Analysis

max time kernel: 549s
max time network: 550s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 30-05-2024 14:54
Static task: static1

Errors
General

Target: furinaa.jpg
Size: 66KB
MD5: c75acd9aa617d03b75c3d23d50cad904
SHA1: 1a3f88617887cbe0d7a99377669669232a848c8e
SHA256: e3d68cda13fa8087a4e6d36b1cde74ceb514b36f6814e41d40d423cb125586be
SHA512: 7f4416a7832fc75799186e0645662c16c69be6b8fb667e5dea18ae84d5ce90096c3fb6fdde17a3268beb899b55fdf21e22f513d7430ccf32d7c56b6483d621c7
SSDEEP: 1536:9BOsicjEsh0nQmfgvrmIVGqLhcMNynt6YVTjmBFUO52weuruCz:9BOFcrWQmovBVGqvWoYVTjgUO52JwuCz
Malware Config

Extracted
Family: xworm
Version: 5.0
C2: interest-specialty.gl.at.ply.gg:53471
Unlabelled value: ZXQe0hLZLNfanVlh
Install_directory: %AppData%
install_file: USB.exe
Signatures

Detect Xworm Payload (2 IoCs)
Processes (resource, yara_rule):
- C:\Users\Admin\Desktop\FreeDon.exe: family_xworm
- behavioral1/memory/5252-559-0x0000000000C70000-0x0000000000C80000-memory.dmp: family_xworm
Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes (pid, process):
- 4852 powershell.exe
- 5752 powershell.exe
- 6084 powershell.exe
- 2132 powershell.exe
Downloads MZ/PE file
Drops startup file (2 IoCs)
Processes (description, ioc, process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nursultan.lnk (FreeDon.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nursultan.lnk (FreeDon.exe)
Executes dropped EXE (10 IoCs)
Processes (pid, process):
- 3944 7z2406-x64.exe
- 4496 7zFM.exe
- 5252 FreeDon.exe
- 2100 Nursultan
- 5196 Nursultan
- 6120 Nursultan
- 4616 Nursultan
- 2564 Nursultan
- 5456 Nursultan
- 5536 Nursultan
Loads dropped DLL (2 IoCs)
Processes (pid, process):
- 3292
- 4496 7zFM.exe
Registers COM server for autorun (1 TTP, 3 IoCs)
Processes (description, ioc, process):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 (7z2406-x64.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll" (7z2406-x64.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" (7z2406-x64.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Roaming\\Nursultan" (FreeDon.exe)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
- flow 70: ip-api.com
Drops file in Program Files directory (64 IoCs)
Processes (description, ioc, process). Every entry is "File opened for modification" by 7z2406-x64.exe:
- C:\Program Files\7-Zip\History.txt
- C:\Program Files\7-Zip\Lang\lv.txt
- C:\Program Files\7-Zip\Lang\ta.txt
- C:\Program Files\7-Zip\Lang\sk.txt
- C:\Program Files\7-Zip\Lang\sq.txt
- C:\Program Files\7-Zip\Lang\tg.txt
- C:\Program Files\7-Zip\Lang\ca.txt
- C:\Program Files\7-Zip\Lang\et.txt
- C:\Program Files\7-Zip\Lang\ku.txt
- C:\Program Files\7-Zip\Lang\ms.txt
- C:\Program Files\7-Zip\Lang\sr-spl.txt
- C:\Program Files\7-Zip\7zFM.exe
- C:\Program Files\7-Zip\Lang\gu.txt
- C:\Program Files\7-Zip\Lang\nb.txt
- C:\Program Files\7-Zip\Lang\sv.txt
- C:\Program Files\7-Zip\Lang\ar.txt
- C:\Program Files\7-Zip\Lang\cy.txt
- C:\Program Files\7-Zip\Lang\tk.txt
- C:\Program Files\7-Zip\Lang\kaa.txt
- C:\Program Files\7-Zip\Lang\ne.txt
- C:\Program Files\7-Zip\7-zip.dll
- C:\Program Files\7-Zip\Lang\bg.txt
- C:\Program Files\7-Zip\Lang\en.ttt
- C:\Program Files\7-Zip\Lang\it.txt
- C:\Program Files\7-Zip\Lang\is.txt
- C:\Program Files\7-Zip\Lang\ka.txt
- C:\Program Files\7-Zip\Lang\mng.txt
- C:\Program Files\7-Zip\Lang\pl.txt
- C:\Program Files\7-Zip\Lang\pt-br.txt
- C:\Program Files\7-Zip\Lang\fi.txt
- C:\Program Files\7-Zip\Lang\fur.txt
- C:\Program Files\7-Zip\Lang\hy.txt
- C:\Program Files\7-Zip\Lang\hr.txt
- C:\Program Files\7-Zip\Lang\ku-ckb.txt
- C:\Program Files\7-Zip\Lang\uz-cyrl.txt
- C:\Program Files\7-Zip\descript.ion
- C:\Program Files\7-Zip\Lang\an.txt
- C:\Program Files\7-Zip\Lang\da.txt
- C:\Program Files\7-Zip\Lang\gl.txt
- C:\Program Files\7-Zip\Lang\lt.txt
- C:\Program Files\7-Zip\Lang\va.txt
- C:\Program Files\7-Zip\Lang\pt.txt
- C:\Program Files\7-Zip\Lang\ro.txt
- C:\Program Files\7-Zip\Lang\fa.txt
- C:\Program Files\7-Zip\Lang\zh-cn.txt
- C:\Program Files\7-Zip\Lang\ug.txt
- C:\Program Files\7-Zip\Lang\uk.txt
- C:\Program Files\7-Zip\Lang\uz.txt
- C:\Program Files\7-Zip\Lang\zh-tw.txt
- C:\Program Files\7-Zip\Lang\mng2.txt
- C:\Program Files\7-Zip\Lang\nn.txt
- C:\Program Files\7-Zip\Lang\sr-spc.txt
- C:\Program Files\7-Zip\Lang\de.txt
- C:\Program Files\7-Zip\Lang\mr.txt
- C:\Program Files\7-Zip\Lang\tt.txt
- C:\Program Files\7-Zip\Lang\io.txt
- C:\Program Files\7-Zip\Lang\ps.txt
- C:\Program Files\7-Zip\Lang\ast.txt
- C:\Program Files\7-Zip\Lang\eo.txt
- C:\Program Files\7-Zip\Lang\es.txt
- C:\Program Files\7-Zip\Lang\sl.txt
- C:\Program Files\7-Zip\7zCon.sfx
- C:\Program Files\7-Zip\Lang\eu.txt
- C:\Program Files\7-Zip\Lang\ext.txt
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (firefox.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Modifies data under HKEY_USERS (15 IoCs)
Processes (description, ioc, process). Every entry is by LogonUI.exe:
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "70"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
Modifies registry class (62 IoCs)
Processes (description, ioc, process):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip (7z2406-x64.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip (7z2406-x64.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff (OpenWith.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 (OpenWith.exe)
- Key created: \Registry\User\S-1-5-21-1672260578-815027929-964132517-1000_Classes\NotificationData (OpenWith.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll" (7z2406-x64.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" (OpenWith.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" (OpenWith.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" (7z2406-x64.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings (OpenWith.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 (OpenWith.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" (OpenWith.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000} (7z2406-x64.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll" (7z2406-x64.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" (7z2406-x64.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ (OpenWith.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ (OpenWith.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings (firefox.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 (OpenWith.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 (OpenWith.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" (OpenWith.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (OpenWith.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell (OpenWith.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 (OpenWith.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" (OpenWith.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\MuiCache (MiniSearchHost.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip (7z2406-x64.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" (7z2406-x64.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000} (7z2406-x64.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 (7z2406-x64.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" (7z2406-x64.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (OpenWith.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell (OpenWith.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings (taskmgr.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip (7z2406-x64.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff (OpenWith.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 (OpenWith.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" (OpenWith.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 (7z2406-x64.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1" (OpenWith.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg (OpenWith.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 (OpenWith.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff (OpenWith.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" (OpenWith.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" (OpenWith.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings (OpenWith.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" (7z2406-x64.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip (7z2406-x64.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" (OpenWith.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" (7z2406-x64.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" (7z2406-x64.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} (OpenWith.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" (7z2406-x64.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" (7z2406-x64.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 (OpenWith.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags (OpenWith.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" (OpenWith.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings (OpenWith.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (OpenWith.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 (OpenWith.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c00310000000000be580277110050524f4752417e310000740009000400efbec5525961be5803772e0000003f0000000000010000000000000000004a000000000034622700500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000 (OpenWith.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff (OpenWith.exe)
NTFS ADS (2 IoCs)
Processes (description, ioc, process):
- File created: C:\Users\Admin\Downloads\FreeDon.rar:Zone.Identifier (firefox.exe)
- File created: C:\Users\Admin\Downloads\7z2406-x64.exe:Zone.Identifier (firefox.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process), in the order listed, 64 rows in total:
- 5952 taskmgr.exe (x9)
- 4852 powershell.exe (x3)
- 5752 powershell.exe (x3)
- 6084 powershell.exe (x3)
- 2132 powershell.exe (x3)
- 5952 taskmgr.exe (x2)
- 5252 FreeDon.exe (x2)
- 5952 taskmgr.exe (remaining 39 rows)
Suspicious behavior: GetForegroundWindowSpam (4 IoCs)
Processes (pid, process):
- 2460 OpenWith.exe
- 3672 OpenWith.exe
- 4496 7zFM.exe
- 5952 taskmgr.exe
Suspicious use of AdjustPrivilegeToken (38 IoCs)
Processes (description, pid, process), in the order listed:
- Token: SeDebugPrivilege, 2368 firefox.exe (x3)
- Token: SeDebugPrivilege, 3944 7z2406-x64.exe (x5)
- Token: SeRestorePrivilege, 4496 7zFM.exe
- Token: 35, 4496 7zFM.exe
- Token: SeSecurityPrivilege, 4496 7zFM.exe
- Token: SeDebugPrivilege, 2368 firefox.exe (x3)
- Token: SeDebugPrivilege, 5952 taskmgr.exe
- Token: SeSystemProfilePrivilege, 5952 taskmgr.exe
- Token: SeCreateGlobalPrivilege, 5952 taskmgr.exe
- Token: SeDebugPrivilege, 5252 FreeDon.exe
- Token: SeDebugPrivilege, 4852 powershell.exe
- Token: SeDebugPrivilege, 5752 powershell.exe
- Token: SeDebugPrivilege, 6084 powershell.exe
- Token: SeDebugPrivilege, 2132 powershell.exe
- Token: SeDebugPrivilege, 5252 FreeDon.exe
- Token: SeDebugPrivilege, 2100 Nursultan
- Token: SeDebugPrivilege, 5196 Nursultan
- Token: SeDebugPrivilege, 2368 firefox.exe
- Token: SeBackupPrivilege, 5812 svchost.exe
- Token: SeRestorePrivilege, 5812 svchost.exe
- Token: SeSecurityPrivilege, 5812 svchost.exe
- Token: SeTakeOwnershipPrivilege, 5812 svchost.exe
- Token: 35, 5812 svchost.exe
- Token: SeDebugPrivilege, 6120 Nursultan
- Token: SeDebugPrivilege, 4616 Nursultan
- Token: SeDebugPrivilege, 2368 firefox.exe
- Token: SeDebugPrivilege, 2564 Nursultan
- Token: SeDebugPrivilege, 5456 Nursultan
- Token: SeDebugPrivilege, 2368 firefox.exe
- Token: SeDebugPrivilege, 5536 Nursultan
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes (pid, process), in the order listed, 64 rows in total:
- 2368 firefox.exe (x4)
- 4496 7zFM.exe (x2)
- 5952 taskmgr.exe (remaining 58 rows)
Suspicious use of SendNotifyMessage (64 IoCs)
Processes (pid, process), in the order listed, 64 rows in total:
- 2368 firefox.exe (x3)
- 5952 taskmgr.exe (remaining 61 rows)
Suspicious use of SetWindowsHookEx (58 IoCs)
Processes (pid, process), in the order listed, 58 rows in total:
- 2368 firefox.exe (x7)
- 2460 OpenWith.exe (x23)
- 2368 firefox.exe (x3)
- 3944 7z2406-x64.exe
- 2368 firefox.exe (x3)
- 1368 OpenWith.exe
- 2368 firefox.exe (x3)
- 3672 OpenWith.exe (x14)
- 4232 MiniSearchHost.exe
- 5252 FreeDon.exe
- 5404 LogonUI.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description, pid, process, target process), in the order listed, 64 rows in total:
- PID 4372 wrote to memory of 2368: 4372 firefox.exe -> firefox.exe (x11)
- PID 2368 wrote to memory of 2452: 2368 firefox.exe -> firefox.exe (x43)
- PID 2368 wrote to memory of 380: 2368 firefox.exe -> firefox.exe (x10)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\furinaa.jpg
  PID:3000

C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Suspicious use of WriteProcessMemory
  PID:4372

  C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2368

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.0.663054079\1644667076" -parentBuildID 20230214051806 -prefsHandle 1804 -prefMapHandle 1424 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e04cf7b-f1aa-4f56-abfa-67f57c12abd1} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 1896 1b5b560ef58 gpu
      PID:2452

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.1.1185038849\852847661" -parentBuildID 20230214051806 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee0d59c3-2d61-4421-8936-09ec85d725d8} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 2420 1b5a888a858 socket
      PID:380

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.2.1353432806\1624256194" -childID 1 -isForBrowser -prefsHandle 1716 -prefMapHandle 1596 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a458e16a-e391-4ca6-ace7-07ff4873de65} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 2908 1b5b7dee558 tab
      PID:2552

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.3.433532953\1147322840" -childID 2 -isForBrowser -prefsHandle 3552 -prefMapHandle 3548 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4123d1e-66ee-478f-8188-eb2f52388e19} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 3564 1b5bb01ff58 tab
      PID:2084

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.4.1007862898\1606920020" -childID 3 -isForBrowser -prefsHandle 5036 -prefMapHandle 5032 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {854881ce-6604-4fcb-8832-6c7593b1aa4c} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 5044 1b5a8880d58 tab
      PID:1080

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.5.737695518\854914208" -childID 4 -isForBrowser -prefsHandle 5224 -prefMapHandle 5228 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d609e15c-c57d-4644-ab2e-8d8a4e4db261} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 5208 1b5bbde1358 tab
      PID:2188

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.6.448346326\965839413" -childID 5 -isForBrowser -prefsHandle 5012 -prefMapHandle 5212 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c0cca9c-a2ad-493a-aca6-e6d7616963da} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 5400 1b5bd464f58 tab
      PID:4608

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.7.557364378\1028396740" -childID 6 -isForBrowser -prefsHandle 4788 -prefMapHandle 5936 -prefsLen 28175 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b4a8f31-eb04-4bf0-87ff-91462a442c1c} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 5948 1b5bdf64558 tab
      PID:5024

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.8.1157311089\502990718" -childID 7 -isForBrowser -prefsHandle 6060 -prefMapHandle 6048 -prefsLen 28175 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ea0ed98-e454-4fd7-9de3-8a6ebc5eaa6e} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 2980 1b5be38db58 tab
      PID:4220

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.9.1237305292\907416870" -childID 8 -isForBrowser -prefsHandle 6848 -prefMapHandle 6832 -prefsLen 28215 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9deb87e-5ac6-4a38-b99a-19bea08a62ff} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 6808 1b5b7df0658 tab
      PID:1564

    C:\Users\Admin\Downloads\7z2406-x64.exe
      "C:\Users\Admin\Downloads\7z2406-x64.exe"
      - Executes dropped EXE
      - Registers COM server for autorun
      - Drops file in Program Files directory
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID:3944

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.10.1431935357\502982388" -childID 9 -isForBrowser -prefsHandle 6132 -prefMapHandle 4900 -prefsLen 31069 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff254255-81dc-4adf-bffe-19c3347b6941} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 2884 1b5bdfda258 tab
      PID:5352

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.11.1775695385\752754274" -childID 10 -isForBrowser -prefsHandle 6028 -prefMapHandle 6032 -prefsLen 31069 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d23de00-4b5c-44f1-9646-faab6c2db9c8} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 2720 1b5bdfdb158 tab
      PID:2124

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.12.1218192411\926714357" -childID 11 -isForBrowser -prefsHandle 7384 -prefMapHandle 7380 -prefsLen 31413 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c2cd2e2-a9ff-4bbc-b6d1-e19318307dcd} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 7396 1b5c2227858 tab
      PID:3784

C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2460

C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1368

C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3672

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4232

C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID:3736

C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\FreeDon.rar"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4496

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
  PID:5256

C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /0
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5952

C:\Users\Admin\Desktop\FreeDon.exe
  "C:\Users\Admin\Desktop\FreeDon.exe"
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5252

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\FreeDon.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4852

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FreeDon.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5752

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Nursultan'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6084

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nursultan'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2132

  C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Nursultan" /tr "C:\Users\Admin\AppData\Roaming\Nursultan"
    - Creates scheduled task(s)
    PID:4320

C:\Users\Admin\AppData\Roaming\Nursultan
  C:\Users\Admin\AppData\Roaming\Nursultan
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2100

C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /0
  PID:6068

C:\Users\Admin\AppData\Roaming\Nursultan
  C:\Users\Admin\AppData\Roaming\Nursultan
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5196

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SDRSVC
  - Suspicious use of AdjustPrivilegeToken
  PID:5812

C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /0
  PID:4480

C:\Users\Admin\AppData\Roaming\Nursultan
  C:\Users\Admin\AppData\Roaming\Nursultan
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6120

C:\Users\Admin\AppData\Roaming\Nursultan
  C:\Users\Admin\AppData\Roaming\Nursultan
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4616

C:\Users\Admin\AppData\Roaming\Nursultan
  C:\Users\Admin\AppData\Roaming\Nursultan
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2564

C:\Users\Admin\AppData\Roaming\Nursultan
  C:\Users\Admin\AppData\Roaming\Nursultan
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5456

C:\Users\Admin\AppData\Roaming\Nursultan
  C:\Users\Admin\AppData\Roaming\Nursultan
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5536

C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x4 /state0:0xa39f8055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:5404
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution 2
  - Registry Run Keys / Startup Folder 2
- Scheduled Task/Job 1
Privilege Escalation
- Boot or Logon Autostart Execution 2
  - Registry Run Keys / Startup Folder 2
- Scheduled Task/Job 1
Downloads