kutaki | hxxps://kairosinfo[.]in/stampduty

Analysis

max time kernel
247s
max time network
248s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://kairosinfo.in/stampduty

Score

10^/10

kutaki discovery keylogger stealer

Malware Config

Extracted

Family

kutaki

http://treysbeatend.com/laptop/squared.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Drops startup file 2 IoCs

Processes:

rock.bat

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fuxfxffk.exe	rock.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fuxfxffk.exe	rock.bat

Executes dropped EXE 1 IoCs

Processes:

fuxfxffk.exe

pid process

5204 fuxfxffk.exe

pid	process
5204	fuxfxffk.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exesetup.exe

description	ioc	process
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

rock.batcmd.exefuxfxffk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rock.bat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fuxfxffk.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133687523199157788"	chrome.exe

Modifies registry class 64 IoCs

Processes:

firefox.exechrome.exechrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe

NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\Stamp Duty.zip:Zone.Identifier firefox.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

5764 chrome.exe
5764 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

5764 chrome.exe
5764 chrome.exe
5764 chrome.exe
5764 chrome.exe
5764 chrome.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\Stamp Duty.zip:Zone.Identifier	firefox.exe

pid	process
5764	chrome.exe
5764	chrome.exe

pid	process
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

firefox.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	4664	firefox.exe
Token: SeDebugPrivilege	4664	firefox.exe
Token: SeDebugPrivilege	4664	firefox.exe
Token: SeDebugPrivilege	4664	firefox.exe
Token: SeDebugPrivilege	4664	firefox.exe
Token: SeDebugPrivilege	4664	firefox.exe
Token: SeDebugPrivilege	4664	firefox.exe
Token: SeDebugPrivilege	4664	firefox.exe
Token: SeDebugPrivilege	4664	firefox.exe
Token: SeDebugPrivilege	4664	firefox.exe
Token: SeDebugPrivilege	4664	firefox.exe
Token: SeDebugPrivilege	4664	firefox.exe
Token: SeDebugPrivilege	4664	firefox.exe
Token: SeDebugPrivilege	4664	firefox.exe
Token: SeDebugPrivilege	4664	firefox.exe
Token: SeDebugPrivilege	4664	firefox.exe
Token: SeDebugPrivilege	4664	firefox.exe
Token: SeDebugPrivilege	4664	firefox.exe
Token: SeDebugPrivilege	4664	firefox.exe
Token: SeDebugPrivilege	4664	firefox.exe
Token: SeDebugPrivilege	4664	firefox.exe
Token: SeDebugPrivilege	4664	firefox.exe
Token: SeDebugPrivilege	4664	firefox.exe
Token: SeDebugPrivilege	4664	firefox.exe
Token: SeDebugPrivilege	4664	firefox.exe
Token: SeShutdownPrivilege	5764	chrome.exe
Token: SeCreatePagefilePrivilege	5764	chrome.exe
Token: SeShutdownPrivilege	5764	chrome.exe
Token: SeCreatePagefilePrivilege	5764	chrome.exe
Token: SeShutdownPrivilege	5764	chrome.exe
Token: SeCreatePagefilePrivilege	5764	chrome.exe
Token: SeShutdownPrivilege	5764	chrome.exe
Token: SeCreatePagefilePrivilege	5764	chrome.exe
Token: SeShutdownPrivilege	5764	chrome.exe
Token: SeCreatePagefilePrivilege	5764	chrome.exe
Token: SeShutdownPrivilege	5764	chrome.exe
Token: SeCreatePagefilePrivilege	5764	chrome.exe
Token: SeShutdownPrivilege	5764	chrome.exe
Token: SeCreatePagefilePrivilege	5764	chrome.exe
Token: SeShutdownPrivilege	5764	chrome.exe
Token: SeCreatePagefilePrivilege	5764	chrome.exe
Token: SeShutdownPrivilege	5764	chrome.exe
Token: SeCreatePagefilePrivilege	5764	chrome.exe
Token: SeShutdownPrivilege	5764	chrome.exe
Token: SeCreatePagefilePrivilege	5764	chrome.exe
Token: SeShutdownPrivilege	5764	chrome.exe
Token: SeCreatePagefilePrivilege	5764	chrome.exe
Token: SeShutdownPrivilege	5764	chrome.exe
Token: SeCreatePagefilePrivilege	5764	chrome.exe
Token: SeShutdownPrivilege	5764	chrome.exe
Token: SeCreatePagefilePrivilege	5764	chrome.exe
Token: SeShutdownPrivilege	5764	chrome.exe
Token: SeCreatePagefilePrivilege	5764	chrome.exe
Token: SeShutdownPrivilege	5764	chrome.exe
Token: SeCreatePagefilePrivilege	5764	chrome.exe
Token: SeShutdownPrivilege	5764	chrome.exe
Token: SeCreatePagefilePrivilege	5764	chrome.exe
Token: SeShutdownPrivilege	5764	chrome.exe
Token: SeCreatePagefilePrivilege	5764	chrome.exe
Token: SeShutdownPrivilege	5764	chrome.exe
Token: SeCreatePagefilePrivilege	5764	chrome.exe
Token: SeShutdownPrivilege	5764	chrome.exe
Token: SeCreatePagefilePrivilege	5764	chrome.exe
Token: SeShutdownPrivilege	5764	chrome.exe

Suspicious use of FindShellTrayWindow 53 IoCs

Processes:

firefox.exechrome.exe

pid	process
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe

Suspicious use of SendNotifyMessage 50 IoCs

Processes:

firefox.exechrome.exe

pid	process
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe
5764	chrome.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

firefox.exerock.batfuxfxffk.exechrome.exechrome.exe

pid	process
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
4664	firefox.exe
1384	rock.bat
1384	rock.bat
1384	rock.bat
5204	fuxfxffk.exe
5204	fuxfxffk.exe
5204	fuxfxffk.exe
4664	firefox.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
1696	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4772 wrote to memory of 4664	4772	firefox.exe	firefox.exe
PID 4772 wrote to memory of 4664	4772	firefox.exe	firefox.exe
PID 4772 wrote to memory of 4664	4772	firefox.exe	firefox.exe
PID 4772 wrote to memory of 4664	4772	firefox.exe	firefox.exe
PID 4772 wrote to memory of 4664	4772	firefox.exe	firefox.exe
PID 4772 wrote to memory of 4664	4772	firefox.exe	firefox.exe
PID 4772 wrote to memory of 4664	4772	firefox.exe	firefox.exe
PID 4772 wrote to memory of 4664	4772	firefox.exe	firefox.exe
PID 4772 wrote to memory of 4664	4772	firefox.exe	firefox.exe
PID 4772 wrote to memory of 4664	4772	firefox.exe	firefox.exe
PID 4772 wrote to memory of 4664	4772	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 3132	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 2460	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 2460	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 2460	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 2460	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 2460	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 2460	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 2460	4664	firefox.exe	firefox.exe
PID 4664 wrote to memory of 2460	4664	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://kairosinfo.in/stampduty"
1⤵
- Suspicious use of WriteProcessMemory
PID:4772

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://kairosinfo.in/stampduty
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4664

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1864 -prefMapHandle 1856 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6673577f-8661-46ba-9362-8ae50dbc5bd1} 4664 "\\.\pipe\gecko-crash-server-pipe.4664" gpu
3⤵
PID:3132

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2448 -prefMapHandle 2444 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6af1dfb1-3a58-4b4b-acca-a2e7e1a052e0} 4664 "\\.\pipe\gecko-crash-server-pipe.4664" socket
3⤵
PID:2460

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2628 -childID 1 -isForBrowser -prefsHandle 3220 -prefMapHandle 3036 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1040 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc13a612-a15d-470a-9dd9-ea66fc7cfc48} 4664 "\\.\pipe\gecko-crash-server-pipe.4664" tab
3⤵
PID:644

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3128 -childID 2 -isForBrowser -prefsHandle 3520 -prefMapHandle 3536 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1040 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2865c2c2-f8a1-4505-91a5-b539bd254c1c} 4664 "\\.\pipe\gecko-crash-server-pipe.4664" tab
3⤵
PID:1108

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2680 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 1508 -prefMapHandle 3136 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {952e5730-5f71-43ff-9b7b-26306af4c9c0} 4664 "\\.\pipe\gecko-crash-server-pipe.4664" utility
3⤵
- Checks processor information in registry
PID:2952

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5288 -childID 3 -isForBrowser -prefsHandle 5280 -prefMapHandle 5276 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1040 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13f6855f-591a-4f9c-b206-f4337299e2de} 4664 "\\.\pipe\gecko-crash-server-pipe.4664" tab
3⤵
PID:2040

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -childID 4 -isForBrowser -prefsHandle 5428 -prefMapHandle 5432 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1040 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5af3e904-bb4c-4d30-a897-73a7f85997a6} 4664 "\\.\pipe\gecko-crash-server-pipe.4664" tab
3⤵
PID:3932

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5720 -childID 5 -isForBrowser -prefsHandle 5712 -prefMapHandle 5708 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1040 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f5f9488-b10b-40f4-877e-0333a3ed62de} 4664 "\\.\pipe\gecko-crash-server-pipe.4664" tab
3⤵
PID:4404

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1576 -childID 6 -isForBrowser -prefsHandle 872 -prefMapHandle 2676 -prefsLen 29318 -prefMapSize 244658 -jsInitHandle 1040 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52ca6d2e-7277-400d-add5-324ea5219349} 4664 "\\.\pipe\gecko-crash-server-pipe.4664" tab
3⤵
PID:5284

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4340 -childID 7 -isForBrowser -prefsHandle 2800 -prefMapHandle 4952 -prefsLen 27817 -prefMapSize 244658 -jsInitHandle 1040 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d627d4b-ba35-4bb6-a3ae-8c9a512a21b9} 4664 "\\.\pipe\gecko-crash-server-pipe.4664" tab
3⤵
PID:6044

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6744 -childID 8 -isForBrowser -prefsHandle 6904 -prefMapHandle 6900 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1040 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93e3e837-7e41-4fd5-a814-906c6e61d34d} 4664 "\\.\pipe\gecko-crash-server-pipe.4664" tab
3⤵
PID:5928

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2800 -childID 9 -isForBrowser -prefsHandle 7040 -prefMapHandle 7048 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1040 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd5c37b4-2697-46d1-a741-73b5ada1b9b1} 4664 "\\.\pipe\gecko-crash-server-pipe.4664" tab
3⤵
PID:5936

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6812 -childID 10 -isForBrowser -prefsHandle 7360 -prefMapHandle 5092 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1040 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5166c6b-fdc9-4581-9222-ed2a7fb54d2d} 4664 "\\.\pipe\gecko-crash-server-pipe.4664" tab
3⤵
PID:3624

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:216

C:\Users\Admin\AppData\Local\Temp\Temp1_Stamp Duty.zip\rock.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_Stamp Duty.zip\rock.bat"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1384

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
2⤵
- System Location Discovery: System Language Discovery
PID:5136

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fuxfxffk.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fuxfxffk.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffac43ccc40,0x7ffac43ccc4c,0x7ffac43ccc58
2⤵
PID:1948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1988,i,6127753236645747154,12055594307119364514,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1968 /prefetch:2
2⤵
PID:5488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2120,i,6127753236645747154,12055594307119364514,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2228 /prefetch:3
2⤵
PID:6056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2296,i,6127753236645747154,12055594307119364514,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2472 /prefetch:8
2⤵
PID:1252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3192,i,6127753236645747154,12055594307119364514,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3200 /prefetch:1
2⤵
PID:5188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3336,i,6127753236645747154,12055594307119364514,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3432 /prefetch:1
2⤵
PID:5220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4576,i,6127753236645747154,12055594307119364514,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4564 /prefetch:1
2⤵
PID:3384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4800,i,6127753236645747154,12055594307119364514,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4808 /prefetch:8
2⤵
PID:4556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4820,i,6127753236645747154,12055594307119364514,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4880 /prefetch:8
2⤵
PID:5428

C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
- Drops file in Program Files directory
PID:5816

C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff692d64698,0x7ff692d646a4,0x7ff692d646b0
3⤵
- Drops file in Program Files directory
PID:4552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5136,i,6127753236645747154,12055594307119364514,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5260 /prefetch:1
2⤵
PID:4404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3532,i,6127753236645747154,12055594307119364514,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3508 /prefetch:1
2⤵
PID:688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5208,i,6127753236645747154,12055594307119364514,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3352 /prefetch:8
2⤵
PID:2072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5268,i,6127753236645747154,12055594307119364514,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5348 /prefetch:8
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3476,i,6127753236645747154,12055594307119364514,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5360 /prefetch:8
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1696

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
Filesize
649B

MD5
5595a719405d8f756dee1f4bd8b165f2

SHA1
75de570eb7f0e9067fd83fa879b6f09eaca80715

SHA256
7fb61ba2b3e5b7cdc5da88ae80ccf576a7d31a6d5bb9d75faa9ddd84b3f37f48

SHA512
63cb5d09e2124b249aa372f51e046d8d9f1e26b71b787e5c8e53a154d83d53ea1de1bff86612f916685f7f8fc2ae27864437a1829a23ed115828faa4472b4f46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b
Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f
Filesize
27KB

MD5
6b5c5bc3ac6e12eaa80c654e675f72df

SHA1
9e7124ce24650bc44dc734b5dc4356a245763845

SHA256
d1d3f1ebec67cc7dc38ae8a3d46a48f76f39755bf7d78eb1d5f20e0608c40b81

SHA512
66bd618ca40261040b17d36e6ad6611d8180984fd7120ccda0dfe26d18b786dbf018a93576ebafe00d3ce86d1476589c7af314d1d608b843e502cb481a561348

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
672B

MD5
a2f1b00c3ad067b76b727fe2fa978670

SHA1
341557b4319ff56b738f7834b9a86da7d3aa0d15

SHA256
9df8150f54226421922f1bfb47d03cf9110fe10368e5d3d519276dc58f3eb43e

SHA512
7ef4aad72f704cad8282ee335e374a26eeb1cc082af7bbbbcb5134d04c8f30e4ea2468ddf55ced8c4995a3137578c5582affe47ed52d745f51cb34dd06bded46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
5KB

MD5
c3cd688d2701a702488dae2b0df779d9

SHA1
4dec66703ee96d8857538ce80453a1145a5d01cd

SHA256
d55b748333928138414ee62594499c605218cc119b931a4d13786fa68750b1f0

SHA512
7f0c2d3c72e91ebe8935106138fe25513c3b5d11ae313b71945d6550a8a93a380e664c6df4adb6fcf8ed21d04c51b4db0ba43ca9fdb61c74788e1765fdcfc159

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
858B

MD5
bba41f803c0c0a5e00c748f49e61a822

SHA1
b10ee8614243924540392da883d5be73d9daf990

SHA256
01862a60ee665718fb363a02b4b485603e708f18b999e3337ad1d98922f7711a

SHA512
37ecd5a1d4d1aff48dc9380be50371e1058066f31a0a0cf034866b2b5b2b47242006aca61a85cb25a91d16192963541c8f50f8c9eba73666e8f0769f04b65034

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
7100eca9f3476fe235371272d89d0d84

SHA1
1b36c2fc3a2b64307ee1ff652c8c7b71e7aeed19

SHA256
697fd1c7122d1afa98bcfbfe73b2bd38e2eff605b282d8231ecb55b7cfca4a93

SHA512
a330d89619cddafe52e9af5d0bf915ab5a11afad622284ce586865e56dffcb00de77211262573898b32fd9d78edf5ca616c0357e50ce54a85ca75a3f2a62ab1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
10KB

MD5
dc2d8c86cda20ed590f14276ecc57ca6

SHA1
393b4978c234610759694d759e0d49f69eccd998

SHA256
09713d55681614b6546335d01eaad4efd90f38471c57abc0ac925a22f0d171f7

SHA512
b3e2a9c1c291699f369f9a31c00e26c1292106bcec44364cca1315dc0693da7bb90f0ee16015ed6fc3eef0930771cff997c00a32117953324f5484711c4d3851

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
dc0e22a7d351f243f67b9ee8eeeec145

SHA1
3ebb4e239ac8982fc94cfc21d179a63799a9f9c3

SHA256
c0c95e61a08a8373c95d4a78cfb7036aa0ce4dddb7188311ea69a19c14f68afb

SHA512
64d2882744e645faf5ea57d28caf03e03e4aad9ad076c0ff4c1feaacea541d48583eef941d32d7482d8336f8bab83737c2d24eff1cb6f0a74862d9e5a423fee9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
d63d87f254a38da6d424463818af193b

SHA1
da3c32efb455981240a388d914fad3c4d7a67403

SHA256
c8455c077b4e3860de2e64658232ab7ecd58a9907620de06b08c27f9340e7f76

SHA512
04abdbe77cb9bd122ec72f54aa9507f7d48ec66d0abf90b0d02ed34b48fcf7629d4f4d3e2f7f418505ef212c48166ddc2457ca928d9c60c83a35a7a3c9769419

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
10KB

MD5
08f6956e3afc4cef0e6509f56fd7048c

SHA1
00e50007e2c653491e5f5b6ebd8b9f2fcbe45ce8

SHA256
43bd8187c6e7e81930c71b3c00f9fe99a2c3bbb14710bb62cf892a1d66ef6742

SHA512
cc616e9e366bf9b386b9c9f20d44b4753cade4cfa6cafd78599b12e790e5cd5f6f4776c4853797b90e5743a9be75675ad55d49bcc3bbab67f74286fc645563b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
10KB

MD5
b229cdca3e2ee2211a99c06b2b6a0fd3

SHA1
829679b489380a5514c513881a2c30f62c02c8f1

SHA256
00145fead843a0ce4dfca24aafd0af2d1829187d529aee174812a041ef269ed5

SHA512
b0799c8b854272b9e69efb0c4ffa39c2bd875b445393efa2935cbbd2f40d97379a91781c1df76f8615faf970763451d86164bdfffa734dea919326d26b102272

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
252dbc17ddf787cc605c2fb493d53510

SHA1
a4cbeac4379b75ff7c7db80aa5e8ccd24f316380

SHA256
17f657780e5c59da865ad51d386e9434fa5fae41069e03b522a19f7704ea8b72

SHA512
90ae4d32b6612d2b2f6e3de5a21a313dd41657a884929db1c767f91263b7374f4b9d67c81b170d7135fc15956d743b57e71ee836cc7750a447a7640df71512a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
96B

MD5
ab1758a72a4a2c7831318dfe2ed23442

SHA1
9841e1936205854ca049edeeb26b007e3a31bea2

SHA256
e63c7c7322a9affd3b6660f51668b732d609385ab4fd1b082f537202486d36fe

SHA512
b04d86c8120c318da7748cb980ef0f1f54e4b9c3f48c1a50501325e0beac9dedac836eefd79eaeaddfec049d59777eb25d9d41a07fc759c764b5dd4b4fb7400b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
201KB

MD5
c3b0d75a1e33ca39b85de933fe7d5567

SHA1
093d30a7048ee0c1b1331def1e612cd1ccd0008b

SHA256
fac94755cf5a41865a315ebc7c0e803cda4394c8661b2af071b41ad27186edec

SHA512
89fe590ba7cc2bb51790f35a27526a5003b4ccf6d4a0744db50e48535112cd48b460c7f0a912d3479baa4cd2e5b502dc5964c797b6fb1cbc780b4a99a4227f32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
201KB

MD5
6ae980ba2985df7438815d001677fd30

SHA1
eeaed8c19fa108cf1d3ea0e869155ce300b801de

SHA256
43fdf558128395aa7ac5d23669f4c3dec03be40b5a1922b157b470bf07727c5b

SHA512
5588b25694d84d20c79159bf7745ec3ee1fb1a2e4e911ccd802b9c2de093881f1192255048711da1d1539bd500cdb043f9dce9e0a49a4ee790f8407efb7638bc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\activity-stream.discovery_stream.json
Filesize
27KB

MD5
a7f24e899f4a048ab34f914576a68c28

SHA1
2ee0d632462a14721bfa544b096d04c777b99ffc

SHA256
d83d485ae598409838e2afbcd197eb19b376925dc45ba92f7e77dee6b92f1802

SHA512
a0f77b26a43ccf7f46e6b3396ad8c9181bfad40a0a4a035df91bad8b02061df47af1515aacf1e2febf98e1647d7271501f4b9de4950498c585f1362f68f08d81

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\cache2\doomed\24535
Filesize
44KB

MD5
f12a00ff4bb50c8eb8796533a4f5ba42

SHA1
05e2e433a1b33544ca88b4c9af2494f9021455d9

SHA256
01154c159c0de561a3396c04442ba01efcde802337b5c6f508f2101f069c389e

SHA512
41fc7fae498ab1f1a7a18abadeaf99fc52aa05f81637e524310c3b2f1c90551b87a71084dfb870ed6b4028fb9d728380ee5af7702f6215b743c32fc9d77d89a5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\cache2\entries\0B88AB1FF2859241FFE1FA6FE3714A5863D4A4D6
Filesize
221KB

MD5
8c5b3e27000736fae1dbd5eef5a5fc32

SHA1
80918b8cc50fdcfc2201cce0213ae3933605cb3d

SHA256
4a2d1812a66a473a933f12bc56baf9a7a6d73a28381ba572fcc33b967a05d44a

SHA512
8c773c1c68dfb1645536bd57ebc6688a1ee33d1392271980cb24a02eb157e9e3b802155ebff823efb285fc056812e823e1c61559294868179548064640a279cc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\cache2\entries\FE760788527E0892C036105BBCBC40258C0A2667
Filesize
54KB

MD5
5210aa602768cff5fae922878bb82a8c

SHA1
a92546793041edc62ec5e404cf5a856f183bc570

SHA256
bb56bb1be11eb2ebbbb3ee1e1df1b8a45a5d827c1b31c6112ee9963ddd65ef3b

SHA512
71e6c24fc31c6892dc4653e0d885d3095161c80c188147a1585b8e31337bf3b631b85b948941ee3fa0881b38bba5b9e79a7b7c1d62cfcef6b23ea6e3de2d9352

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UTRZE6CKW7GONNS4UI6I.temp
Filesize
15KB

MD5
f14fd61ccdf8f8072965f1b83ca6a2c3

SHA1
d3fb0d9d5fb49e8d28e3ca8a4c7a9312ff885113

SHA256
4f18c8a6722f0da2b07267e8556bd7aee81d8d3ea908a4b0a6de4fc9bbd2e52f

SHA512
3f7703328e34d90397f78bbaabc2e03e71b594f701eced9a4b624a0fa9e1f2ccbf7946ae10b77043aa66d7b111aebf253bbf5b0dc9aab2966c3950cb59c51653

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fuxfxffk.exe
Filesize
752KB

MD5
9cfd040eabbca8e45f3e2865659d369b

SHA1
0bf290ff9efb1b1e09d0f9aa71bd63f2e0448fa9

SHA256
d24ceb07dd603a2dca820e9dd1fbb6e1b4318990cb7df9a172da3beb556688a7

SHA512
77090b8f5dee277b1aeaee3e861af2b37fcb9e43c0c2af7255edb828b8c13ed260eac9aab2012a48f872a4cb8ba0974dbc5dab88adff158dc4190af64a28fdab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin
Filesize
8KB

MD5
54ffa362993d60c37519a757d5db67d6

SHA1
75ef9ed58bbf7bc22676c9af460b6e928e3daf69

SHA256
fe80e5b7fe424d28ba3d96a40daef61a0dd8783cd98e19c381573060c66de34a

SHA512
081ef38d24d94494c9f7e02dd9f0b77e934633a8564b92466cf0955dda4045a1a887883cba10c0a53d97572f6bb43dd2e66ce5452f3fb3d3d86e4e9fd5c82fa5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp
Filesize
5KB

MD5
ec2ae646126ec765c50e6dc16402eb5b

SHA1
fccac171aaad6977f477da65fa0fcd11b628f164

SHA256
7f9dd2cf4d09ef051c63af88bfbcf4e02bcaaed0688db100889cc9163a711d19

SHA512
90f7d558a6e90c8c88a83ef8b72368b95345876f08c6874c399662cd10f8b003f58262892db48038e15a1621463cd9663e3a36d994ef26ce04d1e15aeab51f5c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp
Filesize
14KB

MD5
4e7692df895775ee1aad460740e81d02

SHA1
1bed003423aa61ce4ac480119d428582834dadf6

SHA256
a3ef7c7c1dbae4853b7b4925a142de60a614dfa3aa92eda0d69b23d92a5e0b08

SHA512
50e829f59aef7e4619cb2c9e5d9a239bed6da586a882c135fb0aa5732e3974a65331e97265c0609f6b10609f1d6517d9545834076974fdd414aca89aaaba91ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp
Filesize
6KB

MD5
7fe3a2d665f67475d5f24e15d71228b7

SHA1
e0daa879490aea04e9e8d8baeb49b1720760ad6b

SHA256
e30f2afd1ff21a6c88ba88b385ae007f9c12fb4fe106340bff5d0a47cb43ed8d

SHA512
bae7073120946e4459674669aadaa1dedf74f31703f4312dd87c4cf86c1eb67002fa211a64f6950d44e8412ae45198e2c0c6fd5d86e3ca2442559b0ad0df3ed6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\03775f66-ceb6-4809-9126-a5097c4a91a5
Filesize
26KB

MD5
d86fb270b788f29d1b8c7803c46fbcfd

SHA1
af2c566ef2c333c30d1007e5dbdf995bba87e39a

SHA256
93f20711d81437c0d41da74d8b47496e2a27806ba603fb36a1d87d4efe6712a1

SHA512
1f43cd2c0f9378412498c1484ca331cea7abcc4a1e5f4fac1de8196e790e3e929e7f43f60db34259af946f500794078850fc6e375272e1d99894d5a8d33087dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\de24ca23-5035-48fd-8372-fff5db9ccdee
Filesize
982B

MD5
82b5dbec592a606aa25d7182ba2415b7

SHA1
7924dd43e4362c0248500f6a6571fb861c1e0cfb

SHA256
550a77533a245500ae53d1088eaaee26d93675a013978dcdcd1b9d3ec0510e8e

SHA512
490914871db9addc95560e20c1a4f7043a6b4994545be6018f6db26c3fd9ad277c054b33f35990f71df096e8ae1d5308a0e8ea7575225000ee3d448e40090b51

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\efc0a0b0-0773-4a95-9d95-e6f7815675e2
Filesize
671B

MD5
d95f7f324b86b1b483416752378f8bb7

SHA1
f4d5c1ce9f8e50c168faa4a1a5dda722e45f551c

SHA256
f2218015c1e8b5940d1dc832ec0fd27823e57ff8b6183e759fe5f443370e156b

SHA512
e76f6ca74b8cb8a22c75f6676353c663f2a57cfd90c07112ddb0aaf39fee82eeb15c6f0d9c55a3f927192d323404c163efd05c71e5740be17da9006ee58f193d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js
Filesize
11KB

MD5
6daf50e5ac2d4006c19759505057dccb

SHA1
a441f1a670da034e247de78f08f3ed49fe412e5d

SHA256
cb230080a3b93d7f3f830012bc9d32148aa5ed3f6f4fd8e5864378dc2023dacf

SHA512
210da3090131832cf4ec7a98791aefbb2a866bfba1d27737d2f5c776b33f70eda7ca0050694fa8e2ddfb0d1af81ad07694198c3774e0b298030e208e0c0a3fc6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js
Filesize
12KB

MD5
b1556b1440d2a7283dc9a747b8f5d4b8

SHA1
e5d051dfbbaa299f37642f47b1b2120d5a4eddd1

SHA256
598c0155084a8db8d6be3c8569844326c00f5481587f10077f89c3371f9bbd6b

SHA512
76545be42e4db224f0e1cd2b98111f3b8c6900ab7c48c5769cc05d9bc6a651959804a8d0179f1946909e278f9f722c1eba4b8b01f5d733782c4350683b5019e5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs.js
Filesize
11KB

MD5
f8d5ec37c7dced9cee7c87a4a7a34d9a

SHA1
97af36646565e9ece964e42faf129e29dc1d1c68

SHA256
1256d692589757c1885b552667a90b8f1dec957aa2e60517446dfd439b2fda49

SHA512
03b290fd5839ca3b65875fbb3a6b7d800ecd655e65dc2a672a1804b981534278216d9919be9f3ec2848320d959c09a7b3920752cc03ef92f70492eca66db85ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4
Filesize
2KB

MD5
097bae261f49ac69a960be1a675739a9

SHA1
b6633f7f5bcf8983a04b004fb9ff360adcab3abe

SHA256
af3aab3c01ed06afd9b0ce2b8c4a2faa4020fdb468d4aa5ea208f0fe4ae974e0

SHA512
a6ddfeb015d6a60fc55a157582e1a34c3dd10e48f52adf83e20a39f5edaa4883f50cc10d99479d79826ae0e66bf61d4dd5506852e9652988f80cd8efc39a3eac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4
Filesize
1KB

MD5
d8202feb06e49136db52d2ca0c68febb

SHA1
9d722a727f0e008ca667902887c5fc2fd9503103

SHA256
33d57b89fb5bb85ff1682143102306e8791fa04d015a06fe782d35641b91cdfd

SHA512
2fb7425e371b813029e5ce15ad9f8fe0f4427b5361b646138e5e74dba9ba1a3d41a80437b3a027cbcecb9624d89e5f5b841b6c097186c82e6de979e10ca73918

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4
Filesize
2KB

MD5
d1170532fac855f62bdadcefb911b49d

SHA1
369a687a3ecf9808df6ceae3a09d63faa52c1d56

SHA256
a5c542090d06d1851b8811daff489ea168c88e26a3cb81805ae30d51eb7ef2a0

SHA512
9c9d7e5b9d6b750d5027974377ef895ae97dac2c85e09522f1240c919a42b7588e3fc3133fb6d4cefd6d805bc710b7bfa71c5c28e9f08cac8de111b1e775b319

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4
Filesize
2KB

MD5
152e52497868a4024101e89c65de78c8

SHA1
10752edd6bbaee77e772a62a9bac2d5a05e49e5e

SHA256
d5ebdf7302db34ac8c9eecf3f3fc13e054c960deb2b931d393d310c2c4791faa

SHA512
274259610a34abfb738d4f202f79743d1a8111e40942b5ea91fc4ff95627958d92d21b0c55a4edac92904628f5673c5acaed8ebf3a1857d108b8c807c2e2498d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4
Filesize
2KB

MD5
2e3c1221b1f051adee9bc355092c10de

SHA1
28222c7209908bb2a2aa1bf1ca5ad5366b5f42f8

SHA256
737952d125e5c4c2f966a186ed4e8d78708ff93025f41bd4c30c9c6373441d9d

SHA512
1e7cddd26daeb92ec668e3b88c738ff73b921a4d4787c7de9386c0f1a5e25aace11ccc10e157e5e433f84bc392ff43d28e55eab4e791dba850fa4cf4f855bd0d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4
Filesize
4KB

MD5
9b1a0ec77d8d250395202b40b8433c1a

SHA1
a45919653e93db2c945f83941a4db33e218706e7

SHA256
8e831de1d27bf11ce5ab3a58d18f8a03497d6069cacb444c808790fb704a4fdf

SHA512
895a7b7e929d0c99d1955a115363ee4a2f0c6250c3bcac58c0e856cf95dbd82e1eefbb4b3b39c0172116d5e66dfb35be28c73fcc1b3b9bc86fa81fafb880c969

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4
Filesize
1KB

MD5
ae1c62445e4e4ecee2305439160af6cf

SHA1
5a5b2d402fbda816aa1a3a4352a4580ed03c912d

SHA256
aafbaee072149b821829315cc2388d271cce862c6343d9d521b24060d56234a6

SHA512
57f9016252ebc309ffda2d37c6cd2bde23b560841636ed2d78701a9dec002b08c733a0ca00fa2444914d21ce06349c010179faca0aeabc75d0218be30a0cf94b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\storage\default\https+++www.virustotal.com\cache\morgue\89\{f4b8c443-c957-4e80-987e-3acb63481359}.final
Filesize
49KB

MD5
6bd20534cba56fc49efe48407524fae5

SHA1
0fa9bdea7ef064873554e021c8bebbc749410bee

SHA256
e531fb1ee3d9d162f40e5867b530bb50594240168f3a96fea3fd16f367a9b19d

SHA512
8da996d51806cb61ffb858745ed328ae54f6c8db416472e4e17f2e65496d6df94a397a3080a303ce8e1050b620b4d701d0015e1fb56340a2108100b41d5490df

Download Submit
C:\Users\Admin\Downloads\Stamp Duty.wF2LlBIZ.zip.part
Filesize
380KB

MD5
e3befe531bf0a2d9dcc78703fbae7ead

SHA1
0073a7522c8375d33f932ca510734e35a61ecc6a

SHA256
40523b317c640766240570f4a91ebff2ed4939b0288a9102dc2e4cea0576c29f

SHA512
76477af4bcedb5c1c05d2c6776fc4d2ce6c290b2f0e933857d43478cf9ae017d9e8979bef7456cc3c2ad0fcfc5c8470dc12dc02a83d2c39eda1c598de124afaa

Download Submit
\??\pipe\crashpad_5764_WAFOAFDQCBJRRJCK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit