skuld | hxxps://mega[.]nz/file/JLtQ2IyA#lLkRLj-vkg_SlEzeRpogGn_bG9grIXlqdi8889qeTDM

Analysis

max time kernel
139s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2024 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/JLtQ2IyA#lLkRLj-vkg_SlEzeRpogGn_bG9grIXlqdi8889qeTDM

Score

10^/10

skuld discovery persistence stealer

Malware Config

Extracted

Family

skuld

https://ptb.discord.com/api/webhooks/1288587368357691492/f6mEc_FzE-0rWvSFgK4IhjmpgbSQPZiB68NsOLb9EE3BfoQbAE6r4kjnh-Luc4aVRpR4

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld

Executes dropped EXE 2 IoCs

pid	Process
4816	entropy.exe
5968	entropy.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	entropy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	entropy.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
166	ip-api.com
139	api.ipify.org
140	api.ipify.org
141	ip-api.com
165	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

GoLang User-Agent 2 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	142	Go-http-client/1.1
HTTP User-Agent header	167	Go-http-client/1.1

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-523280732-2327480845-3730041215-1000\{FE0D00BC-031A-4A15-AEC9-C232016B8BB2}	svchost.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	entropy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	entropy.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	entropy.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\entropy.rar:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5708	msedge.exe
5708	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4348	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1784	firefox.exe
Token: SeDebugPrivilege	1784	firefox.exe
Token: 33	1560	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1560	AUDIODG.EXE
Token: SeDebugPrivilege	1784	firefox.exe
Token: SeRestorePrivilege	4348	7zFM.exe
Token: 35	4348	7zFM.exe
Token: SeSecurityPrivilege	4348	7zFM.exe
Token: SeDebugPrivilege	4816	entropy.exe
Token: SeIncreaseQuotaPrivilege	1092	wmic.exe
Token: SeSecurityPrivilege	1092	wmic.exe
Token: SeTakeOwnershipPrivilege	1092	wmic.exe
Token: SeLoadDriverPrivilege	1092	wmic.exe
Token: SeSystemProfilePrivilege	1092	wmic.exe
Token: SeSystemtimePrivilege	1092	wmic.exe
Token: SeProfSingleProcessPrivilege	1092	wmic.exe
Token: SeIncBasePriorityPrivilege	1092	wmic.exe
Token: SeCreatePagefilePrivilege	1092	wmic.exe
Token: SeBackupPrivilege	1092	wmic.exe
Token: SeRestorePrivilege	1092	wmic.exe
Token: SeShutdownPrivilege	1092	wmic.exe
Token: SeDebugPrivilege	1092	wmic.exe
Token: SeSystemEnvironmentPrivilege	1092	wmic.exe
Token: SeRemoteShutdownPrivilege	1092	wmic.exe
Token: SeUndockPrivilege	1092	wmic.exe
Token: SeManageVolumePrivilege	1092	wmic.exe
Token: 33	1092	wmic.exe
Token: 34	1092	wmic.exe
Token: 35	1092	wmic.exe
Token: 36	1092	wmic.exe
Token: SeIncreaseQuotaPrivilege	1092	wmic.exe
Token: SeSecurityPrivilege	1092	wmic.exe
Token: SeTakeOwnershipPrivilege	1092	wmic.exe
Token: SeLoadDriverPrivilege	1092	wmic.exe
Token: SeSystemProfilePrivilege	1092	wmic.exe
Token: SeSystemtimePrivilege	1092	wmic.exe
Token: SeProfSingleProcessPrivilege	1092	wmic.exe
Token: SeIncBasePriorityPrivilege	1092	wmic.exe
Token: SeCreatePagefilePrivilege	1092	wmic.exe
Token: SeBackupPrivilege	1092	wmic.exe
Token: SeRestorePrivilege	1092	wmic.exe
Token: SeShutdownPrivilege	1092	wmic.exe
Token: SeDebugPrivilege	1092	wmic.exe
Token: SeSystemEnvironmentPrivilege	1092	wmic.exe
Token: SeRemoteShutdownPrivilege	1092	wmic.exe
Token: SeUndockPrivilege	1092	wmic.exe
Token: SeManageVolumePrivilege	1092	wmic.exe
Token: 33	1092	wmic.exe
Token: 34	1092	wmic.exe
Token: 35	1092	wmic.exe
Token: 36	1092	wmic.exe
Token: SeRestorePrivilege	3744	7zG.exe
Token: 35	3744	7zG.exe
Token: SeSecurityPrivilege	3744	7zG.exe
Token: SeSecurityPrivilege	3744	7zG.exe
Token: SeDebugPrivilege	1784	firefox.exe
Token: SeDebugPrivilege	1784	firefox.exe
Token: SeDebugPrivilege	1784	firefox.exe
Token: SeDebugPrivilege	5968	entropy.exe
Token: SeIncreaseQuotaPrivilege	1400	wmic.exe
Token: SeSecurityPrivilege	1400	wmic.exe
Token: SeTakeOwnershipPrivilege	1400	wmic.exe
Token: SeLoadDriverPrivilege	1400	wmic.exe
Token: SeSystemProfilePrivilege	1400	wmic.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
4348	7zFM.exe
4348	7zFM.exe
3744	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe
1784	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3876 wrote to memory of 1784	3876	firefox.exe	82
PID 3876 wrote to memory of 1784	3876	firefox.exe	82
PID 3876 wrote to memory of 1784	3876	firefox.exe	82
PID 3876 wrote to memory of 1784	3876	firefox.exe	82
PID 3876 wrote to memory of 1784	3876	firefox.exe	82
PID 3876 wrote to memory of 1784	3876	firefox.exe	82
PID 3876 wrote to memory of 1784	3876	firefox.exe	82
PID 3876 wrote to memory of 1784	3876	firefox.exe	82
PID 3876 wrote to memory of 1784	3876	firefox.exe	82
PID 3876 wrote to memory of 1784	3876	firefox.exe	82
PID 3876 wrote to memory of 1784	3876	firefox.exe	82
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 792	1784	firefox.exe	83
PID 1784 wrote to memory of 1508	1784	firefox.exe	84
PID 1784 wrote to memory of 1508	1784	firefox.exe	84
PID 1784 wrote to memory of 1508	1784	firefox.exe	84
PID 1784 wrote to memory of 1508	1784	firefox.exe	84
PID 1784 wrote to memory of 1508	1784	firefox.exe	84
PID 1784 wrote to memory of 1508	1784	firefox.exe	84
PID 1784 wrote to memory of 1508	1784	firefox.exe	84
PID 1784 wrote to memory of 1508	1784	firefox.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4920	attrib.exe
5152	attrib.exe
3684	attrib.exe
3576	attrib.exe

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://mega.nz/file/JLtQ2IyA#lLkRLj-vkg_SlEzeRpogGn_bG9grIXlqdi8889qeTDM"
1⤵
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://mega.nz/file/JLtQ2IyA#lLkRLj-vkg_SlEzeRpogGn_bG9grIXlqdi8889qeTDM
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1960 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1e7b6fa-15bc-4ff5-83fb-5572daae6329} 1784 "\\.\pipe\gecko-crash-server-pipe.1784" gpu
    3⤵
    PID:792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2456 -parentBuildID 20240401114208 -prefsHandle 2432 -prefMapHandle 2420 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {78e59f6c-7287-433a-a238-5ea1a13a95c7} 1784 "\\.\pipe\gecko-crash-server-pipe.1784" socket
    3⤵
    PID:1508
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3220 -childID 1 -isForBrowser -prefsHandle 3216 -prefMapHandle 3212 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71f37172-e99d-4d57-9d6a-57dd218ebc11} 1784 "\\.\pipe\gecko-crash-server-pipe.1784" tab
    3⤵
    PID:4312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3828 -childID 2 -isForBrowser -prefsHandle 3228 -prefMapHandle 3224 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7f753b3-21d2-4060-8079-b05fda754bdc} 1784 "\\.\pipe\gecko-crash-server-pipe.1784" tab
    3⤵
    PID:3668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4780 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4772 -prefMapHandle 4768 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1fd4df4-d17c-4ea5-9bd4-149073759a16} 1784 "\\.\pipe\gecko-crash-server-pipe.1784" utility
    3⤵
    - Checks processor information in registry
    PID:4744
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5200 -childID 3 -isForBrowser -prefsHandle 5176 -prefMapHandle 5188 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f92a65d-93f5-472b-91d6-9ae8d2be5c3e} 1784 "\\.\pipe\gecko-crash-server-pipe.1784" tab
    3⤵
    PID:368
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5340 -childID 4 -isForBrowser -prefsHandle 5348 -prefMapHandle 5352 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {314fdd98-a4b6-45b2-bae9-eda456235682} 1784 "\\.\pipe\gecko-crash-server-pipe.1784" tab
    3⤵
    PID:1756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5528 -childID 5 -isForBrowser -prefsHandle 5608 -prefMapHandle 5536 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3413f2cb-6c3a-45a5-bba1-89a5a6be4ea3} 1784 "\\.\pipe\gecko-crash-server-pipe.1784" tab
    3⤵
    PID:3628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5940 -childID 6 -isForBrowser -prefsHandle 5976 -prefMapHandle 5380 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ec2c262-890e-4762-9df9-544d9f799cc2} 1784 "\\.\pipe\gecko-crash-server-pipe.1784" tab
    3⤵
    PID:4592

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x380
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\entropy.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4348

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1520

C:\Users\Admin\Desktop\entropy\entropy.exe
"C:\Users\Admin\Desktop\entropy\entropy.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:4816
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\Desktop\entropy\entropy.exe
  2⤵
  - Views/modifies file attributes
  PID:3576
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Views/modifies file attributes
  PID:4920
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1092

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap27023:72:7zEvent15095
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulte9ef0794h7b63h4648hbf55h48a47acbc3b0
1⤵
PID:5440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffd94b646f8,0x7ffd94b64708,0x7ffd94b64718
  2⤵
  PID:5468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,8963778052303490449,10945650118398641992,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:5692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,8963778052303490449,10945650118398641992,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,8963778052303490449,10945650118398641992,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
  2⤵
  PID:5776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:5796

C:\Users\Admin\Desktop\entropy\entropy.exe
"C:\Users\Admin\Desktop\entropy\entropy.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:5968
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\Desktop\entropy\entropy.exe
  2⤵
  - Views/modifies file attributes
  PID:5152
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Views/modifies file attributes
  PID:3684
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7b4fe6acf6e968ae1d32569164af4c9f

SHA1
1662df61bf2b5951de4dfc6f0a56e0dfbda891d6

SHA256
5133fe57026bf6219165b755747ebded6df44a40bb0238545a39a976e70a1dcc

SHA512
e06060a120e229bc7bcf315c4a58f09ee39b1aae3a80cb7e3a2bccfc06214b3423a8514c49e31d2ee7323bc79c3a7589f5adc2cbe928fd089ff82d7e962e2c17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
41bbc1ba201ceb82dc35af27a7110f76

SHA1
945b7676a592c4b025a189441b62df74916562cb

SHA256
dc540a261007396633ed4563c14e187a10e586015fd89cceec5e34beb5cc4880

SHA512
a573c4202953d21b9b5a0e55539e1468e8a7500b772526d3fceef438f9c6ae6e8f94266a934802c51acff8123a25150634a733a112d292bcd6a1600ac2a29376

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\activity-stream.discovery_stream.json

Filesize
30KB

MD5
b2214b560f7dda783ad791209ce0856c

SHA1
47b1c8ccbfc98c1dc0c188e0c46de7a15288ec99

SHA256
4725a3a6ae1d422ea0f3984387baea8ec9cbc7676a1e538d2dc0d533fda3cbcf

SHA512
b88cb4aa70619f66e57db013d09838f6c8d4c32ed1598c6119e207bba1b574c6783045d0842780a61b7e391ffbfc6ed82f82b0a12514233596c65716a6827718

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\AlternateServices.bin

Filesize
6KB

MD5
7cba82be8c450e4acef2b78fda908907

SHA1
0357a96ab82ce0c3431e99bed19bf23cb54e0628

SHA256
672ecb9eef2dc3e561f81010177e5d58e2d3b5658b3ffb5f6ff355c9cdb084cb

SHA512
153bca81a10873184955821d268fcbfea2ac87d3596b19defcebae02b7d9c871c2b776cb90a9de12ac6888066ab5547230b35776c481aad7e97e005d1b48fde9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\AlternateServices.bin

Filesize
8KB

MD5
9512f360f8365256df507afe475ba21d

SHA1
434ef6b519170545aed514e8174b3f8f356fdb47

SHA256
9e526f5e8c24048e0e657f1d7ba471458651d59f9c6fea643416e77fffc117be

SHA512
ddd952df3dbe9d54308d35bda3f42c6bf25e2eb3921e65ff9d3579e45c788d3e00161d9fc3f0a8a730737c8a8651c7750e3b2574d85cc60d18f6696d0861ec71

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
80bd44b51cf0c2439dc62979a46144c4

SHA1
43924b3cbc194bc0e14e03e2eb718dfa6a47044e

SHA256
ece509c4468c1dd8688492496267ccd083deccddf027b72c6ac7892d6e3494c6

SHA512
a3df039e1e666dab9fa6488f604575f1681e942be60cff7a325211d0b83989efae339a5c029e52f83e7a379284cec645e7afedb8c9604d0aded2c899e1e8ca5e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
9e1b22c548c1a969cad956d24df0b2b3

SHA1
53a7726d8e192e1c428f4d5b919a54bf7bdaaf72

SHA256
c025fb2213372ec4564816112a752db9b5018eb2c6000d0c1ad1949976b013cb

SHA512
b4793225f345d25aa65f90d068737a6ab9245d49a832152ed742566b628509a1f709d73e9060839465811780055e04d0b5ad32620576cdb5dea0f648ef88d7f3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
2e33a82364df9cf072221aa098d48868

SHA1
3ebdfd501cb0ee90e318fb89d18ada10f88d681b

SHA256
9816609ad687456c4ed4ad6bcd56f8d2fd512f7f82675a916d31488dbb4e8009

SHA512
8b2dc276473740b99864f2329beda96069c6bd078d4a7f4e400cf4feafe5c00332ddcd9557b9dd8c6e0ae9f7cb78373149823fca6d89755fd85918263e744484

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\9b730351-ea25-40c6-ac4b-365f66531555

Filesize
27KB

MD5
5ab4a293ba7e191330b8c764435fc764

SHA1
53979457c23f118f93d11127937eee46d6cc7d14

SHA256
c02977c946ae5ac36d1fe962b957b1abeb7972f302aff223b5f17b94fef5b645

SHA512
536002bc0d01bcb60ec138646018d3d3114c9ba0fa1f2d777ef03646df68f98551e7a7061f8524afac165076e02a852af46544c0e0dee4610dac52982ba3a76e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\b9b7ddf4-114a-48d7-95c3-9cdc3b814a20

Filesize
671B

MD5
15ebd883040845f29163fb3de849af38

SHA1
e150fd8dda2882699216cc5625917c18614667a3

SHA256
677a81a0f64be9d3cf171ce79fbdb85cab70c2987efc5250a3563e49e0c3e456

SHA512
1aca39e0586ee39cd2857df40cf11b6ad8a019c29898807798a85fe7907ae4868f9704f3439bd94c31926272db7731fa4c29f8a3cf46b8bcda018ec12e3fe015

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\f6c40867-458c-4157-80ec-5f9cf830c856

Filesize
982B

MD5
d46facf283a5be1ec7464ff5abf205c9

SHA1
8e121afb032f31134924d3729d8bd9ef99d1d6f1

SHA256
2bba961ce37c78e8c9a1535fd6f2c4994d2cf27e4e23bfca5d683a0d1beab558

SHA512
01181c28314843233cab52f8bbda0768d557dc04ce8de781ffe88ad35ee8a6469fd9d174de43198423e31601335dff705418aeb619b28a8d3d83b216c838d0a4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\prefs-1.js

Filesize
11KB

MD5
f6d5ccace025cde29a7cad478e1f5c9e

SHA1
b119de470f7d8131503f36b3dfe10587bff0a14e

SHA256
85f8e833526c14d257fe5f8357fedf4aea08293ba0438e156b533d9cfab77320

SHA512
1ab7ccddde06a00f388f10f9ba8fd9707ea2af1619b6b56c466c3606d2eca9119589e3536c5b2cb89e039035bd6551ed8c93af66feb95cf187381e93250135cf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\prefs.js

Filesize
11KB

MD5
546a1adcd4bd94c76f73df3a609b7b46

SHA1
dc841c2df463b1165b448870755e3b84e7f522c8

SHA256
d26edd9da06ca833d4bbd3dc243655facfb357352a6b0101f153e4c9a48dc2e8

SHA512
80005c695eaea60f59daf9c765f5d4707eeb697c0a5ea7adf3ac697a087f5757c33c6ddcdb5a0d8c72c2ca9d0fd2426c1eb0d83bfbaa34db7b7852dacc1a7c3b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\storage\default\https+++mega.nz\cache\morgue\195\{e9456474-cf97-475d-8f0d-45e25724bcc3}.final

Filesize
1KB

MD5
3efa9abd92666265dd81c4f4311a96f9

SHA1
41b6b716d67b93555e444cd453f3c6e3f8c9522c

SHA256
5066b1841e8877db31312ef3af86f9bc9234c95071119e025764f45241a4e2e7

SHA512
5961950f077501608a0f2975e7f69c483eeacc4eec4ac77fd650cc1131609501f87819f93ed23aa508a90426156abf038a859fac4112d2d4435bbb634027cd6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\storage\default\https+++mega.nz\idb\3713173747_s_edmban.sqlite

Filesize
48KB

MD5
c0704826b4c5471d3320fcb1cc5db54f

SHA1
6ce79178c32abba895189d3ceadfeaf95ed80921

SHA256
4b9ebeee114b40e89c6ca8701afd50a49677017c780ef516787ed0a08c45fd9e

SHA512
e4614b4a3552e5893ba1e7655f9891521981de747679e3b6d033cbe0db936e4a7b6b23191480f5cf76d5b077f19bb33c726056e78877489f8603e73d6ced7ec9

Download Submit
C:\Users\Admin\Desktop\entropy\entropy.exe

Filesize
14.2MB

MD5
3dcf58ff02a0049f25ff30aace85ac1d

SHA1
6aaf7782fdcb4b88a81f2e952a07738d30009346

SHA256
1a163088b132afd5dea5565bc90c0013b22a40e0ec1495dd291e634498c6cb80

SHA512
76a643f177c1ed3e76af60c4fd072f54ca19d38f62cbadb14db49dae09d0e8f805a2675e21024a1c0cb23b25bb98b6a9102e26ef7da4bad567d2bbc01f3a8a93

Download Submit
C:\Users\Admin\Downloads\entropy.60J8c0bb.rar.part

Filesize
23.2MB

MD5
86d7a2931e759ff1281de13b6396df99

SHA1
ca4bf2b8e506388027c6c434caaca616149d1353

SHA256
07b53a74ef1ba3a5bde939eaafb2dd81cdfa246dd6e1a41b0029e45e1c83c9f6

SHA512
a196748d0c42103a1732e5b35d4951d6f7838c1a8dbb304d2df909fd3f4da8b80cd018f9e10a071080da4372dcc433f18fa3c900962485430b53fc329590bf3e

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit