blackguard | hxxps://github[.]com/Zenwki/The-Big-Malware-Repo

Analysis

max time kernel
147s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
23-05-2024 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Zenwki/The-Big-Malware-Repo

Score

10^/10

blackguard stealer

Malware Config

Extracted

Family

blackguard

http://45.67.230.199/x64/SQLite.Interop.dll

http://45.67.230.199/x86/SQLite.Interop.dll

http://45.67.230.199/

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
2	camo.githubusercontent.com
18	camo.githubusercontent.com
19	raw.githubusercontent.com
27	raw.githubusercontent.com
32	raw.githubusercontent.com

Checks processor information in registry 2 TTPs 34 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\infected_auto_file\shell\open\command	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\.infected	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\NodeSlot = "2"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\.infected\ = "infected_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "3"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\infected_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 = 8c00310000000000b7581344110050524f4752417e310000740009000400efbec5525961b75813442e0000003f0000000000010000000000000000004a0000000000a7013300500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\infected_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\infected_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\infected_auto_file\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 0100000000000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Downloads"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\vbc.exe.infected:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\Downloads\vbc.exe(1).infected:Zone.Identifier	firefox.exe
File opened for modification	C:\Users\Admin\Downloads\gjnvlcxv.exe (1).infected:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\Downloads\gjnvlcxv.exe (1)(1).infected:Zone.Identifier	firefox.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5372	vlc.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2488	msedge.exe
2488	msedge.exe
1032	msedge.exe
1032	msedge.exe
1552	identity_helper.exe
1552	identity_helper.exe
2880	msedge.exe
2880	msedge.exe
1992	msedge.exe
1992	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
5172	msedge.exe
5172	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2064	OpenWith.exe
5372	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	1900	firefox.exe
Token: SeDebugPrivilege	1900	firefox.exe
Token: SeDebugPrivilege	1900	firefox.exe
Token: SeDebugPrivilege	1900	firefox.exe
Token: SeDebugPrivilege	1900	firefox.exe
Token: SeDebugPrivilege	1900	firefox.exe
Token: SeDebugPrivilege	1900	firefox.exe
Token: SeDebugPrivilege	1900	firefox.exe
Token: SeDebugPrivilege	1900	firefox.exe
Token: SeDebugPrivilege	1900	firefox.exe
Token: SeDebugPrivilege	1900	firefox.exe
Token: SeDebugPrivilege	1900	firefox.exe
Token: SeDebugPrivilege	1900	firefox.exe
Token: SeDebugPrivilege	1900	firefox.exe
Token: SeDebugPrivilege	1900	firefox.exe
Token: SeDebugPrivilege	1900	firefox.exe
Token: SeDebugPrivilege	1900	firefox.exe
Token: SeDebugPrivilege	1900	firefox.exe
Token: SeDebugPrivilege	1900	firefox.exe
Token: SeDebugPrivilege	1900	firefox.exe
Token: SeDebugPrivilege	1900	firefox.exe
Token: SeDebugPrivilege	1900	firefox.exe
Token: SeDebugPrivilege	5484	firefox.exe
Token: SeDebugPrivilege	5484	firefox.exe
Token: SeDebugPrivilege	5484	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1900	firefox.exe
1900	firefox.exe
1900	firefox.exe
1900	firefox.exe
5372	vlc.exe
5372	vlc.exe
5372	vlc.exe
5372	vlc.exe
5372	vlc.exe
5372	vlc.exe
5372	vlc.exe
5372	vlc.exe
5372	vlc.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1900	firefox.exe
1900	firefox.exe
1900	firefox.exe
5372	vlc.exe
5372	vlc.exe
5372	vlc.exe
5372	vlc.exe
5372	vlc.exe
5372	vlc.exe
5372	vlc.exe
5372	vlc.exe
5484	firefox.exe
5484	firefox.exe
5484	firefox.exe
5484	firefox.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
2064	OpenWith.exe
2064	OpenWith.exe
2064	OpenWith.exe
2064	OpenWith.exe
2064	OpenWith.exe
2064	OpenWith.exe
2064	OpenWith.exe
2064	OpenWith.exe
2064	OpenWith.exe
2064	OpenWith.exe
2064	OpenWith.exe
2064	OpenWith.exe
2064	OpenWith.exe
2064	OpenWith.exe
2064	OpenWith.exe
2064	OpenWith.exe
2064	OpenWith.exe
1900	firefox.exe
1900	firefox.exe
1900	firefox.exe
1900	firefox.exe
1900	firefox.exe
1900	firefox.exe
1900	firefox.exe
5372	vlc.exe
1900	firefox.exe
1900	firefox.exe
1900	firefox.exe
1900	firefox.exe
1900	firefox.exe
1900	firefox.exe
1900	firefox.exe
5484	firefox.exe
5484	firefox.exe
5484	firefox.exe
5484	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 4008	1032	msedge.exe	80
PID 1032 wrote to memory of 4008	1032	msedge.exe	80
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 4348	1032	msedge.exe	82
PID 1032 wrote to memory of 2488	1032	msedge.exe	83
PID 1032 wrote to memory of 2488	1032	msedge.exe	83
PID 1032 wrote to memory of 2008	1032	msedge.exe	84
PID 1032 wrote to memory of 2008	1032	msedge.exe	84
PID 1032 wrote to memory of 2008	1032	msedge.exe	84
PID 1032 wrote to memory of 2008	1032	msedge.exe	84
PID 1032 wrote to memory of 2008	1032	msedge.exe	84
PID 1032 wrote to memory of 2008	1032	msedge.exe	84
PID 1032 wrote to memory of 2008	1032	msedge.exe	84
PID 1032 wrote to memory of 2008	1032	msedge.exe	84
PID 1032 wrote to memory of 2008	1032	msedge.exe	84
PID 1032 wrote to memory of 2008	1032	msedge.exe	84
PID 1032 wrote to memory of 2008	1032	msedge.exe	84
PID 1032 wrote to memory of 2008	1032	msedge.exe	84
PID 1032 wrote to memory of 2008	1032	msedge.exe	84
PID 1032 wrote to memory of 2008	1032	msedge.exe	84
PID 1032 wrote to memory of 2008	1032	msedge.exe	84
PID 1032 wrote to memory of 2008	1032	msedge.exe	84
PID 1032 wrote to memory of 2008	1032	msedge.exe	84
PID 1032 wrote to memory of 2008	1032	msedge.exe	84
PID 1032 wrote to memory of 2008	1032	msedge.exe	84
PID 1032 wrote to memory of 2008	1032	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Zenwki/The-Big-Malware-Repo
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcd8073cb8,0x7ffcd8073cc8,0x7ffcd8073cd8
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,16415910366454746408,1181750704937534850,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,16415910366454746408,1181750704937534850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,16415910366454746408,1181750704937534850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16415910366454746408,1181750704937534850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16415910366454746408,1181750704937534850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16415910366454746408,1181750704937534850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16415910366454746408,1181750704937534850,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,16415910366454746408,1181750704937534850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3388 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,16415910366454746408,1181750704937534850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5964 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16415910366454746408,1181750704937534850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16415910366454746408,1181750704937534850,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16415910366454746408,1181750704937534850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,16415910366454746408,1181750704937534850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4004 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,16415910366454746408,1181750704937534850,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6756 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16415910366454746408,1181750704937534850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,16415910366454746408,1181750704937534850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5172
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\gjnvlcxv.exe (1).infected"
  2⤵
  PID:1444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\gjnvlcxv.exe (1).infected"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:5484
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5484.0.1796758232\238876842" -parentBuildID 20230214051806 -prefsHandle 1624 -prefMapHandle 1616 -prefsLen 22339 -prefMapSize 235161 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9da77464-70ca-41ce-859d-9a0a6a32b396} 5484 "\\.\pipe\gecko-crash-server-pipe.5484" 1716 16ba632af58 gpu
      4⤵
      PID:1248
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5484.1.1410943715\1410218120" -parentBuildID 20230214051806 -prefsHandle 2188 -prefMapHandle 2184 -prefsLen 22339 -prefMapSize 235161 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {488b82b7-9ad2-4700-a9cc-d222641fd0d3} 5484 "\\.\pipe\gecko-crash-server-pipe.5484" 2208 16b92c89a58 socket
      4⤵
      PID:2936
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5484.2.1930573382\1657489054" -childID 1 -isForBrowser -prefsHandle 3196 -prefMapHandle 3048 -prefsLen 23615 -prefMapSize 235161 -jsInitHandle 1332 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89fa1480-262b-4ed0-b486-1e83b7c8c579} 5484 "\\.\pipe\gecko-crash-server-pipe.5484" 3160 16baa117658 tab
      4⤵
      PID:5792
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5484.3.1095141093\831865789" -childID 2 -isForBrowser -prefsHandle 3444 -prefMapHandle 3440 -prefsLen 28201 -prefMapSize 235161 -jsInitHandle 1332 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f9b8d78-3085-47fb-9aba-39defe2d002d} 5484 "\\.\pipe\gecko-crash-server-pipe.5484" 3452 16baba47c58 tab
      4⤵
      PID:4228
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5484.4.1927612488\419674577" -childID 3 -isForBrowser -prefsHandle 5192 -prefMapHandle 5196 -prefsLen 28201 -prefMapSize 235161 -jsInitHandle 1332 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54cd2ec7-b15a-4051-bdce-c21f8e772264} 5484 "\\.\pipe\gecko-crash-server-pipe.5484" 5212 16baf4b9458 tab
      4⤵
      PID:4640
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5484.5.1662993062\735190238" -childID 4 -isForBrowser -prefsHandle 5408 -prefMapHandle 5404 -prefsLen 28201 -prefMapSize 235161 -jsInitHandle 1332 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e05856f-4407-4838-bacd-cb30525bcfd2} 5484 "\\.\pipe\gecko-crash-server-pipe.5484" 5416 16baf4b9d58 tab
      4⤵
      PID:432
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5484.6.1932602972\1832653771" -childID 5 -isForBrowser -prefsHandle 5152 -prefMapHandle 5132 -prefsLen 28201 -prefMapSize 235161 -jsInitHandle 1332 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df075122-07ec-4a84-bdb8-cfdcbb594387} 5484 "\\.\pipe\gecko-crash-server-pipe.5484" 5172 16baf4ba358 tab
      4⤵
      PID:4888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2724

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2064
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\vbc.exe.infected"
  2⤵
  PID:5000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\vbc.exe.infected
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1900
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.0.727694566\2087248037" -parentBuildID 20230214051806 -prefsHandle 1736 -prefMapHandle 1728 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {10638d62-d1cb-44ff-98ce-5e62539cf262} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 1852 198ffa2fb58 gpu
      4⤵
      PID:1656
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.1.1539112745\1654310755" -parentBuildID 20230214051806 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3764d947-66f7-4c09-9ab5-aca6f3ddf67d} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 2420 198f3189558 socket
      4⤵
      Checks processor information in registry
      PID:956
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.2.599478062\1084030510" -childID 1 -isForBrowser -prefsHandle 3132 -prefMapHandle 3128 -prefsLen 22963 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5eab64b5-63bf-495f-b9ad-7af41c564b1f} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 3000 1988a23b758 tab
      4⤵
      PID:812
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.3.797677182\1515641127" -childID 2 -isForBrowser -prefsHandle 3772 -prefMapHandle 3768 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c707e58e-e569-4ce9-9688-469a170c847c} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 3784 1988c5fb558 tab
      4⤵
      PID:1248
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.4.559915593\839365591" -childID 3 -isForBrowser -prefsHandle 5408 -prefMapHandle 5404 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8dd1e500-35f4-44ce-9547-57c7d923f3db} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 5416 1988db72258 tab
      4⤵
      PID:5676
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.5.1777067653\1473026451" -childID 4 -isForBrowser -prefsHandle 5636 -prefMapHandle 5632 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01b690c9-2406-4e43-a251-6b592e967c09} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 5644 1988f9a5858 tab
      4⤵
      PID:5684
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.6.564430723\483483216" -childID 5 -isForBrowser -prefsHandle 5540 -prefMapHandle 5544 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c5cd423-f28c-444f-aa6e-9a703a918d9b} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 5532 1988f9a6158 tab
      4⤵
      PID:5692

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6108

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\vbc.exe(1).infected"
1⤵
PID:5316
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\vbc.exe(1).infected
  2⤵
  - Checks processor information in registry
  PID:5328

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" C:\Users\Admin\Downloads\vbc.exe(1).infected
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5372

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\vbc.exe(1).infected"
1⤵
PID:5324
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\vbc.exe(1).infected
  2⤵
  - Checks processor information in registry
  PID:5316

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\gjnvlcxv.exe (1)(1).infected"
1⤵
PID:4240
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\gjnvlcxv.exe (1)(1).infected"
  2⤵
  - Checks processor information in registry
  PID:4180

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\gjnvlcxv.exe (1)(1).infected"
1⤵
PID:5180
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\gjnvlcxv.exe (1)(1).infected"
  2⤵
  PID:5172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
046d49efac191159051a8b2dea884f79

SHA1
d0cf8dc3bc6a23bf2395940cefcaad1565234a3a

SHA256
00dfb1705076450a45319666801a3a7032fc672675343434cb3d68baccb8e1f7

SHA512
46961e0f0e4d7f82b4417e4aac4434e86f2130e92b492b53a194255bd3bba0855069524cd645f910754d4d2dbf3f1dc467bcc997f01dc6b1d8d6028e2d957236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d22039bc7833a3a27231b8eb834f70

SHA1
79c4290a2894b0e973d3c4b297fad74ef45607bb

SHA256
402defe561006133623c2a4791b2baf90b92d5708151c2bcac6d02d2771cd3d6

SHA512
c69ee22d8c52a61e59969aa757d58ab4f32492854fc7116975efc7c6174f5d998cc236bbf15bce330d81e39a026b18e29683b6d69c93d21fea6d14e21460a0a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
fb1bacc81c4ce38006296a75454e4dd1

SHA1
2cdbd38efde2c3328b56ffdb5e5f7c079c233c1d

SHA256
a5dd98bd68464f158c2f3a738ec8db5c01882467598ca27ef7729fb538807816

SHA512
9229fa417cb6f3374d04aac1ffcec0e77cce58f8ffe96bad9acee8b410e86bf9ee60a074834b026a53f59f61ccc1bccd2a5b240ca18db3a87d765359ef7444b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
663B

MD5
4a95ed7b17c42b1290289796a4fdf3aa

SHA1
098d91330370d74327b929904045442e5527b3be

SHA256
1cf584504dd8ab330f56e7e8c314536900e78867cb326b4c40351857f93117f9

SHA512
41f216b77103d74483168d154f8bf3100be5f6bf8e5bc1d8d300bbf6bc1a356e6d8f3b3ef1df5fc46f619de4c025d4945c60ce63b9ddbaae8afb3c3bb571c4b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7d9c40310661c0fc264202b112f1e52a

SHA1
da09397f80f381994468f5f529d1673ec6273812

SHA256
b57875bfca365d3cdbd7d1058a2ba7bfe9dbbed7b27bb25157f968e40ac9597e

SHA512
516c7e20166cba50857b15c655f480e9966d85a4ca04babcc27d9388e474fdfa46facb5a451b29d16a8a3dfd9de4d6cf24e5e1d1606573ecd80db184a4878003

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6121ffa03f95688a4ecf9aab5acf7475

SHA1
063b86e6459f5555978b58f11e029eb72be28ee2

SHA256
334ae0dba3c7f39823e0d9986b705ca947e10e2c1372807585fdd2845ea51674

SHA512
c1bb93bb4448551b1ba4f8cf4b172ff78edf32ffd295a916bd0162c3d2eb3e09ad5b9f2724f03478f0ea56a65e59c2d4c060c5b9cddcd60d7a99a850d41e4d44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
104d3226d1daa7c2b817989ee946ded1

SHA1
116fedf77050f48c9c09b44ce6b243bacc884ac8

SHA256
f9723f871f4ebf871bba66877815837dc88fbde79ed13362e8c882bdeca5e8c7

SHA512
17f6a77b9201731b66df7a5a34fcbf13dfdaf68d2bddfc5709143fad76306543d6c128920b33ebea72eeaaee5f0931ed174bd76b76a293d5d5481374c191f4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b2dcc5c3898154c72f289f065c0d32d7

SHA1
b10f360a8254efef851c69ec5be98842e86c26fa

SHA256
859a3f36713a2ffd84882d132c16fe3c642cf19a5b5c2e1e2e44fe5c49fd6570

SHA512
77943b957fa6e6aab230e306e224e8a9e549ef02d45352ca3a948bf5d009ee8cd2d0f171475a879c1a18b0a03462aa09f134fa43fb90e8839c6d92b243f9386c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b70b5d330fd3aba1381ec088d53bf493

SHA1
50967ca9e3f1be515723661c0f264b3dea24e6c0

SHA256
31ae0295149af3eba45fe6721ef8a8d24529d1cf24cdcb8ebf6ed9b8d546b8a8

SHA512
a8bd670259799beb62dc70a58c2a336cbdb586a289184e0660a7d4bc5273ad7291aa69c3a85beb29e659469fea1c38a46faa220e5f1cfa245e58a898e24df13a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f6d50e3d57732a99826da8034a9f4af8

SHA1
da1c2e12d6d442b0bb81968b0c5a0dd0a8dffa46

SHA256
4e424c1c37ca7001c47e32a91e4da442f6422c493b3bfb9b5193e7bcfaf645e7

SHA512
129400505315364c863d7a15329fc4044955b0af208eae84f6f46f2c775f05379277a24dc9f58eae4c3065cde8f33ffdba1098b762e5a9c718a7cfe39f567786

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3be458818af8cbea833a487b3561db7f

SHA1
62048bdbf2312ea60c6209e85522e8fba56826d6

SHA256
bf57e3d002d57764174ce1ebdfcf2ee2baedff635bf6955b7181170c2b057316

SHA512
2fae6396326b96d54048cd46b80fec1a6fa9797f82f0d35a16d5ec30b72584cac1cbcdb2f7b493621f1f10bf2ac7e5a4eb3b0b673f503cb0f47d84fc615ef399

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c532d8736626f0f9478e7190af19a873

SHA1
4414ea7df1d3bbaf53f10673d2ca1e87326fc159

SHA256
a72c84ec43f81df7d55fc52a5cdead8ac87653d755a484c3bfd2424da18a9511

SHA512
52ae7658fcd8f58c9debf48d7126dcd4913e0d6c4911e8c21adf08f4c549ef7a3fc3a12e35111dd0772e0099a03fc198bd34f21595854247ea06ded205431427

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57be2f.TMP

Filesize
538B

MD5
0afc4a1ce398da71f10516c8dbc1668a

SHA1
a2915ea26272ce26722b3d134b5c86ee04c100b6

SHA256
3cf991ee9934555f7e66742336de308993f65d415a2cd7a0645f9dbe657d6b25

SHA512
ae04808f48843f2a67b751f47efd1fbfd9df42e23cf5deec7bc1c5bb1ed98d91bd1a00e4b4450565297a4cf3fce01fbd0127957bcef2c982903569c385dc22ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d830bcdd5065b453b5b76eb009ac9bc0

SHA1
7ce924407c449e8c6936e350f338620242b4c489

SHA256
1c0e178e99188dfe0c0aab96caca2f0ed2e25db7594560f89958053e3d3e8d5e

SHA512
704fe35bf08364db7f4f12c3dcba80b8ba99889865d7b2284b8ca5920e2653478e070cb0010889de61a3593c6dd82921ee30c99cff3a7307fcd54a9da87b444a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
f9faebfd323cc516bb3a9f669542ae43

SHA1
77af2986d93f12e9a5da6c980a27de5b18227110

SHA256
f1b5bd11811c1988ef29d871b75cce1d1410489ebae72984ae192b9cfc320ec9

SHA512
dee030854e0d3632679258c29cb7740e63ae77cc194fa1e020702f7b6ded8851d8d0fe357784cd626add2c68a1a41d1d643466660db3302e7ec8731ec78211b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
78408966411ecfe491cfadc96d0d2f19

SHA1
829f26c9e56f387ce0326334a42d092e8be23876

SHA256
e5efbe8d1b466e7e9e707c07259688096f70fdf7802ea8aaf2c93fee52382ecf

SHA512
b16acc0c75f2355185035adf309550865cad2b7105fe648e0f231c002c04bb2bddd44b24ce5673491a5be9541364fb4e5817bed328672b68f3e708401b73b3e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
01333e516cb47ae90e5c6d7855f0a79b

SHA1
effbfa6363bc671a9c2b3bf33c2787664bc65a3d

SHA256
8b849d060e4c2ecd7956816c919b50ccbe9fb97d0b307e92514a265a4d99534d

SHA512
044537edb55e179c9cd4013ac40ebd7beb1e838995c647af3b4ce3f3647616a6c3abe22a1fd6026fcc812984c713e58dd2a8b6a1eca39ca42bf82153a1a9073a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3qvsz39p.default-release\activity-stream.discovery_stream.json.tmp

Filesize
24KB

MD5
c5fc5eb47c02f84d098457ff3d6742da

SHA1
b4731eac77684229847915dd05700dff1cfcef90

SHA256
6429eb8c054df5c0d7ad0d0a792258aa91c47990888507386ece12ac2f0736fe

SHA512
4a824c889d214b8092c23af85a97ed51dea89acf435181bc34d11ff3c386ea13dd6ed604b62f804ccf3f8acf43f731231b9cca9774a248743732c48f4dcd2660

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3qvsz39p.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495

Filesize
9KB

MD5
58eb73b32362e05ce26506075fbad8f3

SHA1
ab2baaf6b3fad7d61d9963bfc817613cf29214a0

SHA256
4fad08bc30b3ab6ec134bc35b52f0ba8872f99c5cba2aa174f70a459bec79a98

SHA512
18b0aadf6a972e0cba9575b2f75b8a2fbbeab7629b23208c563d8581a3600878daf8d0bc4cd0cec7cc195c67091efe24d49b9b5a6da509ac98bb736576516de1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3qvsz39p.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
11KB

MD5
88e753c9d846bb031a274f830a68bdd3

SHA1
6899da2128449e28d456e2fa550f97daaccba554

SHA256
f3bf0c56684c65d2477afa19adc4f55528f963b7a13947f79d5c89b70c6d037e

SHA512
a2f6e58d250ce3e0a25ff42bcaf2d031109be5c0590c9f0fa6fb46f6ffa4086852b88417cae28504cb56b92f09821a5d4bc187f62f6bf5d2c6feddafd1f3fbfc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3qvsz39p.default-release\cache2\entries\CC9AFF3BE02AD27708D587AE49B3DC68644172BA

Filesize
13KB

MD5
aa2dcf7d563fd03afca08d1e816878fc

SHA1
9dfa85eede8a8304af1b06250e5fa0c471b75705

SHA256
649dcdb9390633e4935e1e2ccaa151d3e3f193db8f8f4200b2c810b38c196011

SHA512
2ca3f9ff04701f46e420131e756caf8dc8c01ca44e8dcea9f12b2740d30bc6e24d0ec0d820aa129e3de6eeffe58ff01dbe806230ff1756b88c794763a8153fd9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3qvsz39p.default-release\startupCache\scriptCache-child.bin

Filesize
490KB

MD5
1f030b7e64a9890f187a28b19df12c37

SHA1
f7f847f936b799f059d9a9c0e241bb58a914e577

SHA256
28b67443d960d02d35058db05ac5bc8ce805bd82a803331dbc890ac0371d514b

SHA512
d219c356dde0e03f00e5916c024b140eadb65bd00e6f0c3279c8ed368e9bb434e4ac4c6f1f96bbe2b3567630e3042ec3c9186b3062d34ed9c45378e4cf7b893b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3qvsz39p.default-release\startupCache\scriptCache.bin

Filesize
8.2MB

MD5
24ba056fcf47b690dd6574f8828f675b

SHA1
61323d0ac3645642535969a30970ca5b6baca973

SHA256
760daf4ed6e8ef22b47a2920bd54d938e0bc2483808744797ea96335003b9a75

SHA512
cbdf49c7cf38fc48db7ffaf1ffbe33f42108202e6cf6247efff17d07aab5bebd824c7893d56239c3ee318577fa42864d2e66b5c4874624d302b702573f196d63

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3qvsz39p.default-release\startupCache\urlCache.bin

Filesize
2KB

MD5
b3f7f46665413033681f6ca58e83507f

SHA1
6f543e77ccefae22464a42b03b6bab0f4a064194

SHA256
b7bb1dd0d994677a1c6cbb271896352dddd94e80fbdeaa7a5f6f7b4d1b7601f8

SHA512
b1dac354bb851eef9744a7e052b5613609033c064f906171c29aeff03823c97aab9570b373538ebfb82ea533dc9a69ae348940401b0e8b64537b963c9eb42fab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qvsz39p.default-release\AlternateServices.txt

Filesize
453B

MD5
afc83360439b4bd3bd5a4ee0973d93db

SHA1
ff95801d5bd17e522c41ba448cb97a25a807526b

SHA256
bf1ed87832ae26a4edf1d302c2346adc31fa2fb21a5ce21fcc1aebdfac2f7c28

SHA512
9e8848c1a4208465e619067c226e3c6ed5ee96b7e4951519436454b372e912f09afa398f347a735327de7fd40a5920f203277744a47932bc357258c136b3e83d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qvsz39p.default-release\SiteSecurityServiceState.txt

Filesize
264B

MD5
b57a9c0c6d77bb4a91ab3448c797b66f

SHA1
965bb52b39160ccb258c1df69c69836fd535b4d6

SHA256
87a8dac6dbbf91d9acd2e427141db3a66e409b8e4fe773d0d3df13613ae38604

SHA512
009d681180d7d2a0234a5a40af54e18bf37471f1805ff81574accc32993720309ca6b792745f5d55d03667c38d0a895322a4e2245d051d622aaaf97fe3ad08b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qvsz39p.default-release\datareporting\glean\db\data.safe.bin

Filesize
182B

MD5
7fba44cb533472c1e260d1f28892d86b

SHA1
727dce051fc511e000053952d568f77b538107bb

SHA256
14fb5cda1708000576f35c39c15f80a0c653afaf42ed137a3d31678f94b6e8bf

SHA512
1330b0f39614a3af2a6f5e1ea558b3f5451a7af20b6f7a704784b139a0ec17a20c8d7b903424cb8020a003319a3d75794e9fe8bc0aeb39e81721b9b2fdb9e031

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qvsz39p.default-release\places.sqlite

Filesize
5.0MB

MD5
ea9e2bf27ec60f9226eae5090bdc90d1

SHA1
5eb83a23bbf2e9a7c6d4728c39fb7cdd0cc401af

SHA256
77b720f7cec4eeded864aba0685a7e976fdc9b53f066014d702e26d83c050a88

SHA512
2f9a26087e95b17c5a1eeaf5110a1503a85a6a2cbf5e72252b4e5e19be2a79c9a46088a0dbc8110b7657ab5bf2bd74a51198062025d0f88b693ebac1537227f5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qvsz39p.default-release\prefs-1.js

Filesize
6KB

MD5
78386be15f6ad4a3f542b75c61edc5ae

SHA1
b2b5145ff2af2da10e6540036eaf00f2450ced97

SHA256
f65f1b527c6824ce8947900a2902bbf289420b45e6e4b4b1b22c2012b197ff14

SHA512
7e4b87250021e68dd81e6d2fd05d7761e64357a77f27bdcf5d4813636352c1eee75565419221d167bdfa9c3a7d129cdb2992b04490b77835875d00b9ce466559

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qvsz39p.default-release\prefs-1.js

Filesize
7KB

MD5
0da559ef48da35ea12801225abf36058

SHA1
cd5b536d23b6944723ecfc4010b808955284d4de

SHA256
c584853622fdf0b4af38edad869e6f8893aba0cf9b10f65eeb3059b7672dcc1c

SHA512
5a22d1003ac997d407389f05fc9db0a97110e7cbe8e19b0689d02e7b08459fa0137eda9959c1ad2e6e7dda9dfc4f1a3e8242708a0cb56dbfd82b61fcb45e1a92

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qvsz39p.default-release\prefs-1.js

Filesize
7KB

MD5
b431c9dd760aa9973222cb15469e0ff8

SHA1
648a805a46e60f8a923c3e874119501500c96216

SHA256
f20d6e7a5c6b6ef9b476626a8bbbe041a809be36bfb3cf67e77f3e5798f8236c

SHA512
a42f679231e97cfb20d057bc6b991ba7737d29875c96f14b7c64f45a4eac0bdaa55109cd8f12da0464c3c5e2595994dbc7913430bc04d0be7dbbc50fd0fd4ec7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qvsz39p.default-release\prefs.js

Filesize
7KB

MD5
46178ac23b7fc24b21a10b47a53b5b8d

SHA1
f333df8b676bedfb9bb1c91889dc3889875355d1

SHA256
cb1074ac0cbe4f9759c719646e3ff420a9f9c622435ebae560b05f6ad4d1f943

SHA512
2e85901037338e91802cbabed5a3fc091836b1ca45114a673692633dd18621ff6811ae05c9f8a7aa0c1560be9143bf8b4d6060c010033a5cf88d5eeba6eec7c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qvsz39p.default-release\protections.sqlite

Filesize
64KB

MD5
49397db0486dc59d607907a086f40c9b

SHA1
08742ce9db9569062def08e99eea8470702feb7d

SHA256
890033ea279f13478e655150a823a5f84176d2f8f2ec3724dc61dfec775707c4

SHA512
fc8dad1ae2215cd96c41bb3e683670bb9138467677da46c19d1e58972775842a995b70123c22ea1efb659d043f5116d0c9dca422035a6646b35f81033c9f5f53

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qvsz39p.default-release\sessionCheckpoints.json

Filesize
288B

MD5
948a7403e323297c6bb8a5c791b42866

SHA1
88a555717e8a4a33eccfb7d47a2a4aa31038f9c0

SHA256
2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e

SHA512
17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qvsz39p.default-release\sessionCheckpoints.json.tmp

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qvsz39p.default-release\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qvsz39p.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
9c7d0b8f64971bac5918c866944f242b

SHA1
9d37834e84b8038efbf88b3738c75439c27acc8d

SHA256
5ac750493d1c5a35655d2f2a6760dc9acbe0274a2f18ee7b2127fbf0623729ec

SHA512
f8b1289adadfbc967940cde2f1ac8d3bcc6ac81368fd32d5d115ee679c593054fd534d41b0d40ee72dc9fbc6742807811fd4d12a5d8a0b7d9e9d2401972e8229

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qvsz39p.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
4f349783d1741f35ac0c4a076413f913

SHA1
a07ece2b7c4a4309882570968008b5ceb33e79d1

SHA256
861b7766e43c2e9b275f185b0bd29903497b1f95346156ca516226772729ea00

SHA512
c0050dea82a2874f71e70149ce8ea2c7ddaa8ed7d7f5ca212f4cd5af5da90c015d6c3e14bc20e29130fbb8747648f0176299063331620f9972e2f99774c9be54

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qvsz39p.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
1fa6c8e54d2c9d407131d1fff56f0c50

SHA1
88f3802fcc407c778a19b128d6db5ca510bdee23

SHA256
c70f57b9476558459f379590e5d996bd2a8c4ffe81d9ce2d39a3fbba126b7e47

SHA512
c5068a72016328c95262337cc2b15433bc3872762bc3b55f209fc605c223fd3180ae153309304e154df7253f7390a1698f134e1e9132f9f4ca0c51793d77b623

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qvsz39p.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
aaee3bdc9c30c7c6b3ec37b4687c11e2

SHA1
f08d0f86fbfec2d614865c3f3d2540d0b3f45bbb

SHA256
7c8f9fffb5d4db32219d84b04515616017ac8b8163a741f0f2cb72e8227b9257

SHA512
9558aa29ab4a731953bbc36e904b32657e95587e9bb68f31f3a531aeaedd973730ad1c3ccb0636bd4fa2b3857bd493267514f97257e585402d8363f1c551c9f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qvsz39p.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
873B

MD5
80a703ca1b7a4e320b46b7a54a935c10

SHA1
f0620294997e5da3dc7144e4565700128da4af24

SHA256
cc7c21733659cb6f4b39e2387e3ae536cbd1d2e6c8b615c974d2e1b7848e8ca6

SHA512
0c1b78f4bc8a1ea8ea3bb2d42c421d0102cd0d71660fa8ccd7f613016220a40933adb69e735d24beba55b7500eff28227239c473f11ce17c888e6b356fd97efb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qvsz39p.default-release\sessionstore.jsonlz4

Filesize
746B

MD5
43acbc90239fb886a525643a51cf3f0b

SHA1
a6f4c87fe11c488afecf0c77b533b328013625c9

SHA256
2deddea95d34d00a5cd4247eb0b6d40824041f7306068ad4e2ee98733e9cdee4

SHA512
0c058ded951b3a028482d93d8949052014b495d63730e993b491e9a07251fb2cfc25d4383d53efb66350e494fee28de653f9d34067d54181adc3851390308692

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qvsz39p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite

Filesize
48KB

MD5
6cde4b044e41ac6891f4bd610c2c28a7

SHA1
7e2773a30c89c668be57eb5975099e65dee8259f

SHA256
178dddf6e5cc845cc4c26d8674b8beec43b890df269dcee196eeb97af7615228

SHA512
939d582c6520d4ab6590757862c2353a59c347abce68ac4d1eeaaf0973d2e54d1470e282ddcd2ade49f642920a5736a626eedd83849a4832d7144d5ae5e45f69

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qvsz39p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
200KB

MD5
5528ea8a5eae2ec13e10aa59bd097b0f

SHA1
f6228873e9cc12b4fd9810768bb4d4a36913a42d

SHA256
81b80dab3309f39edc24b3a5f787f2a8938f3a3616bbde4a30d3dd0e07a1222e

SHA512
564464b91b86780384519b28e4c94ae99fdadb2a3eedd6f62866e8790447bafed162f423f5c9e6230e4da27966d8051fe2b5a094abb0967e3ae9b96e38b051ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qvsz39p.default-release\xulstore.json

Filesize
342B

MD5
a33540fb67dd4121dbfcb82a9171a651

SHA1
adb1b1aacfb5cd5e74d768400745475b7de47ff5

SHA256
bbaf93b501d5df8d2804ac3da933dd07efc55b9241606fc2375dc34ae10d4853

SHA512
c3bd61073cba85b1943a31a7e36d2429be384f5efab8764739ff6b7c34fa7f6a643abe216dc0027a0beb4eb02ca77543b4b6a11c3cba2a69bfea97b1215c8d93

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 945574.crdownload

Filesize
1.3MB

MD5
25c6bdbe586fd5b2747c45bcae085ec2

SHA1
ade7b2ffc3367c19858bd372777dd4a451297a24

SHA256
10955c159b4dd6c0c5d1728516c4024f6f270f20ddbbbb4d2746e34b018f93b3

SHA512
d1aa9e49dbaae41084da6882d424d16e493f855d0d39af0ea5dcecebe75b329ad4ce761216f4c62c6fb3e44fc5d1db850460b71ab19e90004d666d587759e3ac

Download Submit
C:\Users\Admin\Downloads\gjnvlcxv.exe (1).infected

Filesize
2.3MB

MD5
3abacdbddb7190c93d7f24561b201b48

SHA1
751507b13da515c2fc06e556eb7d5ca16bc54cd0

SHA256
72779e29eb9099678af9b0daa7e376322a0c8fd2c9ace68962249ed72930d9d2

SHA512
a6d63436c7f519c5af11064edb876ef569141f7b0492603caa9f6f134fed3f553cd51fdb1a7acd9b3d092b70a7d692e9ee7f88dff9156820ab6086c7f9632c56

Download Submit
C:\Users\Admin\Downloads\gjnvlcxv.exe (1).infected:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\vbc.exe.infected

Filesize
123KB

MD5
d2ce3b2a5f3efb1fcede96304e57a531

SHA1
d74be8fe0be4ec13340dad9c0fdeb653c9c8b90e

SHA256
e0a4948a58829f4ecd9e6fb9b28e127a6827bd8761ded085d2069a248f6f5462

SHA512
fd0d0b51000b146049db24ecac27885ff4f688b4e40b42061972d21aaa45f8657437db8f56880f5414f00b5e35febce8a339b1d30bd387f8f11a179b222e828b

Download Submit
C:\Users\Admin\Downloads\vbc.exe.infected:Zone.Identifier

Filesize
266B

MD5
39ee67d856fed50e71c6f937dd4fba7a

SHA1
f097a300dcfc500bb0a9e736bb7fffc441b8ad76

SHA256
b174c1a1c19ad9afa56cb270b755ce182a914ac367128601056292d83687ef6e

SHA512
30e5ac5011d409d2e4dbfd3516d3f3df5cd11ddc792559620730cd11a797f9a4f78c9d2965d01a3ade0323670d04fc8606582eda0f445ff834612337e7bbaaec

Download Submit
memory/5372-408-0x00007FF660B50000-0x00007FF660C48000-memory.dmp

Filesize
992KB

Download
memory/5372-409-0x00007FFCC3BC0000-0x00007FFCC3BF4000-memory.dmp

Filesize
208KB

Download
memory/5372-410-0x00007FFCC3900000-0x00007FFCC3BB6000-memory.dmp

Filesize
2.7MB

Download
memory/5372-411-0x00007FFCC24E0000-0x00007FFCC3590000-memory.dmp

Filesize
16.7MB

Download