192b0d835cb11b50b422f1b56b5712d9e90acdb69c06107146decf93e6b02cedb867b5645ed1e2c4b9fec0776f81721b09

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
33KB

MD5
4878bf7abd92d0d76a93d0ac0f3087ae

SHA1
6bd0f8e7e6f9b2fa004952bef2f8cc8cc785ac89

SHA256
780dd82a3c3772e93930a5312fe4845fc2f293d9bb172f37c3f4a1b13cb095bd

SHA512
8441cb244b9e2a794f3462c4c7f894d5643e5d15cd2af67de1ee718d157f01100610dd33ec0eee9ae1e47c6333f49f53833708b5366b12b63768b631e4a243e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
33KB

MD5
ae69df21121302113eee588cde8811b3

SHA1
ddf3e148d2e4bbc715b9befd4bed7f65cdc84227

SHA256
aa5e90c03b452f6f30d7fe7a9011656689e668d282207e4772e886ecd9b847b2

SHA512
ba490feb3430ad03c2f2433a7fff63557404e470727fdb415250705f6103999e787a0371b1c9f6e8200585d4c9ec5ec137ca749ce5f2c6ff52b298ec439b663c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
12KB

MD5
e2259659113ae82bbe41c732fec87c33

SHA1
7fb05a82e2712cbafd2f0c7fb5e89aded66ae39d

SHA256
7c486984cfe53cb00bcf6218bb249d06d4445243066fb438da50179a320a2da9

SHA512
1fb71f27a4cf0097961c60c9969671a1f623db258e66398ad615da8f494ede7b7fc81934c14afe9804b36a3a30b489ad8076206e6446c5344ff1a6671b48bd35

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
33KB

MD5
d958daacc998defdd5f1442ee02985d3

SHA1
b61f2e9894cf80eee67191dd13fc7ecb86be8703

SHA256
7f00fd13f26e27bbbdd3d3c8d137169bdc0c70613379d37aa79b385c240cb305

SHA512
b6d8ab7e09470d7880af2a21b3614c713ad057493955ef2a0ecb8dc750ee697e972d6c52fc87a179282c26e31fbcca16ade2aeb3debca9ddedc1f6c7ad54a9e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
13KB

MD5
cdac1be259b3193bd5e5454029f0cca9

SHA1
ecc7773b762fb15aa643b735400e30c7e5d462d6

SHA256
35725bdb404253caa124d0e8f1ba71a2caab747c9c834e6d14f1d833a0c86591

SHA512
a6bd448c28f5df908abc26877e2a2a0d431f8bff4ffb813984ab792a3467e64fbfde1178d53fc92d95251d3ce60a141cac68d73eda863f9a5fd1e28f12cccb43

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
33KB

MD5
0dcf4f6d519099e5a139f15cad737645

SHA1
87a814f7862a58db2c2d9ec0f5e9a4629cca3431

SHA256
8b688983d680f080dbf6f6e7efc64df85100bf6d3a913486b628155a9c5d6796

SHA512
6d3cc4107390603d305ddb7da1f805bf1b672585281b83ef62978d7e1c3f72247bd066a07a55717fc4c033d956fc27c2c7291e256df512a551ac8428e3a29990

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
13KB

MD5
745d0f7719fb824b8ed669db1f8f0509

SHA1
bbaae2d928787cc19c163b79c45889e869187401

SHA256
2359450a4cb6df63a80c68c0643845e9ee028b6c179759603aefe8cc13e750a4

SHA512
b0e78192f1539aa468735885cf3b6d5bcd3229e04786654e1daabac2f0d87a67efcf2c1fe67a781cf87d74dab616acaf398dc63f283246714497647723dfa2e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
14KB

MD5
65cabd265e68958f089c3b133336e7ed

SHA1
229c9c1ab8a43d8231a659e20563a90158b29f9b

SHA256
e86ee5ca730769406f6bab68af82166ca984ddaa697b4ce52730c1d3eb7749d1

SHA512
1714f991f58d38411d6d061380d6d1fe76f3476a78f2a2fa78207e95c12dca03aa8e7056016c7efe009e1e834e52891bd12cd33fe4eb819254eba293e0a3182c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
33KB

MD5
9d8dfd0345f1a57c5e7ebc8d7b1a8c53

SHA1
ebd0fb78931c88e5a745a0a11ced8694efa88f04

SHA256
583c45f12e2706779cd1b8491ce6c45d4d4294f43645970ec6bb72696c7fafec

SHA512
0b7149e94cdcc0ba0ee8958c796e7945ba905219c266584012a0944c451308e75a246f51fbed2e1f6953b91ae5b38b30a1ea9bd01122f30ec779d2661cb62bd1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
33KB

MD5
b0f2142bab096e74b61077a38d6d1a0b

SHA1
dc93e55f51fb000076dc6c0c19c9709c22cbd7ad

SHA256
cacc92547493d01f21cbf23dec419cc646a79ca7d8ec06e46fe6f26c4455450e

SHA512
0c20bd529f96723f1b2cc79b080921ecf83a915ab679fc590eca375eb70828537654c71d15d715650eadfd3161cc8b269d14ac3991bdfd153a96d62797a1ddfe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
33KB

MD5
b543607caeab454cabedb1a0bbcb6324

SHA1
b63f1b231081420ef4aecea23ebf3d1439e0f328

SHA256
b9f9e7182fc0b020b284826476096451117e0bacb36cc8512fa3a39eaacf47eb

SHA512
86e004c814b2a9e0b88713b0ebd81b96120a1b6ee1d0bb7bd013cc48001282281f0733d1412b1e68a661adb7cad83fc4c94c25205388ae99c5aa23314a0c81fb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
34KB

MD5
20528590b24a6cf3646b986a88beed46

SHA1
65ddb48ae7d9f48cca42d2d1d58d03604fe650f2

SHA256
4b7a9b8e110fd1d87d0390c002598da8551e6a06260d8231530e1edb37081382

SHA512
c3d500304e481b5d420a3e3d2523bb34888f6ad61b34cb75c05178c03498261c1529ac208d9404d8e81dd02d14fcf85d093c85987f2636f7ba02a67c426b4bac

Download Submit
C:\Users\Admin\Desktop\Lua-Deobfuscator-main\input.lua

Filesize
19KB

MD5
ea16204169fba3055baa20b1bf124330

SHA1
b7a6046ea229c34884888b952ae9c72f905219c6

SHA256
27c8486244880239efa405fda78551b20d35134f306d96f531cefb5dc171540e

SHA512
ba006fb9147d2b6bfc0c5ac016079994cd3ef2e000204097fdf46b9cc003e48a2b660e70e74ee3a24ba97fb42867f88a760a893bfa8a8af31474fa06c4adf0d7

Download Submit
C:\Users\Admin\Desktop\Lua-Deobfuscator-main\input.lua

Filesize
167KB

MD5
29d82a8ee5b34bf5a825ec67f6d45995

SHA1
c91c2587e6472868b991af5b62c295835b88a37f

SHA256
0389fbf3fdc3d365289c689f54227daad48736e3e77153eba5ef1cd86da00fd8

SHA512
b8eb1b6f8f29a82d89f1ce5ee47cd0a5cb4b7a1b5ff69199f9653e911851ffc84af6276c6379af62a1f0c6764333b5234cddefd14a46fc01a32808f5e3aad6bd

Download Submit
C:\Users\Admin\Desktop\Lua-Deobfuscator-main\output.luac

Filesize
28KB

MD5
0ffec8bc254bb0bf25ab9b6a6f1aa157

SHA1
9b2771ea5795868d4fd5c3a5837cc18efc369ab4

SHA256
fddddd5c9f7e5f5335c8e438c157bed067b54ff7ac77de4bc63999f9ebfc0c02

SHA512
1abb2311137491c0568d820f63abdd75ec072814603949c0060e2be50fea9897f9db3bae33df6bd25c7411c5fdce51f28a7bbcd0ec7ea14194b7081a48468769

Download Submit
C:\Users\Admin\Downloads\Lua-Deobfuscator-main.sg3AnrlG.zip.part

Filesize
226KB

MD5
d1df9314bb3423a9016e9b407f4dd0f2

SHA1
058b90e63709377022fdfd7a57ed2924ea0289ab

SHA256
8073d9c793dd9f3293792707392780ba1f24d849d59eb363cb65d16a658ed04f

SHA512
f0fbdff5ec177f4f2387f0920e10893a1c678dc24eec01960fc116c3e100c9d31d102124227144c1f1c365928f64b802235548bf91c768d0425cd973a02ace11

Download Submit
C:\Users\Admin\Downloads\node-v20.13.1-x64.msi

Filesize
25.4MB

MD5
bc3362fb53b8ede3f3ab7182f966027f

SHA1
11e045e3b3389eeac8a1aa6e29a177f391131489

SHA256
695eb534992f0d4aa10ab024aef596664493e19e0e1581c41eefe33050811c52

SHA512
abcab3ae98be016142f58ab61051dd17a23e5a19ada68c6ba0c0e34b1a8bf48e29d38bed0f823ebd9e60856e8f4e7015e02bb96f17c965789b4a1e6b957ec4db

Download Submit
C:\Users\Admin\Downloads\node-v20.8Ug8YGRO.13.1-x64.msi.part

Filesize
176KB

MD5
ee1636177019244334853a57f348a811

SHA1
15355391c607a861e358814f1cf32d318adc03e0

SHA256
702432b0621ac8c36d9a7aec45c63ed436d4ab1ab7c6394e2b19cc68d8f2b20b

SHA512
99900bd185fb8b5f1b53cbaa986ce6dbb39c8254bf44d856bf93894d59f46130ee716dc5ff7c7d3472ff148998b4da175844c6bf8e46a2c6b330bb047a60c8e2

Download Submit
C:\Windows\Installer\MSI7621.tmp

Filesize
341KB

MD5
74528af81c94087506cebcf38eeab4bc

SHA1
20c0ddfa620f9778e9053bd721d8f51c330b5202

SHA256
2650b77afbbc1faacc91e20a08a89fc2756b9db702a8689d3cc92aa163919b34

SHA512
9ce76594f64ea5969fff3becf3ca239b41fc6295bb3abf8e95f04f4209bb5ccddd09c76f69e1d3986a9fe16b4f0628e4a5c51e2d2edf3c60205758c40da04dae

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
1f25ea8d4352c6e656e51c26cc1bd80a

SHA1
f1202983d4868ab909a1ad65d9fde3548e780938

SHA256
a1c103805d73778d2f89f92fccfc8d4166caa77b1b5d29e233f8edce7c4b2b55

SHA512
da4c1553753c83150e83b7ea1050a538c54d4158655f4d8fe67914b1c9c93b1a2ab5ea4fe151c9b7a228d2fe29771c6a26ebf9d85578b948f2937590734a24cd

Download Submit
\??\Volume{b97f693d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{dda4a285-ba7b-449b-8657-32abb4d899b1}_OnDiskSnapshotProp

Filesize
6KB

MD5
88a0e7459c91fc7669ac84159583783b

SHA1
60268ddb390c71130ea16abd3d5abae0509509c5

SHA256
653f4fcb5aa11ea83301a7d21456c26ed70f0401d67d52071701dc4ef82cade0

SHA512
337f987db72e6bc6d10e3fa9b3b9c176050805f3cc1fae85bbc4f3ce93e11a2520aa2ee71f05eb2cc10439693ee494f4b9064d713ba1aa8fdddf11178028f007

Download Submit
memory/2960-1-0x0000000077540000-0x0000000077550000-memory.dmp

Filesize
64KB

Download
memory/2960-0-0x0000000077540000-0x0000000077550000-memory.dmp

Filesize
64KB

Download
memory/2960-2-0x0000000077540000-0x0000000077550000-memory.dmp

Filesize
64KB

Download
memory/2960-3-0x00000000773F2000-0x00000000773F3000-memory.dmp

Filesize
4KB

Download

pid	process
2960	kav21.3.10.391en_26074.exe
3748	MsiExec.exe
3748	MsiExec.exe
2300	MsiExec.exe
2300	MsiExec.exe
2300	MsiExec.exe
64	MsiExec.exe
5584	MsiExec.exe