teslacrypt | 9b1622602d4ae8196316deeb91fbdd1346a4b31453f3762be119e24c84827217

max time kernel
1292s
max time network
1292s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 06:07

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe
Size

388KB
MD5

a0340430d4b1c1f6dd4048ab98f2e4b2
SHA1

a43ff275972b4ed9b7f3ece61d7d49375db635e9
SHA256

9b1622602d4ae8196316deeb91fbdd1346a4b31453f3762be119e24c84827217
SHA512

54ca85bee0ded2a742c767565159c0e3121d8cd1d97cebc751d067b1ea45d9fca86b6d5acad5b472eddef23d20afcc8ae3497cdd411fd9f393d80e0c90f2cd8d
SSDEEP

12288:XhTjRwlkwFrnAEryLFcG3yBrZTRDgZ8zOhG6:p4DRw7325gPh

Score

10^/10

teslacrypt defense_evasion discovery evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+sbowq.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/CCD5E7F08AF2C724 2. http://kkd47eh4hdjshb5t.angortra.at/CCD5E7F08AF2C724 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/CCD5E7F08AF2C724 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/CCD5E7F08AF2C724 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/CCD5E7F08AF2C724 http://kkd47eh4hdjshb5t.angortra.at/CCD5E7F08AF2C724 http://ytrest84y5i456hghadefdsd.pontogrot.com/CCD5E7F08AF2C724 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/CCD5E7F08AF2C724

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/CCD5E7F08AF2C724

http://kkd47eh4hdjshb5t.angortra.at/CCD5E7F08AF2C724

http://ytrest84y5i456hghadefdsd.pontogrot.com/CCD5E7F08AF2C724

http://xlowfznrg4wf7dli.ONION/CCD5E7F08AF2C724

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (428) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
evasion

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2024	cmd.exe

Drops startup file 6 IoCs

Processes:

lkrjuaskummm.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+sbowq.png	lkrjuaskummm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+sbowq.txt	lkrjuaskummm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+sbowq.html	lkrjuaskummm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+sbowq.png	lkrjuaskummm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+sbowq.txt	lkrjuaskummm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+sbowq.html	lkrjuaskummm.exe

Executes dropped EXE 2 IoCs

Processes:

lkrjuaskummm.exelkrjuaskummm.exe

pid	Process
2940	lkrjuaskummm.exe
1936	lkrjuaskummm.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

lkrjuaskummm.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\chisgjvixrxn = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\lkrjuaskummm.exe\""	lkrjuaskummm.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

000.exe

description	ioc	Process
File opened (read-only)	\??\B:	000.exe
File opened (read-only)	\??\G:	000.exe
File opened (read-only)	\??\K:	000.exe
File opened (read-only)	\??\O:	000.exe
File opened (read-only)	\??\T:	000.exe
File opened (read-only)	\??\A:	000.exe
File opened (read-only)	\??\U:	000.exe
File opened (read-only)	\??\V:	000.exe
File opened (read-only)	\??\Q:	000.exe
File opened (read-only)	\??\I:	000.exe
File opened (read-only)	\??\J:	000.exe
File opened (read-only)	\??\L:	000.exe
File opened (read-only)	\??\M:	000.exe
File opened (read-only)	\??\P:	000.exe
File opened (read-only)	\??\R:	000.exe
File opened (read-only)	\??\W:	000.exe
File opened (read-only)	\??\E:	000.exe
File opened (read-only)	\??\Y:	000.exe
File opened (read-only)	\??\N:	000.exe
File opened (read-only)	\??\S:	000.exe
File opened (read-only)	\??\X:	000.exe
File opened (read-only)	\??\Z:	000.exe
File opened (read-only)	\??\H:	000.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

Processes:

flow	ioc
335	raw.githubusercontent.com
338	raw.githubusercontent.com
346	camo.githubusercontent.com
348	camo.githubusercontent.com
480	drive.google.com
336	raw.githubusercontent.com
337	raw.githubusercontent.com
345	camo.githubusercontent.com
347	camo.githubusercontent.com
479	drive.google.com
481	drive.google.com
482	drive.google.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

000.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\Wallpaper	000.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exelkrjuaskummm.exe

description	pid	Process	procid_target
PID 2448 set thread context of 2652	2448	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	31
PID 2940 set thread context of 1936	2940	lkrjuaskummm.exe	35

Drops file in Program Files directory 64 IoCs

Processes:

lkrjuaskummm.exe

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\play-background.png	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\Recovery+sbowq.txt	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\flyout.css	lkrjuaskummm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Subpicture1.png	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\currency.css	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\Recovery+sbowq.txt	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_docked.png	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\Recovery+sbowq.txt	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\ja-JP\Recovery+sbowq.png	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\Recovery+sbowq.png	lkrjuaskummm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\Recovery+sbowq.txt	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\36.png	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\Recovery+sbowq.png	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\Recovery+sbowq.html	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\Recovery+sbowq.txt	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\Recovery+sbowq.txt	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\Recovery+sbowq.png	lkrjuaskummm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Recovery+sbowq.html	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\Recovery+sbowq.html	lkrjuaskummm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\Recovery+sbowq.html	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\Recovery+sbowq.html	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\Recovery+sbowq.png	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\Recovery+sbowq.txt	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\Recovery+sbowq.png	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\Recovery+sbowq.txt	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\Recovery+sbowq.html	lkrjuaskummm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\Recovery+sbowq.txt	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\localizedSettings.css	lkrjuaskummm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\Recovery+sbowq.txt	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Recovery+sbowq.png	lkrjuaskummm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\Recovery+sbowq.html	lkrjuaskummm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\Recovery+sbowq.txt	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\Recovery+sbowq.png	lkrjuaskummm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\Recovery+sbowq.txt	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Common Files\Recovery+sbowq.txt	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Recovery+sbowq.png	lkrjuaskummm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\Recovery+sbowq.png	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Recovery+sbowq.txt	lkrjuaskummm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\Recovery+sbowq.txt	lkrjuaskummm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\Recovery+sbowq.png	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_hov.png	lkrjuaskummm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\Recovery+sbowq.txt	lkrjuaskummm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\button-highlight.png	lkrjuaskummm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-static.png	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\Recovery+sbowq.png	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\Recovery+sbowq.png	lkrjuaskummm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eo\Recovery+sbowq.html	lkrjuaskummm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\Recovery+sbowq.txt	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\Recovery+sbowq.png	lkrjuaskummm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-next-static.png	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\Recovery+sbowq.html	lkrjuaskummm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\Recovery+sbowq.png	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\8.png	lkrjuaskummm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop_PAL.wmv	lkrjuaskummm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\Recovery+sbowq.png	lkrjuaskummm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\Recovery+sbowq.html	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\RSSFeeds.js	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\Recovery+sbowq.png	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Common Files\System\Recovery+sbowq.txt	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\Recovery+sbowq.html	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_down.png	lkrjuaskummm.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\Recovery+sbowq.html	lkrjuaskummm.exe

Drops file in Windows directory 2 IoCs

Processes:

a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe

description	ioc	Process
File created	C:\Windows\lkrjuaskummm.exe	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe
File opened for modification	C:\Windows\lkrjuaskummm.exe	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

NOTEPAD.EXEa0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe000.exelkrjuaskummm.execmd.exeDllHost.exeIEXPLORE.EXEcmd.exeAcroRd32.exetaskkill.exetaskkill.exea0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exeWMIC.execmd.exeWMIC.exeshutdown.exelkrjuaskummm.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lkrjuaskummm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lkrjuaskummm.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Kills process with taskkill 2 IoCs

evasion

Processes:

taskkill.exetaskkill.exe

pid	Process
3772	taskkill.exe
4012	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{10333C81-ABE0-11EF-BBB7-C6DA928D33CD} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438778298"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf600000000020000000000106600000001000020000000b24cfb5670e7a690a820cc22bd90cb44e9dda33883dfd3cfb67306a4e2b56290000000000e8000000002000020000000ace38bc4100ddadb82dae7a53e26ac9fdda65e181f279452738b52337a0626de200000000ecdc3d80ee6122a6a487909efd6811046bfaac20b73ea4937711281e7fcbac640000000f9ac01e627e572f802224042cfa6affca9ab46c57f02ee3e96dd6f4b35668f85d939be632652fa62eb52eab9361f8e8e5e39f306981cb09f48e0f28080083056	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf600000000020000000000106600000001000020000000065c5b3eae995cbdb6a29737133b172c15b25b5047671c6f64eb476b9d180abe000000000e800000000200002000000086d46016ec1ff90262d9635f328e664bc60e57a095cbbaf0e0947a3c90bc9f9390000000be13818c8fda8853232442f398dbd9dd622b08a77c09d63bbfe528f29e8de10ee1afa02ce8e71b8f57a3407e10129a674f2419b8002da2f25e246bfc3be3acfedfcb62f1273d0224b1c0a38ce37d7e9d094ffae426b11c1e68ff01e1f07a1fd0e46a539d5496e7ed79a20ad939a406634f0bd6b91891c9a64b995ffb1512ae5a7f1756cc8bf6e7567f472105ef6ee751400000007bc0b1a42424d52c2e0192aa404c392d6e5c952b96ca8aa8f2623696a475cabe109f46ea10371e3808ab503d089dda3db3d80bf782787c6a4308fc097fb1eff2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50abb6e4ec3fdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Modifies registry class 5 IoCs

Processes:

firefox.exerundll32.exerundll32.exerundll32.exe000.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"	000.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

lkrjuaskummm.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	lkrjuaskummm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	lkrjuaskummm.exe

NTFS ADS 3 IoCs

Processes:

firefox.exe

description	ioc	Process
File created	C:\Users\Admin\Downloads\NoEscape.7z:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\000(1).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\000.zip:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
1876	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

lkrjuaskummm.exe

pid	Process
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe
1936	lkrjuaskummm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exelkrjuaskummm.exeWMIC.exeWMIC.exechrome.exechrome.exechrome.exefirefox.exetaskkill.exetaskkill.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	2652	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	lkrjuaskummm.exe
Token: SeIncreaseQuotaPrivilege	2020	WMIC.exe
Token: SeSecurityPrivilege	2020	WMIC.exe
Token: SeTakeOwnershipPrivilege	2020	WMIC.exe
Token: SeLoadDriverPrivilege	2020	WMIC.exe
Token: SeSystemProfilePrivilege	2020	WMIC.exe
Token: SeSystemtimePrivilege	2020	WMIC.exe
Token: SeProfSingleProcessPrivilege	2020	WMIC.exe
Token: SeIncBasePriorityPrivilege	2020	WMIC.exe
Token: SeCreatePagefilePrivilege	2020	WMIC.exe
Token: SeBackupPrivilege	2020	WMIC.exe
Token: SeRestorePrivilege	2020	WMIC.exe
Token: SeShutdownPrivilege	2020	WMIC.exe
Token: SeDebugPrivilege	2020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2020	WMIC.exe
Token: SeRemoteShutdownPrivilege	2020	WMIC.exe
Token: SeUndockPrivilege	2020	WMIC.exe
Token: SeManageVolumePrivilege	2020	WMIC.exe
Token: 33	2020	WMIC.exe
Token: 34	2020	WMIC.exe
Token: 35	2020	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1132	WMIC.exe
Token: SeSecurityPrivilege	1132	WMIC.exe
Token: SeTakeOwnershipPrivilege	1132	WMIC.exe
Token: SeLoadDriverPrivilege	1132	WMIC.exe
Token: SeSystemProfilePrivilege	1132	WMIC.exe
Token: SeSystemtimePrivilege	1132	WMIC.exe
Token: SeProfSingleProcessPrivilege	1132	WMIC.exe
Token: SeIncBasePriorityPrivilege	1132	WMIC.exe
Token: SeCreatePagefilePrivilege	1132	WMIC.exe
Token: SeBackupPrivilege	1132	WMIC.exe
Token: SeRestorePrivilege	1132	WMIC.exe
Token: SeShutdownPrivilege	1132	WMIC.exe
Token: SeDebugPrivilege	1132	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1132	WMIC.exe
Token: SeRemoteShutdownPrivilege	1132	WMIC.exe
Token: SeUndockPrivilege	1132	WMIC.exe
Token: SeManageVolumePrivilege	1132	WMIC.exe
Token: 33	1132	WMIC.exe
Token: 34	1132	WMIC.exe
Token: 35	1132	WMIC.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeDebugPrivilege	1020	firefox.exe
Token: SeDebugPrivilege	1020	firefox.exe
Token: SeDebugPrivilege	1020	firefox.exe
Token: SeDebugPrivilege	1020	firefox.exe
Token: SeDebugPrivilege	1020	firefox.exe
Token: SeDebugPrivilege	4012	taskkill.exe
Token: SeDebugPrivilege	3772	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3952	WMIC.exe
Token: SeSecurityPrivilege	3952	WMIC.exe
Token: SeTakeOwnershipPrivilege	3952	WMIC.exe
Token: SeLoadDriverPrivilege	3952	WMIC.exe
Token: SeSystemProfilePrivilege	3952	WMIC.exe
Token: SeSystemtimePrivilege	3952	WMIC.exe
Token: SeProfSingleProcessPrivilege	3952	WMIC.exe
Token: SeIncBasePriorityPrivilege	3952	WMIC.exe
Token: SeCreatePagefilePrivilege	3952	WMIC.exe
Token: SeBackupPrivilege	3952	WMIC.exe
Token: SeRestorePrivilege	3952	WMIC.exe
Token: SeShutdownPrivilege	3952	WMIC.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

iexplore.exeDllHost.exefirefox.exe

pid	Process
2020	iexplore.exe
3020	DllHost.exe
3020	DllHost.exe
1020	firefox.exe
1020	firefox.exe
1020	firefox.exe
1020	firefox.exe
1020	firefox.exe
1020	firefox.exe
1020	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid	Process
1020	firefox.exe
1020	firefox.exe
1020	firefox.exe

Suspicious use of SetWindowsHookEx 38 IoCs

Processes:

iexplore.exeIEXPLORE.EXEDllHost.exefirefox.exeAcroRd32.exe000.exe

pid	Process
2020	iexplore.exe
2020	iexplore.exe
2176	IEXPLORE.EXE
2176	IEXPLORE.EXE
3020	DllHost.exe
3020	DllHost.exe
3020	DllHost.exe
3020	DllHost.exe
3020	DllHost.exe
3020	DllHost.exe
2176	IEXPLORE.EXE
2176	IEXPLORE.EXE
2020	iexplore.exe
1020	firefox.exe
1020	firefox.exe
1020	firefox.exe
1020	firefox.exe
1020	firefox.exe
1020	firefox.exe
1020	firefox.exe
1020	firefox.exe
1020	firefox.exe
1020	firefox.exe
1020	firefox.exe
1020	firefox.exe
1020	firefox.exe
1020	firefox.exe
1020	firefox.exe
348	AcroRd32.exe
348	AcroRd32.exe
1020	firefox.exe
1020	firefox.exe
1020	firefox.exe
1020	firefox.exe
1020	firefox.exe
1020	firefox.exe
4008	000.exe
4008	000.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exea0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exelkrjuaskummm.exelkrjuaskummm.exeiexplore.exechrome.exechrome.exechrome.exefirefox.exe

description	pid	Process	procid_target
PID 2448 wrote to memory of 2652	2448	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	31
PID 2448 wrote to memory of 2652	2448	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	31
PID 2448 wrote to memory of 2652	2448	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	31
PID 2448 wrote to memory of 2652	2448	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	31
PID 2448 wrote to memory of 2652	2448	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	31
PID 2448 wrote to memory of 2652	2448	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	31
PID 2448 wrote to memory of 2652	2448	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	31
PID 2448 wrote to memory of 2652	2448	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	31
PID 2448 wrote to memory of 2652	2448	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	31
PID 2448 wrote to memory of 2652	2448	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	31
PID 2448 wrote to memory of 2652	2448	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	31
PID 2652 wrote to memory of 2940	2652	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	32
PID 2652 wrote to memory of 2940	2652	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	32
PID 2652 wrote to memory of 2940	2652	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	32
PID 2652 wrote to memory of 2940	2652	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	32
PID 2652 wrote to memory of 2024	2652	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	33
PID 2652 wrote to memory of 2024	2652	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	33
PID 2652 wrote to memory of 2024	2652	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	33
PID 2652 wrote to memory of 2024	2652	a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe	33
PID 2940 wrote to memory of 1936	2940	lkrjuaskummm.exe	35
PID 2940 wrote to memory of 1936	2940	lkrjuaskummm.exe	35
PID 2940 wrote to memory of 1936	2940	lkrjuaskummm.exe	35
PID 2940 wrote to memory of 1936	2940	lkrjuaskummm.exe	35
PID 2940 wrote to memory of 1936	2940	lkrjuaskummm.exe	35
PID 2940 wrote to memory of 1936	2940	lkrjuaskummm.exe	35
PID 2940 wrote to memory of 1936	2940	lkrjuaskummm.exe	35
PID 2940 wrote to memory of 1936	2940	lkrjuaskummm.exe	35
PID 2940 wrote to memory of 1936	2940	lkrjuaskummm.exe	35
PID 2940 wrote to memory of 1936	2940	lkrjuaskummm.exe	35
PID 2940 wrote to memory of 1936	2940	lkrjuaskummm.exe	35
PID 1936 wrote to memory of 2020	1936	lkrjuaskummm.exe	36
PID 1936 wrote to memory of 2020	1936	lkrjuaskummm.exe	36
PID 1936 wrote to memory of 2020	1936	lkrjuaskummm.exe	36
PID 1936 wrote to memory of 2020	1936	lkrjuaskummm.exe	36
PID 1936 wrote to memory of 1876	1936	lkrjuaskummm.exe	41
PID 1936 wrote to memory of 1876	1936	lkrjuaskummm.exe	41
PID 1936 wrote to memory of 1876	1936	lkrjuaskummm.exe	41
PID 1936 wrote to memory of 1876	1936	lkrjuaskummm.exe	41
PID 1936 wrote to memory of 2020	1936	lkrjuaskummm.exe	42
PID 1936 wrote to memory of 2020	1936	lkrjuaskummm.exe	42
PID 1936 wrote to memory of 2020	1936	lkrjuaskummm.exe	42
PID 1936 wrote to memory of 2020	1936	lkrjuaskummm.exe	42
PID 2020 wrote to memory of 2176	2020	iexplore.exe	44
PID 2020 wrote to memory of 2176	2020	iexplore.exe	44
PID 2020 wrote to memory of 2176	2020	iexplore.exe	44
PID 2020 wrote to memory of 2176	2020	iexplore.exe	44
PID 1936 wrote to memory of 1132	1936	lkrjuaskummm.exe	45
PID 1936 wrote to memory of 1132	1936	lkrjuaskummm.exe	45
PID 1936 wrote to memory of 1132	1936	lkrjuaskummm.exe	45
PID 1936 wrote to memory of 1132	1936	lkrjuaskummm.exe	45
PID 1936 wrote to memory of 1568	1936	lkrjuaskummm.exe	49
PID 1936 wrote to memory of 1568	1936	lkrjuaskummm.exe	49
PID 1936 wrote to memory of 1568	1936	lkrjuaskummm.exe	49
PID 1936 wrote to memory of 1568	1936	lkrjuaskummm.exe	49
PID 2228 wrote to memory of 1976	2228	chrome.exe	54
PID 2228 wrote to memory of 1976	2228	chrome.exe	54
PID 2228 wrote to memory of 1976	2228	chrome.exe	54
PID 2264 wrote to memory of 856	2264	chrome.exe	56
PID 2264 wrote to memory of 856	2264	chrome.exe	56
PID 2264 wrote to memory of 856	2264	chrome.exe	56
PID 848 wrote to memory of 2888	848	chrome.exe	58
PID 848 wrote to memory of 2888	848	chrome.exe	58
PID 848 wrote to memory of 2888	848	chrome.exe	58
PID 592 wrote to memory of 1020	592	firefox.exe	60

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

lkrjuaskummm.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lkrjuaskummm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	lkrjuaskummm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Users\Admin\AppData\Local\Temp\a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a0340430d4b1c1f6dd4048ab98f2e4b2_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\lkrjuaskummm.exe
    C:\Windows\lkrjuaskummm.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\lkrjuaskummm.exe
      C:\Windows\lkrjuaskummm.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1936
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:1876
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2020
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2020 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2176
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\LKRJUA~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1568
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\A03404~1.EXE
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2024

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6679758,0x7fef6679768,0x7fef6679778
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6679758,0x7fef6679768,0x7fef6679778
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6679758,0x7fef6679768,0x7fef6679778
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2888

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:592
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1020.0.342504047\1086879384" -parentBuildID 20221007134813 -prefsHandle 1240 -prefMapHandle 1228 -prefsLen 17985 -prefMapSize 230273 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c63e3a55-ed9c-45f8-80de-e11fd98899a0} 1020 "\\.\pipe\gecko-crash-server-pipe.1020" 1296 f8db658 socket
    3⤵
    PID:3000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1020.1.354590603\487065518" -parentBuildID 20221007134813 -prefsHandle 1516 -prefMapHandle 1060 -prefsLen 19080 -prefMapSize 230273 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d722dba-7f53-4342-a6cd-09868f8b3a88} 1020 "\\.\pipe\gecko-crash-server-pipe.1020" 1624 f8db958 gpu
    3⤵
    PID:2432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1020.2.1607657263\1756973224" -childID 1 -isForBrowser -prefsHandle 2376 -prefMapHandle 1152 -prefsLen 20143 -prefMapSize 230273 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5e89fe4-4705-4247-b642-f6460192c9c6} 1020 "\\.\pipe\gecko-crash-server-pipe.1020" 2388 15843358 tab
    3⤵
    PID:684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1020.3.955497798\2079159001" -childID 2 -isForBrowser -prefsHandle 2608 -prefMapHandle 2600 -prefsLen 21336 -prefMapSize 230273 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4e8bd1e-41d8-4c3d-af93-5084d3a0d6c8} 1020 "\\.\pipe\gecko-crash-server-pipe.1020" 2772 1c56a258 tab
    3⤵
    PID:1728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1020.4.1586840408\1898741083" -parentBuildID 20221007134813 -prefsHandle 2920 -prefMapHandle 2688 -prefsLen 22476 -prefMapSize 230273 -appDir "C:\Program Files\Mozilla Firefox\browser" - {957908d7-faed-449f-8eb5-2abdb247aae5} 1020 "\\.\pipe\gecko-crash-server-pipe.1020" 2612 1d7bcb58 rdd
    3⤵
    PID:2496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1020.5.1283551075\1692640946" -childID 3 -isForBrowser -prefsHandle 3112 -prefMapHandle 3124 -prefsLen 27197 -prefMapSize 230273 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b46606fa-8232-4e26-81ef-00e9de6f72be} 1020 "\\.\pipe\gecko-crash-server-pipe.1020" 3192 1c56cc58 tab
    3⤵
    PID:2320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1020.6.725497469\1955849271" -childID 4 -isForBrowser -prefsHandle 2524 -prefMapHandle 2628 -prefsLen 28330 -prefMapSize 230273 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7049a2d2-0abd-4674-bd14-437bfbf2b5f1} 1020 "\\.\pipe\gecko-crash-server-pipe.1020" 3804 ff09858 tab
    3⤵
    PID:3044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1020.7.482372387\1917217675" -childID 5 -isForBrowser -prefsHandle 4272 -prefMapHandle 4276 -prefsLen 28330 -prefMapSize 230273 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {066416b2-4146-4bbc-849d-6ced62601f07} 1020 "\\.\pipe\gecko-crash-server-pipe.1020" 4260 15aae258 tab
    3⤵
    PID:3056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1020.8.862445980\926980135" -childID 6 -isForBrowser -prefsHandle 4448 -prefMapHandle 4452 -prefsLen 28330 -prefMapSize 230273 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3606b15-ddaf-4a60-a64c-5955ac779c6e} 1020 "\\.\pipe\gecko-crash-server-pipe.1020" 4436 1eaa4f58 tab
    3⤵
    PID:2480
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1020.9.248539647\170075041" -childID 7 -isForBrowser -prefsHandle 2904 -prefMapHandle 3028 -prefsLen 28761 -prefMapSize 230273 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {58e21dea-4d25-4eb1-b25e-70b798fce905} 1020 "\\.\pipe\gecko-crash-server-pipe.1020" 2116 235de958 tab
    3⤵
    PID:3176
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1020.10.108072774\786061596" -childID 8 -isForBrowser -prefsHandle 4072 -prefMapHandle 8560 -prefsLen 28761 -prefMapSize 230273 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {47ae36f4-d0bd-465d-ae26-bd387c0ab159} 1020 "\\.\pipe\gecko-crash-server-pipe.1020" 8448 10030b58 tab
    3⤵
    PID:3868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1020.11.905108072\1658333663" -childID 9 -isForBrowser -prefsHandle 1448 -prefMapHandle 1456 -prefsLen 29306 -prefMapSize 230273 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cba55042-0bf1-40c4-90c6-b31928f47496} 1020 "\\.\pipe\gecko-crash-server-pipe.1020" 3764 249e5e58 tab
    3⤵
    PID:268
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1020.12.1287448891\661885134" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 8180 -prefMapHandle 8176 -prefsLen 29306 -prefMapSize 230273 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfe0f45e-ea2f-4f6f-8489-5d6050d37405} 1020 "\\.\pipe\gecko-crash-server-pipe.1020" 2872 2353b558 utility
    3⤵
    PID:3604
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1020.13.1475894271\1526854308" -childID 10 -isForBrowser -prefsHandle 7936 -prefMapHandle 7944 -prefsLen 29306 -prefMapSize 230273 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b0ad159-836e-4ecd-acbf-900bf1c321cb} 1020 "\\.\pipe\gecko-crash-server-pipe.1020" 7924 23628958 tab
    3⤵
    PID:3636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1020.14.834306773\1164488006" -childID 11 -isForBrowser -prefsHandle 4180 -prefMapHandle 4300 -prefsLen 29306 -prefMapSize 230273 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb4f5453-af87-493e-921c-7a3857e8bb84} 1020 "\\.\pipe\gecko-crash-server-pipe.1020" 4552 21a59c58 tab
    3⤵
    PID:3544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1020.15.590666048\2011195838" -childID 12 -isForBrowser -prefsHandle 2116 -prefMapHandle 4456 -prefsLen 29306 -prefMapSize 230273 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b92ea43-559e-43a0-8aa1-fbcdced50289} 1020 "\\.\pipe\gecko-crash-server-pipe.1020" 8544 100a9d58 tab
    3⤵
    PID:1604
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1020.16.1021118244\1989836500" -childID 13 -isForBrowser -prefsHandle 2108 -prefMapHandle 8204 -prefsLen 29306 -prefMapSize 230273 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {63f4483f-9bda-4239-bf70-ba725405b54e} 1020 "\\.\pipe\gecko-crash-server-pipe.1020" 8452 e68d58 tab
    3⤵
    PID:2492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1020.17.1403917462\731761228" -childID 14 -isForBrowser -prefsHandle 7892 -prefMapHandle 7884 -prefsLen 29315 -prefMapSize 230273 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0dd87a0b-c5a3-4e56-82fe-0a1e7eb6bd78} 1020 "\\.\pipe\gecko-crash-server-pipe.1020" 7808 e2ff58 tab
    3⤵
    PID:1740

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\NoEscape.7z
1⤵
- Modifies registry class
PID:3356

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\NoEscape.7z
1⤵
- Modifies registry class
PID:3488
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\NoEscape.7z
  2⤵
  - Modifies registry class
  PID:1756
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\NoEscape.7z"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:348

C:\Users\Admin\AppData\Local\Temp\Temp1_000(1).zip\000.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_000(1).zip\000.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1356
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3772
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic useraccount where name='Admin' set FullName='UR NEXT'
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3952
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic useraccount where name='Admin' rename 'UR NEXT'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2944
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /f /r /t 0
    3⤵
    - System Location Discovery: System Language Discovery
    PID:620

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:3112

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+sbowq.html

Filesize
9KB

MD5
46655fe8e7b55f3709bd944308d62af9

SHA1
f994c70db7e51ef26eab11ac9d4505ca640aaec6

SHA256
29697f8cbb4437a27bf085e1cd532d7644ac30281da4e6fffa548ae61aad217d

SHA512
e5690fa16536ac3b5312fcd8831d81d78409ab36ad49fd847c535e3edcdc273d6b410a9ce0b98b7a6f6c96302d467073040b6395ca2be871ffb7cc7f87a734f2

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+sbowq.png

Filesize
63KB

MD5
53283c548673f8c6a54e35d3f59b963f

SHA1
03b1816057be6a9ef9cdf1fee8e42175f7d2d1ea

SHA256
d0c3299bf4e03e6ee04a37d703bad9491ecac7932a20a20fe98fbabc9c82fa03

SHA512
11f8df81062af45991190145028b97d768eaf8c81e8240c16db7480efa6bcd819d1e4f4a7b5ecf6e59e24a5103cd795583251dbe4887beede3427c6697503dfe

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+sbowq.txt

Filesize
1KB

MD5
81433b4d0d4e438614e07bb6b4df1867

SHA1
5326db44b3c2f714eae2256894c366f3209f82d7

SHA256
9b3a555475370709c933cde2984e0959187926149208fec6c004c342bd3e4139

SHA512
591fae4a0cd9e1f97f59d10f50956dca0b2613d4c0e67b2da2336914d482a7a87eaf4364e8a90d25b8329ea84aac8ce173bfce1134c49b04393825e809cfc560

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
cf90cb42f9b9d792892f8b9d3755b175

SHA1
99969aef08a0fd7bcbbc8538457d050e55d9ce25

SHA256
dec9a71d97f56e0e8369193c01f9686d5dc7a4d8c98ffd5cf0da53d3d7e809ec

SHA512
9df79746bb2d8ba3e85b53a8b74faed0fa76e2d712604264f0d0cca609db8f5ee858d57c1d6448ae5b50dbb23669fd6bf1173eea18bb46db6d3410fa868ef390

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
07412af3fceaae2caef0f9ceebbd17b9

SHA1
66d72f74d4adfafe8e8f1f91ce929aba94bf8f10

SHA256
6a86df6b4d1b5c4511d29a16ff312fb0da6a124c745e89d41d044fcf7825f3b2

SHA512
799ca2985d0d9126fc3dfc6bedb047e7880add3c7b8df9c8c102d5948531437b8b85c81a1e3dd7185ebb7266221c3f4b0240408e1e766c13659c67b2a5732d01

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
9ace478b11efb874a2494569dc40842c

SHA1
6afee09dc29ba320a6f417b9c79d06054cda33e8

SHA256
ca0cd791a9d72e302709d5b0c8137561d1d05bb691e4dd3de4795aea5c3a1b4f

SHA512
659251c27dfc818a41f59de848781682a6b69eedf9ca2cd37ca51bbb26f6b799f3eddf674c03f99e1c6078e4047a8404e6a6d677c506a5c988bc8e369d2419bc

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json

Filesize
102B

MD5
7d1d7e1db5d8d862de24415d9ec9aca4

SHA1
f4cdc5511c299005e775dc602e611b9c67a97c78

SHA256
ffad3b0fb11fc38ea243bf3f73e27a6034860709b39bf251ef3eca53d4c3afda

SHA512
1688c6725a3607c7b80dfcd6a8bea787f31c21e3368b31cb84635b727675f426b969899a378bd960bd3f27866023163b5460e7c681ae1fcb62f7829b03456477

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
508c45764a0407a79ecad8b390408bbf

SHA1
140413b5979b6bc4f6a9a923506f65990ea4f214

SHA256
2bcf4cef8b55ae99c67b7f56273f5dabc7f7e9fa469b19030b2a7ca4a305a8fc

SHA512
83fb6677e41ca021a76c1c492e62a6331e2b8baec890131bd64b0c270292f5523b16ddc84ebe6a17984fdf7c249f08b341e6c030329e607e639ee966adf1b2f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
865e6598077173c24c409c3429260a8a

SHA1
0ee23e938c229ce3d4fd6510578b9e099bde73f9

SHA256
1a1811a9cfde42e1baaba41c66e9bd098b4280993efca846ca372e59c9dd641a

SHA512
17572a7a5a161cd8c3cbc01c661a0399c09fdf83e50d666194c257f75e306204878f29fc8758f5a69c30393cd23c071f07f655f1029dd38dabb0a31471383d2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8648bac4efc7f01de187e99d78945da5

SHA1
b3127a3dd043d97526d9edef829981af59c38c2a

SHA256
bb4fa10cfa9e90c22b2cb20aa257fbff977e6b357d314d28251b98ee665c7ec8

SHA512
7f21886158df7c1fcb06e003077479a2052228b9ec5313fa002ab62fec88b483877bd52348496300466421193d69e2e6ca833d78a26a6a0970c25a254e19e1ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26204458cc4711105afb4008b2d1d3a7

SHA1
54d55ce40943d58d71727aac8e8795930d90b8d5

SHA256
9a7d8a232256944b3ad8679523f17f1d79858c5131610b77260f7d72854151a2

SHA512
2fd95794c2ae2a21f3d3729f96e033459e3278e314e6ecb2182100b9ea9b94f16430fd26891cea627483d8b0a8e5bdbf27add63b607a981c00064b044b5acfd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
deecaade409afb6e83f218cb0e305ced

SHA1
17c60c53d9d43bae5d1134b69897731886d6afb5

SHA256
35881417a38e5d97cccdd8bdb3b24f893f564363adeb2e051e1f7e058c8a36e2

SHA512
0f727297a77be20312dfac9d51bbf22ccf025a345d24e6d3650fe6f5f63bd6ad24dcc3aee1838ffb3ff22ec7db33a083173ad02cfab2a858371311ff35df1752

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9ae96bc893431f9271d32a53f448dbb

SHA1
749d92b5efe1be475adb1a87c94613373aca8c5d

SHA256
b4f7352cb86d49101bb9f3ff677c47e84d88ca7254ed076f47e3d99c1d58f33b

SHA512
bb58f1be9561982a0e92497db6ee3d62b1d4479fda965a5508676e35cab46b605e3a9235c12aebce4ab56229b3a05b180ac527cc37fd4122ee851b9c3877ef34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65931a5544389c4234953a66bb0c21fc

SHA1
f1e15454726f8291919d2d027131df71f444988d

SHA256
29fef3e0d844bb92e98626cff8f701033b29a241bba4db9fac88e4989c19dddb

SHA512
dbef15279cf5d4a8208f8efe2a3d53fee514d5a8508caccc672b02a62420a380304b85ce0fa44325e2664701852d151bbac049e3221b1c28b82c33cdd538008a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06f14d40529d90a0a37f9a140f570cee

SHA1
60bb7b847b3bfd8dbabe88ce130cace0d77379dd

SHA256
ba7fc54a7febde0db72e04b988b92ce1971b31d2ec445af2a700a966fc3d9f64

SHA512
7ed93a69f7b085021435bf5eaae3ff52d55f45e45383b1807f1a2efcdf5615842a5217cc63177183ab1b50df048fb501a29bf47e7e50dba9251f9765f6ee62e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72bd487413248f7591b824807b026172

SHA1
2d19e13b17bc9a6e5db9f2a52215fed0f606c501

SHA256
c2514ee3f0827570ba6916b337bf2d2a4eab13f3d3711efd6d819d196a8bc977

SHA512
5bbfbcd398c2b214945859b7574d7aa82c924e0533ee36cf85cbf65b109f2ebba772943f17342e48aec8561a06919a89d88f6f00decb3feb79574ed2b5019053

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6ca85c34a033c9e50dc91e1a90fc55c

SHA1
64e99b68ee35811253e24bfe74e2e71bb1d8f9e7

SHA256
0150d9af10237ba8379e476d647f50f2de74f55e6021f36a2f75b0accea9caa1

SHA512
ff2cf776154150694210c68b24705f6bce11c4d140382345c2bd6e1bea0f4f1a2d01134f613ff87dbc82fdac0b9c4a66ab8ea3cd0431ac2d0fbedf752ac7e877

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32b24e22c6e22e9818df0a39156d1c61

SHA1
3043f5ee009ef5ff40878eb4daafd35d6947666a

SHA256
53f77d1adfd3fa25a013f6a780e7578dd6dc118d77820f39637e1e62591454b7

SHA512
559501f22f686c4ca97ab8c4c8b0614c08decec78e4aa1bdcbfa2d26f40796a6704be578e3de50fe3296f0fc6097f781ff4b158b7e55e369b6d598ed1b546c40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86bc099a0ce8f43c40b5e75408980500

SHA1
6262a14dbdd93948b6373181bf498cb0907fcfb8

SHA256
877f729555091f8bc58165738b1d47981b24abb313a179be97a532a418a1b119

SHA512
86d278c197f54e1196a02e481fa06d287880367f473e7aa76ebc08e901d2175d3bb45e5e94bf8dc8167fdaef954b9db77bd65aa03ed1a84a0754f1af8fc5b26b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e51e6c8aca54b95aba0dfc52fde73d1f

SHA1
955bc3d416d1b221a985d2520ad4cbe92afd1234

SHA256
18345765c14b5ae2b7a01d2f252a1e87c1c92577a95c3acdd6706c2f7b6c4dde

SHA512
8e10edf020d8de99ec9fa3364b278ce6f64535b6cef88c66e003b5eb2dc90cdd138dc855da408e24d464a6730a5fe675440d38488992fc49dca9773121fdcd34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae4a058ffc498f81484e2331a4caf4e1

SHA1
a347c284c08978e493fcbeff902e1f8413ca0fd8

SHA256
d2fed138ade04e46955b1459aa273567ab9edf38bb4fc6b52e289a356ef38ad6

SHA512
f567b664c7ca6ef9b4d1ef90ed7b15f591a9daf50d21322a540a1b7499151dd6905ec00138c28f18bcae2681e1afb13a7106f7f55c631680db6b65a661d1b132

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2edb654bd449b5addc51190d2914df4

SHA1
47be55b63e6a34bc71560c5b9ade76a82231cfb5

SHA256
209fc582a42f05b5c6d9a595df8aa2db2c8d142cd10d45d33efce171ef8a1872

SHA512
27ef249ab306c42e23e391dc85ed001cb882d8371ebc38505b4a30a11307f2b74164b1a3e79710238a4039124b36b6747025c9028850353517e7d2bef540c7bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e44430ad294c16231a690a9692f03f9d

SHA1
c46a642b52bcfde0cbf5c48f517c582276c31d1e

SHA256
248284b32842f1f288ac562a6364b04122b4ce62299a01260d4eae47bbba7d87

SHA512
fc4ec605e37e49ba8b53e96178cd04722a5af0aa2bb5614a0137fcabd5f0cafe3b1411ea225ecca67886cbe489ce2e23a56104a9105677dc8fa5b746a5530ba8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6622ad2c070ac956098c47f9699ea1cb

SHA1
d581b94e21cf47be885c1230c15880bf3e82223e

SHA256
3652a5c60db281962414339642f91e6ef94bb063b384232cd131c80118b671c6

SHA512
523f43df6eac9696aebc9a32ac6c4721f65317643fa47709a2532f713929d9e9ab70341d48c7712ff75797e84f646bddd2b3a4f0759986330997f31a9a4b2dcc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68ed741b67ba1c96f13bf692b13ce641

SHA1
cad9d0735a007a23485d394e24ba35ab0c64527f

SHA256
b36134a5dd4ff427f473722486065fd2ef2a4e3f2a88f4d223fdc8bee47a3284

SHA512
2117930f2970b71e902ea97abde9f4bd9c0eb6ce49c86cc57029323aff2df385b0a6f1b05132f239dc783a820b6fdf6d7dbac734b6025b751ff0cab7d583f734

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3aeecb221ae99da45064bc244b02a6c1

SHA1
0b521ac96ddce0195480e1fe55b74fcbac9d7d69

SHA256
4098e6f9a99c91094ede3dfdcb8283adb571b57ca66d9decbaeb6d3b558c80be

SHA512
5292a76f2ea3158d921d60ba1efb91b58881cc26da386469f72d8d13443edabf4204fe4da3ecbc2afdda1a2f7671789e74166f18e785b45934133b4a980b764a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
36518cbebd5049beb8f9cf541a1b48f6

SHA1
e3c1c87fc4405c5e4d3f715f79af9a9767318648

SHA256
0ea45509fbcbb8d5ef851c4e605a37ae3a2ff73ade5acf9e7c520c3aab4dc069

SHA512
0ec85ff2e09cf21987568f84b566fc1168ae8af39ba827d42eee2b95bd362d6c0b2a74eddbdde589379a169c875889e3680820263f0b0b54acd83c8918b8c424

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\metadata

Filesize
114B

MD5
7f4caf2620c8f4bf5c3fce62ee2d27c2

SHA1
dac74c41bae5268b7f8f486dd0a1d5efe6b1479a

SHA256
f215c7c9ae52fbbfdd9fac7514ffbcda0fd6c59af52c5a6ee3052d1cca6caca0

SHA512
e10639d621e0d9a61bc72eaf5548cdad66b6a0e415dd12e0fb56c25a1102e52e3a54ee8dcd3300aa7e13b1cee9110404a4e9c1dd4dff324dc28846fed1948f63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\metadata

Filesize
212B

MD5
0bf5dc683e9576b63e833b9fe98cd499

SHA1
e2f77c459a2594e228bd398d97703ee9ff0e42ee

SHA256
78c49a1190c832a7ea6092da92b892b3afebd29416bba6cdf53cbf4f6c79e5a6

SHA512
2de02e7f45f69522d617992c0cfb4a342e152b216794a6b45eec121bbacebae69c1fa309a4dbe72ed23927816e4e049fa742e259aa3615ccc4e5289f263db14f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\reports\4fe448cc-ddca-4ed6-b42c-5303329c7df8.dmp

Filesize
163KB

MD5
9f0e2a7f504b08e82b38742f14c435c5

SHA1
61e30c6531bdea32593badf027feb2c380f54894

SHA256
60275ae1c436db4ca1635ef2bf4a0149b383c019f1391f5c322420f7c1e9e612

SHA512
85494f20834b2d8087fd9b2a3a7d209123e7f929f54d2fd84d0a18d51fb754c411af652251c7c6d667b18a61d04561ef75d65beab52944bb97409963663c1122

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\reports\edad8a68-95ec-4e07-9107-f1f2cd7ad5e1.dmp

Filesize
163KB

MD5
3988fc8789220befe89a6638456d1892

SHA1
915ed2278fb5af2f15a049bf2df34df94d63da95

SHA256
b49edd9bee00cc1fe794c4ff49b1f8aa389a3401b6a8c1650af461d8109ce250

SHA512
5290e87465de7adecd0a56f97060a687fb2804089edcb754ad4a755e57fa2072004e823e7332a9ee6bd9216fb1b17b0f77f39cc7783b6b68789bcddd1fd4d478

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
9ca337524816226bf5da651706d62f51

SHA1
6f8a551c620e75e45b2340aac6720452d2886a26

SHA256
ba3dc56f607d63a68f065d56b69cefc8ab6dd4991fa972d80a1ff4ee388f4877

SHA512
97d45a79a646fe20a2ac9ef7aa142fe9483d95a6d2d9d007e7043f1b0776fbdf10616ba3fc93acd15404549bdd8c6e58706a76774fba18958dc8c1e76acc6e88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
f732dbed9289177d15e236d0f8f2ddd3

SHA1
53f822af51b014bc3d4b575865d9c3ef0e4debde

SHA256
2741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93

SHA512
b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
16b7586b9eba5296ea04b791fc3d675e

SHA1
8890767dd7eb4d1beab829324ba8b9599051f0b0

SHA256
474d668707f1cb929fef1e3798b71b632e50675bd1a9dceaab90c9587f72f680

SHA512
58668d0c28b63548a1f13d2c2dfa19bcc14c0b7406833ad8e72dfc07f46d8df6ded46265d74a042d07fbc88f78a59cb32389ef384ec78a55976dfc2737868771

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\activity-stream.discovery_stream.json.tmp

Filesize
29KB

MD5
beab8cf3495e31eee2c705bd853218b4

SHA1
1e2acf5cd42f42b64eb2609ebd9130bc0b4e90b8

SHA256
f6e23252b416706e3bb9fe785541d7634b53aab8c07e1120e861655a4400451f

SHA512
8417216d142e56a16e7d3b4ea43970894e2d1ca361f09e073d39928e03d66b7e0165ad2be4e29863d2770fd9064231757a95a7197a78029427b8c912861210c1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\cache2\doomed\14667

Filesize
13KB

MD5
c213ee778d9016c61e065b44ac4db357

SHA1
50bbb1ddb15e821b5e9a40f5a8d82460f50c1fa2

SHA256
081d222d67e9a34f232d1b97a9a5772c17fa56feaad888f729a97ae5c2b39d63

SHA512
10fd4c895d7f033073dc583a56cb6e95ad3dcac33b79b97d868ab1bd6ebd0490e063707e76f1356e364ff3efd0a888cb1ae47286f18629203611f1b906c5c802

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\cache2\doomed\15655

Filesize
15KB

MD5
c2c86f4beee24574715ea889d4c566a6

SHA1
7da5469a78a4d43df70b4bdda217eda71354274f

SHA256
69cf88d13d7cee2e09d91001f4f026dfcfd063e22eb07fa93ecfe3d4309eb7a9

SHA512
3b919986853810f6fb04d5cbcbc34c4031dc0dd6962aea758b549cc5f7b475f18cc1a345360e90bb66c481762ba29ef78a9dab8871de43372c0d174c5bbca5e9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\cache2\doomed\25954

Filesize
20KB

MD5
901ea6cb165f56562eb012a47933f296

SHA1
44c36273c2ab432c5e688f2c248ea43b0e1eec6f

SHA256
eaadd25cd1e0c20a03d72ad4dbcce01316ac5befaf746487f84c5f698638dec0

SHA512
c6a336ecf4fd75b3b4858a59b34c62dc76d53d4e857de1fb33079f55b6f21de46e896e688954839f0f8edc53c6e8d66b886ae65eb27718f3bff378ea1ec2e450

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\cache2\doomed\4132

Filesize
18KB

MD5
bbe7604f0c44de2e8dd6fa8a44a9acf9

SHA1
89b66989f69f1af2dfd7c2bfb1c0b4b4b8a793e6

SHA256
8ea138c7a97c495d657a4c8014ae9a52449975347466c3db4d8f40caf1a764a6

SHA512
413176ea604dff3f3b8b7674e9cb824fc2b7c97c792707505ccbd65d795a43a1c85b15433f72d6a6a1c7f450f9c916f57b0e80eba7149ee1da48865cfc7af415

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\cache2\entries\049ADCA1721603B8D45F26690060353B7C2E080D

Filesize
64KB

MD5
1c233fae28a622222279e3f018c3fea5

SHA1
7c7c9d61985bbe015c46249b5d87eb9cd64137ff

SHA256
96ef32e6a3b9f8110cf99b55ad00f6dba5c110b17ff1de61288269dc5be66694

SHA512
5d4d5cc1017639da8fe827d57f53aac44f4bf5ea91a0078bab8b8195d5a1497c05c7c6f45d616bb3e205556c5a869272fc54687bc2fe0f96a6b069e5d14a9390

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\cache2\entries\15AB8100E9EA03F53EFED5C8DC84E5E397EDB150

Filesize
13KB

MD5
6b3506d489f82ae4cae4355a4809e3df

SHA1
3fd73d802f8e9f8124c98b1c13fa2ab5ec79905b

SHA256
a574be188cef38a9e32c51ce6afc8897acf6b05c0a7cffa103a8934cd683ae45

SHA512
09d0f93463743108055a3ed34732ed6412f61c63f191691da2afbc59620d5cb9b965ff76709c5e682266a24443aa71d2f60bd913e3fe7edb82f044903f8ea65e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\cache2\entries\1EA49C294032D90D3413795B2DA0273F2BD4BB03

Filesize
36KB

MD5
f1b8ace6935122b3e102ef83a2f5d124

SHA1
a84f8da2a6df57c3a08b7e54c6dd816d1cd2709c

SHA256
328183f67a1454f29c9664d2a6e3cba0e731c5eeb62cd66890c60bb521009b59

SHA512
00f564ef7247dbe26c98fff0cb7823f2fddca78646c60ab193e25fc3ccbe06fb66cf6d8e62713769d08f93bf28bd89f2b485dc6e15b54da3e08453e3d4ecbb6b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\cache2\entries\2492994A253B970917AF5CDF605580B1C2DC16A0

Filesize
63KB

MD5
20562301a0f1cf86133686083dfcb74c

SHA1
fad6520bca50811c658f5c03102d09a8f593ef1e

SHA256
2b7741e04928713e98cbbcb6eaf2017190e1e822f1f2f4eaec6952bc36e66c7f

SHA512
e37dbca399849ce4aa05852f6419a83de7901de051403b4d8747b7a542a0b77737ff2d0e81c3b247363c9fe49652e192084e96c866ad05784bcd7843bdcac484

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\cache2\entries\2D53DC86EC805E3FED3983CF4856BD056706B752

Filesize
234KB

MD5
39346dbaf3f6dbe607e02d9b0c712de7

SHA1
42b67613e6a3ca900fe00927a02cb73a4bedd5a2

SHA256
3f0499a8bc5d64e6f87ef47723bf5a8206b6f612608946d60808f18f62a7601c

SHA512
7ed61131d153cabe62e6ca785c2eb247e75e4d83d4db4e4df24ec010aa8081b2b77e3e5faedf19d2946cf068798298d2b497ab3c7e2b737a35aeb0ba28b85d69

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\cache2\entries\3F692E2BA237A7E6C8D9C98526AC114680553DB1

Filesize
26KB

MD5
ce85d0e3d16bb58cb31d868572ff186e

SHA1
a150cad52e866bd06f4ebc3a5b024e45e57ebd91

SHA256
fc2d2ab76db8d6a18a677b4551ff7f7a24d3e833d777b4dadae40f40caaebce1

SHA512
f6a284bffa671bc40ccd41b65d1a42a423fab8aea6d7340ab4a5564f25ff48a3189817610bae97a14b053b123769d485c31b151555be9f57e6d74b6239266303

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\cache2\entries\549C94847E35BE89DCE95DF86EA39378F22E5078

Filesize
99KB

MD5
f01d62b76c028cd7cb42d42655b1895a

SHA1
5ba8aa94e9c38ef46ea3a5b8805a34af80b8eb30

SHA256
5e8fa29301680762a378d6d0067e5b75bad3a55e70192d543c368e563651c535

SHA512
4038482ff23d67a0273928ec9c4c2a5a67c5a313b9c92f2fe6481a75e39545fd8f80575890a789caeabe18ce52b12acd78201e25f5ea7446e17e5202b68ffd0e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\cache2\entries\6BC30B9C339C838A1A70FE76DB7C129794760028

Filesize
59KB

MD5
3a6f36304f9e3c7db26d86996f132982

SHA1
b2ed7952500b59719e08fc8da13317bbf9c4c1e3

SHA256
bf514c44c34765c6da967f2c8f3232689128844f6144a080fb40bcae299272ec

SHA512
575bbe458f30f3f1e1ce0f6b176149e606bbff51281b64fff11b41e989566e95bc88d2b50e4a95a7f8916b969b720d34d091cd674db9b729a98bd8f4e941c835

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\cache2\entries\A03E3E61B5B0A23F2BD68515B245FF480863548A

Filesize
41KB

MD5
e001bc388518b24db4e4039e4532938f

SHA1
7e9266ebaa70ff78cb0cb0da092cbb22a0753439

SHA256
f0e1d25aef637a549e110e7c6e42ae931659c659a8de6ab0e72c437e6ae844be

SHA512
969894acee45b6556d33ed54eaadc46b482402a9a853e29913cf1073e243a8a215937bdebc462dc88b8c8a1a4c981570763974d59d9613239d2caacffa6bc7fb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\cache2\entries\A4F0CD7C87F397AAFD75A245C43599943A2A40F6

Filesize
51KB

MD5
b0b42e6da2f001487a13c11100ecb7d8

SHA1
829c909a7846f9db611d0b8ce9759a15d8c38e7b

SHA256
f84669897c89490017a9a072e8963a1197ba07e0519bb96db225d36b905d8ed8

SHA512
9e339ef12b9fe68bf011a6909c764b51ffa1c21398aa0139a46b3d9fce7540cb73464054891f932efde597a701c0564d849b597f672c5b99b36859de141ad9f0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\cache2\entries\C137593A6AC2C888ECA6F4CFDBB4AB562172A494

Filesize
44KB

MD5
60ddbf93c3d7454501f3c2e983c9a4ec

SHA1
a33f22daa2c9d47d369ee731deb9d04708187c6b

SHA256
98f592cdc88d7d81d76d183bad16eac2db8b9e8e7505f52aaa26917ba6e63cf9

SHA512
e257ebd4045bb04a5297732bd5d1f9ac7c513343e9061de771d98b770220f8a5f343a75c762e13f5792289d7fda6b3da4a3f0a6417778c60f468bd99a419c844

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\cache2\entries\C93F59131F26430B8E189FEBC8E637317721CE6B

Filesize
40KB

MD5
8a52b6123c8f45471055e576ab783e55

SHA1
51e8eced4893664d7695d09891af4b8dcb750d55

SHA256
623e4822e5b74476e4aa819ad5bfb41c8ed96bcfcb1cfd544e5d426e478992bd

SHA512
debab356e545ab0bc7e81c764ae90a76acac41d165bb878b04b68125d31e95980ab9efb5e32c5b2109977f2a07cdf0c83ee4cd3a149fb688d64dc8e3262a0e06

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\cache2\entries\D85F220783F9DF74B369CCFF2661EFE249FCCB38

Filesize
61KB

MD5
12b495a14acb4ad5df38d4359e651408

SHA1
8d255cd6705c4099e66061336288cf75ae66deb8

SHA256
30c31da54fdad8bdefe8629be248cf29141f364ed5a93bae37c46ae800d07008

SHA512
39591a0af12df1031a3f7d838e98f219a9a02395b4e4738e40fefba0f4e092b176134f776a15dac220e6b769467fae720d351bcfb57c8e59e56db3ea6804c088

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\cache2\entries\E8BD986722565A28F40356B72AB577075CED36B9

Filesize
111KB

MD5
fc7bff433fc531a70cfa9f38130116cd

SHA1
3122e0f776ad20dc5c61d7247999f8eb86e372aa

SHA256
6a6826187a7be15cedde1a8a0a803a71a9667ac24f82e517333aa95bd20b30f7

SHA512
614eaac022d6866874fa946a21cbe6a8991440714ccd6fb37996970f9ec6d2539b76ed8c5c413bf27671fcfb5c5642ef566c89993ee771afa0cbaac5a7d3206b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\cache2\entries\F127A716A52FB05E4EDCF9C7D4225433521F3E41

Filesize
83KB

MD5
4b631a8401dfc736c70a34819ddf1561

SHA1
ea6ee6ef0bf98dd7d32c1a5a0f9e6e477f759117

SHA256
f6ca68b2f13678c695ad2d14b30c3866cac2325335ca352c13ab676863e5912f

SHA512
f5d6cebe2c27f2d38009878e381d98c621051351595fafeddb04757254d658204f6e7958c4f87ce4d3ef0e167e521cc46ce28e88798d7016ba9fff10f2ba5700

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\cache2\entries\F5153B1CE7F244E6AEC0B8F09548F60E56AC1FCA

Filesize
87KB

MD5
72b16f9e71fd392cdd14ceb1cf382776

SHA1
88e0dee8f904c45c192601d35d06dd6f1f85df26

SHA256
bc94d8778b238e7835a8b96e447cf47b82db6ca11d8ee1a7853626a9ed9fe17d

SHA512
207a76dd2ef6abebce5a85d2c39d67a049569c6d1d4efbb6bdcab37d327e7755e28dab0c03c12a87414867aac2a391dd24f034c22c215884a9292110e1ab085b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\jumpListCache\hu0eqrAc6GTuBBpTnyqd9g==.ico

Filesize
25KB

MD5
6b120367fa9e50d6f91f30601ee58bb3

SHA1
9a32726e2496f78ef54f91954836b31b9a0faa50

SHA256
92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0

SHA512
c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
13KB

MD5
f99b4984bd93547ff4ab09d35b9ed6d5

SHA1
73bf4d313cb094bb6ead04460da9547106794007

SHA256
402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069

SHA512
cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab58AE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar58AD.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\v.mp4

Filesize
81KB

MD5
d2774b188ab5dde3e2df5033a676a0b4

SHA1
6e8f668cba211f1c3303e4947676f2fc9e4a1bcc

SHA256
95374cf300097872a546d89306374e7cf2676f7a8b4c70274245d2dccfc79443

SHA512
3047a831ed9c8690b00763061807e98e15e9534ebc9499e3e5abb938199f9716c0e24a83a13291a8fd5b91a6598aeeef377d6793f6461fc0247ec4bbd901a131

Download Submit
C:\Users\Admin\AppData\Local\Temp\windl.bat

Filesize
771B

MD5
a9401e260d9856d1134692759d636e92

SHA1
4141d3c60173741e14f36dfe41588bb2716d2867

SHA256
b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

SHA512
5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\db\data.safe.bin

Filesize
491B

MD5
df51ef8fc4ea5596e53217e206250bb5

SHA1
bdb77ff28680599b49eb85a3165dad68b35a11d1

SHA256
7578bcd4a3d99a72f5093b18e2b51295dd867b15904c90c1ca83415160c4d254

SHA512
ebfef2421a9d0f9a8d55a848cf6a0270ed40f88e94d37d4bbd74a84ad520e374a49e2fc91d21222ed60c99ae5224b07a0d9fa04e47a0e36a71a1b02b04de7d18

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\deletion_request\cbc5cf57-a7cb-409e-9e19-3a0f85d813d2

Filesize
514B

MD5
3f8c6565fb7806800d92742b5ea0d528

SHA1
41ad45f82c71d2613cd3d1699b3db7746f8f9b54

SHA256
70b7b9c2f61fa75c168a6fd4a0710a4e39997126385a36ee4a4b1036865f6ac7

SHA512
2d0b71efb7bedb30d7492df9b7ef91a5c4fa7fc2cf5ad65676a03892333cc4318ecab269c3e435a25a325c5d91a877c1b8ae4dafe27a2f93766567ca0b6c63fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\extensions.json.tmp

Filesize
42KB

MD5
8662628adfc2d9e232090336185d5214

SHA1
0bfbb64c4906618a4b6c89fd282f38d0af9d2729

SHA256
9d4f5b3147592716c95bcb2780b53aa2a31805b5361c6366f79ce373a59a9cd3

SHA512
a4c1b03b8b705e97cddd9bed1f7788c2ccf2d07d7d970bcd84449431734288766da53b3d146f2f33c43cc90b491e226c5131532737b95e85e756638dc05861a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs-1.js

Filesize
7KB

MD5
109831938f400f451a10ec8a3da1eeaa

SHA1
75eccfd644579107f04fdbf07059d9d95b63662e

SHA256
f56dae4def5d9ed1fd42fb8345e606d1996933c5968ff2b4ce7f44a3a64ad189

SHA512
86f9c61a36a360063a34c38c8a0280c95a9c022240a7326bb510d4a479df251f42914bd38b7eff797a031839450b399820ca9ca6aa2f6d4817774fb248b93e39

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs-1.js

Filesize
6KB

MD5
ee91da343480018d928e5e94258c3768

SHA1
1933f0f6ed39f1b2fe8cb324ab6ea920098ff150

SHA256
9bb06d35849ecc422214683cda064ec72560a62f7a8095f362c34adbf0a82df5

SHA512
240516ae834dfbb4067d19bf7fa8ebf104f4246f6204019241f8bcd5a66ab75aae574a2792794f91ba68eb5cac534c457bc547bd775b4a86d927e2b2614e3fd8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs-1.js

Filesize
6KB

MD5
ba55e903f8d03088d1f3197096e124ca

SHA1
566bb63688f5babd535cc02de651130c293fb44c

SHA256
e60935f19148a49b86d5fd7f7bfed637a5166f3c763ca09375de431eb07033d4

SHA512
7c129237b7a92727ec7eeb7b88aa3afe934ad9f6595138511d2cfbcc606d4f47f1f73c36a5da12910b563eae0344f50d1b41b2fe116e52ceb359f313f8ccb776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs.js

Filesize
3KB

MD5
df8871563aedbefbf3551179acf1e192

SHA1
8b7dad091d65b91aa9f7a7b9aea52ccbcce85a15

SHA256
36822ff4389d3cb94e9fd2256e5db505684b033470be41b7375b0b36bda38684

SHA512
08e8c0d4c781fc536cf0a9fb3eee943cff9989fc02426867b2043a60ce6172d654c8954e26922191a30a9685aaf59748508ce634c65308934dcc749aa5f3f61a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\search.json.mozlz4

Filesize
298B

MD5
bb6e65729186d099afaf2a9690c40d04

SHA1
9ff87bc9662659572dfd4ef66bb6736aaa5879e6

SHA256
f90aea459136b3e4779d58298eddc233c06c6560ab6d58502da4aaeb77064f10

SHA512
ab92af6e067a6f9b03ac9c6c513c5214846b525d0a4f71a9ae6fc970dc8cec9590f294eae69771f9a3feea8ae01ad5d620aec83d1c89a79644982842f965e392

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
97098c13974edcc1d5e53bc3cd5093af

SHA1
27c3a97bdbf8c7ed9467014caff71f4dfaa71e87

SHA256
4dcf686290c71c7e694127bb390eae9ed1478a4292db7cbcf3381db03a97c9a9

SHA512
c0e14fa03af0f82e23cf81179cae97fdd65210f9882dbba940d9732e14830081935d846c384a70ef8ee866f9eb0a024e828871362fdb6f75347a6c0eb9c7bf14

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
f558db04402e967a8620faa5f89da777

SHA1
a55367eee08c3c2aeb8916168f52babf05c41e9e

SHA256
57b62de7c798c1b1a2d5a498e218e87d93226671061e31c8ecbe103a693f464a

SHA512
24ce537889e6f5d4d95b353d7ee18420231a23f42a6e100331d4d943302c2222fd635a1c765244cc4b6628078fd3e622dd2fbc3aae2126865028b208283c618f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
f3069c0915acfd7ae6a09e85e02e4218

SHA1
c7a93337b1238252cdb5e2a619d158979cc2bd5a

SHA256
b59ffece7a86100e1c4bb31aec4b6d79487e4e409a0775a14460088958bdd20b

SHA512
4081b8cd311fcbd6ca891fea6d3966701c4f4b62930d3730cbf5c42a47495409f6b2207e782ac8de19a6bad4eaa3d1a551e668229895558a7bb57dbf73bb5736

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
9c16b85183d2b0de4bcb8e5a487c3b3b

SHA1
5455d65e54c4ac543d63d99b37a75eab6f3d660c

SHA256
ccfcd5804bbbcdb09510ea95ca2a08126ce556932b3575a4366f44ee5b755a72

SHA512
a1bb9ebe2797fa4cebe6f0d8a03035dd073e830af5c2ddbe72d781bb3d751744616edae215d6360836c282553111af0b714222f67161ae7ba3c50eaa250290ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
2c85954c370660dca5a765d7095a9a20

SHA1
38e237023dc15fbcc3f363adfb3751cefdaf47b4

SHA256
bbfb42be859e86ba960db23d42d965ddcb23af05985575ac20e527374392edfd

SHA512
f2ac688c540b0850440ca567c4e7c4bdaaef035b5a4c164161a76546c41be8b6919cd8c3b4ebb8089c7f4abf701ad2b63757ae713cf6d2f73aa6081d0b14f138

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
7bcd0c8ff78024f6d84747febcce7310

SHA1
4e9a3c60da72a6233fb4e3feca5df6ac860ae83e

SHA256
474c805403c77166e41e18b4f8f04c23ce3657d91921a1d301f3fc5e7292f124

SHA512
b3982ac2f8d7bd0611c669feed767745566d875ba205b3a70d01ab777dde900b472e494befdd35ae01a3f4eb18aa11d086beac078b44f889a9033e4b8f5cb6c4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
cf295a68f4477730fe4fd6c5faae454a

SHA1
6b29c9ddb7b783fb6492e973b5ef6a582354f89a

SHA256
3c575a0b075c3d8880a52bca7bcc0cf5fa862be03133bd3d6da216954472a892

SHA512
2f53494f23ff2aeb7b6dcd0d8962efa5689b1ca6c20ca9e27547b11f36d31826765429bf7240471b00852443a2cada3103d983415f177f9390084ccf49d815a2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
cc22415ee35e3619ba8727e18057c1e2

SHA1
319b4a07b1d68efb5052bab786c76b335faa2abf

SHA256
bd3c0b31402eba76fd732c6a4b67a214aa2134639ffbf0057078c74718a07920

SHA512
0fa8aea193f955c2e48cd3345cb365abeb20992d85c1d57a9d8e67204ecb35809597f5861310ec07cf63479ed75c2c873e83264e9343514341b65d94d498e59a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
14KB

MD5
0abadde22715498320fa9dc46c4ea1c2

SHA1
6f33269c815fa2f0c8b8307a437765977ebefa25

SHA256
2877d8da075016c204bb7626a3c60e0458f00da0ccf0f9740173fde89bd236cb

SHA512
c25f1dd1fca0c17173ddb3e17b218432824b0cafb7059cf9a4b449946d0d865e292f4b4c1354958babaa1b797d6041c1dc82ed04d41b24bd578316192ab74c30

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
4a98b5d7de9c6675a37099d85ec1c01a

SHA1
d9e53be0177b7c40f1f86b80bc92ce34a00e4832

SHA256
de19f4e863bdb0223b49fec37f785c60a95399b986b6bfc4d4302b9c7d8dbfab

SHA512
e98ed04f3e0e266e91b870fdaac440bf41af124b0c2d8505d97f1b6be59803699c7da8b9f4f0b53e3db8b7f2b3ad5b839d693f8e2f8b84abc87723695b1a63dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
13KB

MD5
80ec98ae167bc5cfb621af2760f8ec21

SHA1
6d1c0a81731fd72e736a257f96c5175366fdbf66

SHA256
fc5ff35965afa85337194290c7597933469cb288584aac96c1d8e7951a085bb3

SHA512
116f100f844fc229f93a104df42421699a191400261cacfe414a54147cdf6656caff27de48aa44dc5e9e772709c2418dc00e6644edff8bc58d81d70776cb4a2c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
15KB

MD5
1cb0252523cf93fba94d4f11387db5d1

SHA1
d3e915da0700dffc4b84971ee2386d66db6fdca3

SHA256
7cf2b21ae9b4c8bed03d718ee5f1298575ffdc22b67177b13290ee7f55a57b8c

SHA512
78503aa71ae0bec10b9f8764afcf9cd4d7f236da13256f68f7f1fa3382a13041666df1c2b9be6032ae1783933735190c8bdec829bfb58596fa80e29e281cf9fb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
12KB

MD5
25eddc6abd8a2d1ec4b1cb4a22fcef7c

SHA1
7135eef0779ae6a89603561b93b6d2f3c3731f4b

SHA256
6b87786d4df4d98776e0b01107918c0e2581cf349115fa3b934e0e5e7361cbe7

SHA512
bd7a665b76af4f81e94c304d6ee54738644f8ecad722984890df802a6ecce833fa118003cd04d4dbae8c9735cb30b3394f1a562e8874530f0c747e4dd5037c89

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore.jsonlz4

Filesize
12KB

MD5
8521da1bda343b8566db32b08ee1b9af

SHA1
2392469b0c734b27b15efda3c01fe2e59e8a504f

SHA256
e0cf087077cb43a8119ddc9ea8786a1f3832ccbf0583be5d2de7171b5f872d3a

SHA512
be9fc2e720b53fd73a153c7f144c1a332107b2f48f3dc5e1d06d45e9979b29686acf9a6ad0fe19330c2affb2b6237062f8c24c038ea0ecb556a31e8d723fbb51

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite

Filesize
48KB

MD5
2702b732f5d762bfa65ecc9793f8ed38

SHA1
abd9fd399802ef9af66f8a4ec7f0f083eb982432

SHA256
8d5bf16d2ddfcf5cc463055ffcc788c6d51699196380fc0f74df0e8072376795

SHA512
054a08c2034192d85f0914f627aa95226b0e4cba5ae8cc294871fb764f12d637e586bffe4e1c3371dbfc8d5bb92f8b1fd05b5fc93b7fb6f3c8f4e456fb2af1bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
248KB

MD5
154791e02ed766cfe3de69b464eabc97

SHA1
87a48750707d2bfda030df4921d87f795618c267

SHA256
8228b12729b907e9a3691c3214793a331224c5b25ebd18a650363297d8d73499

SHA512
9aa2e7e50a1d050a625a4d686465853acdeea6c52ba146dddeb9691b7fc0fb439955fb3caaac60990d47340f6650009b4f729edf794ec15d5ce8abe50611c510

Download Submit
C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt

Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
C:\Users\Admin\Downloads\000(1).dJ6G8BKC.zip.part

Filesize
6KB

MD5
10c4350c9ed0738e5761d6607cbaaef4

SHA1
a900ec5edb93c67c368d4f0d73b2d9db57bdfe41

SHA256
1834083a34ed2ccfd6abdcbc2a6d99a5b61a8dc6c248459db728446bd656b479

SHA512
ac1d2a5048b9c44888308be3e44f8602699a1e52e95ec1c2d84d1fc362b3f21cdc97763e46de81d9feaeb9093e75602ae302c0d9d611341b6d9335b9422a4435

Download Submit
C:\Users\Admin\Downloads\NoEscape.of38gmHX.7z.part

Filesize
10KB

MD5
ca35c2142d839611333b85707d7f57db

SHA1
68dac63e1067ab473d8338f59bafd66c1029f664

SHA256
8335aa0c45abdac21e98af19e651bb151a1435e97ab14daeac77ff550a9f3271

SHA512
1e8ee6f828a7bcff615912216a9c29384301c9a5aa9af0dab9d27a0879b0b3e5263c1e3323e945008adac909dd2251f528123d9934e74443b2c3a731e8634230

Download Submit
C:\Users\Admin\Downloads\YzTRxnLz.zip.part

Filesize
119KB

MD5
d113bd83e59586dd8f1843bdb9b98ee0

SHA1
6c203d91d5184dade63dbab8aecbdfaa8a5402ab

SHA256
9d3fe04d88c401178165f7fbdf307ac0fb690cc5fef8b70ee7f380307d4748f8

SHA512
0e763ff972068d2d9946a2659968e0f78945e9bf9a73090ec81f2a6f96ac9b43a240544455068d41afa327035b20b0509bb1ad79a28147b6375ed0c0cf3efec5

Download Submit
C:\Windows\lkrjuaskummm.exe

Filesize
388KB

MD5
a0340430d4b1c1f6dd4048ab98f2e4b2

SHA1
a43ff275972b4ed9b7f3ece61d7d49375db635e9

SHA256
9b1622602d4ae8196316deeb91fbdd1346a4b31453f3762be119e24c84827217

SHA512
54ca85bee0ded2a742c767565159c0e3121d8cd1d97cebc751d067b1ea45d9fca86b6d5acad5b472eddef23d20afcc8ae3497cdd411fd9f393d80e0c90f2cd8d

Download Submit
\??\PIPE\samr

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1936-1750-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1936-49-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1936-6146-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1936-1751-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1936-50-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1936-55-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1936-2679-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1936-54-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1936-6149-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1936-6133-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1936-51-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1936-6131-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1936-6128-0x0000000003D90000-0x0000000003D92000-memory.dmp

Filesize
8KB

Download
memory/1936-6122-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1936-4877-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2448-17-0x0000000000360000-0x0000000000363000-memory.dmp

Filesize
12KB

Download
memory/2448-1-0x0000000000360000-0x0000000000363000-memory.dmp

Filesize
12KB

Download
memory/2448-0-0x0000000000360000-0x0000000000363000-memory.dmp

Filesize
12KB

Download
memory/2652-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2652-28-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2652-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2652-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2652-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2652-12-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2652-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2652-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2652-16-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2652-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2652-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2940-30-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/3020-6129-0x0000000000100000-0x0000000000102000-memory.dmp

Filesize
8KB

Download
memory/4008-8710-0x0000000000E40000-0x00000000014EE000-memory.dmp

Filesize
6.7MB

Download
memory/4008-8734-0x0000000000E30000-0x0000000000E3A000-memory.dmp

Filesize
40KB

Download
memory/4008-8733-0x0000000000E30000-0x0000000000E3A000-memory.dmp

Filesize
40KB

Download
memory/4008-9538-0x0000000004D70000-0x0000000004D7A000-memory.dmp

Filesize
40KB

Download
memory/4008-9539-0x0000000004D80000-0x0000000004D85000-memory.dmp

Filesize
20KB

Download
memory/4008-8724-0x0000000000570000-0x000000000057A000-memory.dmp

Filesize
40KB

Download
memory/4008-8725-0x0000000000570000-0x000000000057A000-memory.dmp

Filesize
40KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads