b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1

Analysis

max time kernel
1667s
max time network
1686s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
13-12-2024 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

The-MALWARE-Repo-master/Trojan/Zika.exe
Size

5.6MB
MD5

40228458ca455d28e33951a2f3844209
SHA1

86165eb8eb3e99b6efa25426508a323be0e68a44
SHA256

1a904494bb7a21512af6013fe65745e7898cdd6fadac8cb58be04e02346ed95f
SHA512

da62cc244f9924444c7cb4fdbd46017c65e6130d639f6696f7930d867017c211df8b18601bfdaaee65438cee03977848513d7f08987b9b945f3f05241f55ec39
SSDEEP

98304:Xpkr2dY/aBcjJOBHOBIQBajMtWvoJiLE1+XgRKz89G/4ZSb0Funwh6DsN2PIpCr/:Xpkr2dY/aBcjJOBHOBIQBajMtWvoJiLf

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 21 IoCs

pid	Process
4240	svchost.exe
2280	taskhost.exe
4588	svchost.exe
1176	taskhost.exe
2220	svchost.exe
2308	taskhost.exe
1516	svchost.exe
2480	taskhost.exe
3816	svchost.exe
924	svchost.exe
2600	taskhost.exe
2416	svchost.exe
3060	taskhost.exe
4376	svchost.exe
1072	taskhost.exe
644	svchost.exe
3900	taskhost.exe
2504	svchost.exe
320	taskhost.exe
2576	svchost.exe
3368	taskhost.exe

Drops file in Program Files directory 43 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.dll.sys.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.dll.sys.exe	Zika.exe
File created	C:\Program Files\7-Zip\7zG.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.dll.sys.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	Zika.exe
File created	C:\Program Files\7-Zip\7z.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Zika.exe
File created	C:\Program Files\7-Zip\7zFM.exe	Zika.exe
File opened for modification	C:\Program Files\7-Zip\7zG.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.dll.sys.exe	Zika.exe
File created	C:\Program Files\7-Zip\7z.exe	Zika.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Zika.exe
File created	C:\Program Files\7-Zip\Uninstall.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Zika.exe
File created	C:\Program Files\7-Zip\7zFM.dll.sys.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.dll.sys.exe	Zika.exe
File created	C:\Program Files\7-Zip\7zG.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.dll.sys.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	Zika.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	Zika.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.dll.sys.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.dll.sys.exe	Zika.exe
File created	C:\Program Files\7-Zip\Uninstall.dll.sys.exe	Zika.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\notepad.dll.sys.exe	Zika.exe
File opened for modification	C:\Windows\notepad.dll.sys.exe	Zika.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zika.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3448	Zika.exe
Token: SeDebugPrivilege	576	firefox.exe
Token: SeDebugPrivilege	576	firefox.exe
Token: SeDebugPrivilege	576	firefox.exe
Token: SeDebugPrivilege	576	firefox.exe
Token: SeDebugPrivilege	576	firefox.exe
Token: SeDebugPrivilege	576	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
576	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 4240	3448	Zika.exe	81
PID 3448 wrote to memory of 4240	3448	Zika.exe	81
PID 3448 wrote to memory of 4240	3448	Zika.exe	81
PID 3448 wrote to memory of 2280	3448	Zika.exe	82
PID 3448 wrote to memory of 2280	3448	Zika.exe	82
PID 3448 wrote to memory of 2280	3448	Zika.exe	82
PID 3448 wrote to memory of 4588	3448	Zika.exe	83
PID 3448 wrote to memory of 4588	3448	Zika.exe	83
PID 3448 wrote to memory of 4588	3448	Zika.exe	83
PID 3448 wrote to memory of 1176	3448	Zika.exe	84
PID 3448 wrote to memory of 1176	3448	Zika.exe	84
PID 3448 wrote to memory of 1176	3448	Zika.exe	84
PID 3448 wrote to memory of 2220	3448	Zika.exe	85
PID 3448 wrote to memory of 2220	3448	Zika.exe	85
PID 3448 wrote to memory of 2220	3448	Zika.exe	85
PID 3448 wrote to memory of 2308	3448	Zika.exe	86
PID 3448 wrote to memory of 2308	3448	Zika.exe	86
PID 3448 wrote to memory of 2308	3448	Zika.exe	86
PID 3448 wrote to memory of 1516	3448	Zika.exe	87
PID 3448 wrote to memory of 1516	3448	Zika.exe	87
PID 3448 wrote to memory of 1516	3448	Zika.exe	87
PID 3448 wrote to memory of 2480	3448	Zika.exe	88
PID 3448 wrote to memory of 2480	3448	Zika.exe	88
PID 3448 wrote to memory of 2480	3448	Zika.exe	88
PID 3448 wrote to memory of 3816	3448	Zika.exe	89
PID 3448 wrote to memory of 3816	3448	Zika.exe	89
PID 3448 wrote to memory of 3816	3448	Zika.exe	89
PID 3448 wrote to memory of 924	3448	Zika.exe	90
PID 3448 wrote to memory of 924	3448	Zika.exe	90
PID 3448 wrote to memory of 924	3448	Zika.exe	90
PID 3448 wrote to memory of 2600	3448	Zika.exe	91
PID 3448 wrote to memory of 2600	3448	Zika.exe	91
PID 3448 wrote to memory of 2600	3448	Zika.exe	91
PID 3448 wrote to memory of 2416	3448	Zika.exe	92
PID 3448 wrote to memory of 2416	3448	Zika.exe	92
PID 3448 wrote to memory of 2416	3448	Zika.exe	92
PID 3448 wrote to memory of 3060	3448	Zika.exe	93
PID 3448 wrote to memory of 3060	3448	Zika.exe	93
PID 3448 wrote to memory of 3060	3448	Zika.exe	93
PID 3448 wrote to memory of 4376	3448	Zika.exe	94
PID 3448 wrote to memory of 4376	3448	Zika.exe	94
PID 3448 wrote to memory of 4376	3448	Zika.exe	94
PID 3448 wrote to memory of 1072	3448	Zika.exe	95
PID 3448 wrote to memory of 1072	3448	Zika.exe	95
PID 3448 wrote to memory of 1072	3448	Zika.exe	95
PID 3448 wrote to memory of 644	3448	Zika.exe	96
PID 3448 wrote to memory of 644	3448	Zika.exe	96
PID 3448 wrote to memory of 644	3448	Zika.exe	96
PID 3448 wrote to memory of 3900	3448	Zika.exe	97
PID 3448 wrote to memory of 3900	3448	Zika.exe	97
PID 3448 wrote to memory of 3900	3448	Zika.exe	97
PID 3448 wrote to memory of 2504	3448	Zika.exe	98
PID 3448 wrote to memory of 2504	3448	Zika.exe	98
PID 3448 wrote to memory of 2504	3448	Zika.exe	98
PID 3448 wrote to memory of 320	3448	Zika.exe	99
PID 3448 wrote to memory of 320	3448	Zika.exe	99
PID 3448 wrote to memory of 320	3448	Zika.exe	99
PID 3448 wrote to memory of 2576	3448	Zika.exe	100
PID 3448 wrote to memory of 2576	3448	Zika.exe	100
PID 3448 wrote to memory of 2576	3448	Zika.exe	100
PID 3448 wrote to memory of 3368	3448	Zika.exe	101
PID 3448 wrote to memory of 3368	3448	Zika.exe	101
PID 3448 wrote to memory of 3368	3448	Zika.exe	101
PID 4676 wrote to memory of 576	4676	firefox.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Trojan\Zika.exe
"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Trojan\Zika.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.exe" -extract C:\Program Files\7-Zip\7z.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4240
- C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.rc, C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.res
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2280
- C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.exe" -extract C:\Program Files\7-Zip\7zFM.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4588
- C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.rc, C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.res
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1176
- C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.exe" -extract C:\Program Files\7-Zip\7zG.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2220
- C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.rc, C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.res
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2308
- C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.exe" -extract C:\Program Files\7-Zip\Uninstall.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1516
- C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.rc, C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.res
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2480
- C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.exe" -addoverwrite C:\Program Files\7-Zip\Uninstall.exe", "C:\Program Files\7-Zip\Uninstall.exe, C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.res, icongroup,,
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:3816
- C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.exe" -extract C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:924
- C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.rc, C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.res
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2600
- C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.exe" -extract C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2416
- C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.rc, C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.res
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3060
- C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.exe" -extract C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4376
- C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.rc, C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.res
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1072
- C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.exe" -extract C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:644
- C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.rc, C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.res
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3900
- C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.exe" -extract C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2504
- C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.rc, C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.res
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:320
- C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.exe" -extract C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2576
- C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.rc, C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.res
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3368

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:576
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23839 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1a3ea96-405c-4fb8-bb8d-4a0b94607e12} 576 "\\.\pipe\gecko-crash-server-pipe.576" gpu
    3⤵
    PID:832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d01d0a9-bfa9-46a6-bc11-639f7b30fdf6} 576 "\\.\pipe\gecko-crash-server-pipe.576" socket
    3⤵
    PID:4088
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2968 -childID 1 -isForBrowser -prefsHandle 2764 -prefMapHandle 3048 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1000 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26c50bb9-9532-4398-b59b-5e7d150e4fbf} 576 "\\.\pipe\gecko-crash-server-pipe.576" tab
    3⤵
    PID:3032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4180 -childID 2 -isForBrowser -prefsHandle 4172 -prefMapHandle 4168 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1000 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24c2d6df-fe47-4aa1-8b41-12fe6b88a929} 576 "\\.\pipe\gecko-crash-server-pipe.576" tab
    3⤵
    PID:3312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4816 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4808 -prefMapHandle 4812 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cce518a3-87f4-44c7-a3ec-2a911e183b2d} 576 "\\.\pipe\gecko-crash-server-pipe.576" utility
    3⤵
    - Checks processor information in registry
    PID:1844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5196 -childID 3 -isForBrowser -prefsHandle 5188 -prefMapHandle 5164 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1000 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe733585-f515-4fb5-b5ba-7c45d2aedd1f} 576 "\\.\pipe\gecko-crash-server-pipe.576" tab
    3⤵
    PID:5448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -childID 4 -isForBrowser -prefsHandle 5412 -prefMapHandle 5408 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1000 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d42aed0f-613f-4cfa-80df-9ce7d0286a23} 576 "\\.\pipe\gecko-crash-server-pipe.576" tab
    3⤵
    PID:5460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5400 -childID 5 -isForBrowser -prefsHandle 5628 -prefMapHandle 5164 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1000 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b289738c-93c2-4ef7-82a5-6468c0a594b0} 576 "\\.\pipe\gecko-crash-server-pipe.576" tab
    3⤵
    PID:5480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9enwga8g.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
d67f201c40da16a10efecb200db28e49

SHA1
15d59efd69ecd47318480c24e3c31706d2f78688

SHA256
c4722375dc2afe42e19cafee11c7a65ee0908a47067a9b61d882bb4155a4886f

SHA512
3d0336375379ebf7f56576f51294f1be2020cdd36360bf712c005eee02a2895c27f798f5dff40fc653e1388f7f7f27c153c19f199fb848f690819641fa0205a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\Icon_1.ico

Filesize
1KB

MD5
0e581dbc510cb867773d322c22275703

SHA1
e77c65e5afa7147740b9153a536ac6e7fcb8a6e0

SHA256
498446f91da7facd85ec64a4b009ebd3b37df82ed8ea72634f853887689cf6d9

SHA512
ce16d74e3b90bd68f407b9269c755c53960d74b6234a775e05960ebfc3655098972bde2f2c6786060bb421de2e5fec889c1b3b3493215000e2e4af5fda6918e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.rc

Filesize
23B

MD5
0242dcc2276a78bad128831c3658e05d

SHA1
7f1cbfe2bbe0a88839b5bb988d83aab24b6af559

SHA256
efd2129c933ee2233bf7fc74e640c0b01d9aee82a9bd08088528fe366c2d77c8

SHA512
ac308ec35d4b9e3c3b4e3ce57c1459158f2f82cf0999f4a7b99c58f2431c9e096c59f493285e4f0331430ab3cc22e4d17c35791e21b177384d0f770ab053eb79

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.res

Filesize
32B

MD5
45d02203801ec5cae86ed0a68727b0fa

SHA1
1b22a6df3fc0ef23c6c5312c937db7c8c0df6703

SHA256
5e743f477333066c29c3742cc8f9f64a8cb9c54b71dbc8c69af5025d31f8c121

SHA512
8da0bf59066223aab96595c9fbf8532baa34f1f9c2c0dee674d310a82677b6c7d6a1cc0bbaa75262b986d2b805b049ec3a2bfb25a9ae30fe6d02e32660f15e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.res

Filesize
64B

MD5
8a678660f560e83627c2c9495bc884c2

SHA1
d7457cff6547a40b2963ea22e5d7b8493adbd2aa

SHA256
2cd09ae011fa80dfb4c703c96be9a639c7f1b6e8b5cd7c6499992f31dee1c668

SHA512
b411292d9a986b59a683cdb95e63da2855a60a83619570c0512aa755500e90b1ccaa9e941fc4af0c2fa92f7b8abf63efe1d9950b7a19e9d78174d32dd65e9990

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\icons.res

Filesize
1KB

MD5
2283046ca6c89d23349a4ed76964e188

SHA1
786a12ad143db960a78ee4e926c6db0153da4245

SHA256
ed680a08263dbb1e2a66f9d41e6f2bba9a5a6805ce178326d9af1d3316c9e135

SHA512
f5fb87e4fc3d75471a31302f2c68fb6ac82d5fe691b81dafe3a11a17fcd9ca5cb5ee68b96d61ee306cded4ee371df4024fcc2beac882111825053ca3c2d8ab02

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.exe

Filesize
861KB

MD5
66064dbdb70a5eb15ebf3bf65aba254b

SHA1
0284fd320f99f62aca800fb1251eff4c31ec4ed7

SHA256
6a94dbda2dd1edcff2331061d65e1baf09d4861cc7ba590c5ec754f3ac96a795

SHA512
b05c6c09ae7372c381fba591c3cb13a69a2451b9d38da1a95aac89413d7438083475d06796acb5440cd6ec65b030c9fa6cbdaa0d2fe91a926bae6499c360f17f

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.ini

Filesize
488B

MD5
b1df7d496d812728616126d7ead649cf

SHA1
dd37ab29984bb5ef9c08feeb78f825fb2cb66d04

SHA256
d87eba72ddc677f74c5c418556b88c06869d9e5b4e2aff8ba0917672bf4dd13d

SHA512
2d4a7584677d08f4e870d14e6a40bd328249d8590033861703607d9562540a6eafc4681215a0cfe259f8275a4b23c1acb466e61f57a1156c418265113f49724e

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.ini

Filesize
532B

MD5
ed8cc3fd6c2c098709a4ffcff24f57e0

SHA1
7c5af9a6f8364a5faf2247a1d3cce3e4f3d6b937

SHA256
a4b67c15c249b215d373216fb836a74a1ad638eba34e97063b52419a83a627c9

SHA512
7ed25040a9ae177260ec1131eb32b8f14da7a157b6ba70fcb3838a930d9ae50ddcc6337142500b119e1a4b18a44c1741ade0b037849b0bc3061f9af23fd5172c

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.ini

Filesize
579B

MD5
6809de6edb2093051220c4bfc62a2e85

SHA1
fd17c0a5e74506afc0ae7692d51725977ae78c2d

SHA256
2e33a767363b5bfff1aab9960f1036f5c2993271b9541d422c40b48efeb0760a

SHA512
83b386429b52a9070c75804d90bef3405a001edd6e1c074a9a3c1ecf20edf8c41444401470fa5435801d768d8006708b875580aeebc6773b2327ae1105a7d879

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.ini

Filesize
629B

MD5
994810667a50754e5d2cfcbc730e06ea

SHA1
6beb1e79a37f9d762e61e88504b2613b49d1e3c7

SHA256
37d68676665f29facd6cb8bae05057db179376bf36e10ea379c83b5869f35ead

SHA512
f21b1be05f211803738aa35f01037eade5cb8673f1095b3751b7ad247f366514951ca63366a5abbf97e0166196679f89baab7c3aec556b927cc9968b9ffd8b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.ini

Filesize
629B

MD5
1afabe6942158d10888b8306500c147f

SHA1
5b817ca55dc5095180b094af10d5a2231b53b3eb

SHA256
b0ff761b5ee2fd2ee5bc615f184491ffed908595f5628e2c5275611092d3f030

SHA512
e68ed681e3dde70042c161885226083ab495e5dc37c14b648bf8894633c6ca1ded74c01ce2bd6a7b2d4effad5ee03c9f4c6674223010d8578348c95a92bbde24

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.ini

Filesize
291B

MD5
a4b2f7b9b22de64af6f23dfbf6c17b3d

SHA1
e887f6639e7246aff18b1178dbe5a6192198395e

SHA256
2b520f2ad4d97486ceda159e25110b23b13be7b635a21376c31f72f5f1e73122

SHA512
4a15176727b862ff4d631e0565017d527acdae3fff01f60c0575f4aba06ed5b03bbcfd0c81eef6b5e61c6820776ee650c55bc2787e24fae7755375e11616985c

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.ini

Filesize
330B

MD5
505a58977f0bd5542fcf8f73810d584b

SHA1
f1fb32f008bfb1de1108af9a4949b84880c12949

SHA256
3fa1bff72495582f12cb343f78c091d0d0ddf116dca25875c448c05c392b1b96

SHA512
9d56e8e82d61e7e79f4f30ac2ac7aee084877406d7463f789a66a58d3e47f21c7fa4a3aa43ae54fff98828f425afea6a87b99560a3724129e513d3f604bc5cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.ini

Filesize
368B

MD5
8c2bc5be121f832a27462fc8fcaff47c

SHA1
ab4e41c0ff82ab19c186bbc3f71d4ef8342b98dc

SHA256
6b510d3a47c6aa9f0b258d5c01e4e1a25662d5f2ba65305b9c4c0968adc37967

SHA512
ac70446384567fd1bb45c6d7da7fb5bb871ef7c80dc78472533b98fecf3ac0cf9e1b4ff2aeb634dc8c410d7d2437d51e60818c68342fd678df86f5183a8e73bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.ini

Filesize
412B

MD5
c23d7206b436557a5e6b38987e91ebcb

SHA1
a9424ed7541094d430f41c7e4d26df98c7180a9a

SHA256
633a6fbaaa13036b445decdc727efbfb89812d45689a3dc9d3890cb8bd47226b

SHA512
169091f32e8f51a993995b186f10184173cd9e76993e26ab50da64c481d4868824b97f673044588d1dcff8aa1d896d97ede6ff214857f8e00e2f0e759939c70f

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.ini

Filesize
411B

MD5
97ea09a08d3a0af5e956bee7b206431d

SHA1
7f5981536ee1d9e127cc30e0d084e6d81f27f0d9

SHA256
76c53cd9e4b76e73aa3b8a1caaa25be0a4c64646b770921bc1721916c4cdc109

SHA512
1987a36ef878d79da41e83a00683737fe9db475f02560f60519c03e2c8aa1df5ff2e5595a50b797ce1bb0a7f170e5a1357f85b5b27c3616e0828fadf4b8509f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.log

Filesize
289B

MD5
a6444320aa175b9d995b577ca5d691e2

SHA1
41cb63812da8d1425aa472971f55d8dc6dd870bb

SHA256
6ebed2d4f50ab306c03921ed03f414a48b6867f92dbd270bc0256d2848d6d657

SHA512
7c1fc3e4f6dafa3f8ab2360862038445982f7fedd0fa59a6fe245d4044ccc3ca491353143c7c084f30daf561f50cebab4541f6142b857f28865d7a0b8ab10898

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.log

Filesize
298B

MD5
958cdfca1916114dc51ef3898363855d

SHA1
9ae36b9ad69f755f57183f5eba120b7d5b99ca7b

SHA256
f5899a6e77a53646fbb02a0c28e51ef2e70bc74800249fe039fff0af0e3c4972

SHA512
15c4c0a8932592d45759e6af2918ffc7a06eb28d30a8ac737ad45aac15cd97e30f76f5fa65af23c4680d2a080623703938a04fe6492fbec6b4e679c6303a57f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.log

Filesize
293B

MD5
2a22c7b76f415433f98677a38304e0dd

SHA1
1123c07dce568477a62f4438ca59e51c6f656680

SHA256
89810d58b171a0daf3941a67cbc1c6461a1a9882cb1e50cbc1fbaa73175ec937

SHA512
9ad302d9f4ada1806e60881c1b9990d54a68a41cb037307dee813cefa8d49066216a18116bb89c58d31cb2206e001e335c7f1b50e254374a5ee69f624ca82ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.log

Filesize
288B

MD5
8a24823219caea9aa8c54a6b907441d5

SHA1
3d2ac860d998e07c3fc44c6596fc45b8320cfddc

SHA256
288faf909e3671b720003467d2dcad46bde949100ae0d16b99484b13187bd1ca

SHA512
5875c2470e26ecab0d48b44ff5cefa8c0cb7464a921b0458a2b08c2c5799dc902e63470de23faa49e2da9d79dab6bdb45ca1b04f82a06bfa54adfee680938d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.log

Filesize
292B

MD5
1f1dc6c177bb542dce2b870ac76088be

SHA1
eb31351fcc70992ccb7ddf3a75fe5f9e7e384244

SHA256
7bc9acf02653fe66f8baa8208dd90d00663b0ff4bbe3fe3305a0429c488a7ead

SHA512
92d0aa3fa722c160a637de45c559b97dcd006d36e5ff217950ff7445b726e7709b11dd78124ca7a5dcf83f2989f4c01efeb8b9be35049255ed60a7044f5f7b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.log

Filesize
246B

MD5
3c004ba8a8c90c0d741660806ef21c3d

SHA1
1eb5d3319f057549b1da31470729a16c8917d0d5

SHA256
6da730f5364919cef2052eaf5be93091787f2abb1523516c0d9bb3b95ddfac6f

SHA512
d3f06c5c5c3c10c0bb1e6b3103378024e1a1cdaf837ffbc4aabeebb950b9e44b1d2a7fb4118988bcac6a00e700a46fafaea7c52bc9efa7808914a4f156d0b72e

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.log

Filesize
245B

MD5
5c60dde8931186722cc01e769c9b5fcf

SHA1
379f2e56e6ca5d573cd8e7d9eef3d42b83c334af

SHA256
c96dcf2cd7184170982888cdd2ab5c4d90948aeae09e0f38a8fef2d7ed8c954d

SHA512
1785df66c29abe515473c892e9290e9c6b3880eb37c82a1abcb077d0a2d7454b9f7fc0548b94681c2ce15d171fe1ab3f556a3b53884abd6a2cd06d59b8cd4223

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.log

Filesize
251B

MD5
cae50f64ae85678091a68db0c7eaaa3f

SHA1
89318fdfed67719d94bb4ed87757c37e85b37027

SHA256
672f256eaa777fd01db568b56d90968221618c08b320dedba34d67c819d48c6d

SHA512
449cf01dbd23d64658e011c88001de3df1f6a565c8ff1d4fc9fc937670fb132bc3d1bd3ddc1473efe79f7b0bbe7c30fea314f25adf0a6747248d5623a13f4dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.log

Filesize
289B

MD5
a9dcdc9f24e739e9e68279d41d4b4833

SHA1
697386f81170919622bd96f33bc76617be4a101c

SHA256
f5f45b4cf1e9fb0071e9b9de337420dafb029565ec3cb17ae43bdbf8650c98c9

SHA512
748b060a227255a7fd0413b8591d9f720116db28f25d885023a134e4c15f49d1d8ba71c1722b4a97122c3445dce3ff262278dbfc01d1978ad4abae8342ddcf98

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\svchost.log

Filesize
288B

MD5
ca554c91020b4066a9c8f05457f93035

SHA1
9efb1eeee03644d73c1ac08a9f9f91d737e250bb

SHA256
0404d780da3e2fbe786cdd4b4d7c64ce9da7e63f20a6113706d0561569901019

SHA512
a01972b96af97487fe561e78f49fc3c2e7bc4fb6d32cc10394ec88f36e2e1d2d5061dba0c9d6cf2cbc6cb993ecf2e1e52a35e9bd81d5ca7d73840c4b3010b592

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\taskhost.exe

Filesize
4.1MB

MD5
c6391727ae405fb9812a8ad2a7729402

SHA1
83693dc297392c6a28f7f16d23414c6d62921711

SHA256
d98fbfca17f194400d19111e4813340e6666b254b99f833739b661a4d2d0217c

SHA512
7a4e2ff93d853415d433f5e90b36959c78b77590aa1fa00753831eb4d01cb1a972bb9e39eb8dee5b216005e7709eacda51c0c410aacfe37fcdb163603fd36570

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\taskhost.ini

Filesize
44B

MD5
dbfea325d1e00a904309a682051778ad

SHA1
525562934d0866f2ba90b3c25ea005c8c5f1e9fb

SHA256
15a3a3303b4a77272ddb04454333a4c06aa2a113f210ba4a03314026e0821e6d

SHA512
cd853c67c2b1a44c3f592ff42d207b2251e8b9bc1eb22fc12cd710329069ef75abffccd169418c4f9bd008a40f2fbbfc6904519f27fd658f316309f94b8ff59c

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\taskhost.log

Filesize
702B

MD5
01e9d01b69215688850db37f779b0396

SHA1
d25d695e788924c4d30b34562793e893bb2e81eb

SHA256
dcea5bc539e7c892c72aded15c73748c02a10f8c6989045047ac304f334d6c4e

SHA512
a0010b5cc42e87d744cc3caa1b9694e5c50a9a9b6965d174e23972fe85109311d945e0b8672408e0a925b176dcb81456176fc2eede100ce9b359e14671006c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\taskhost.log

Filesize
702B

MD5
4b26d341e8ba49f3fb001a7edee9b43e

SHA1
20a4c89b63738bc1f99329f9be21fe878f867a9c

SHA256
36ec3a5efa75330667da5aed8cf25db0c659b1e5893d1d271029e72eaad64bc3

SHA512
5a2bdd2155263f8b23c89c6a425cdd1a5810df225d6fbb33299e9571b354d335112cfbdcf1483448d84216789c5fa3e7f6defc6dec5b8132df88c86ddcbe12ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\taskhost.log

Filesize
702B

MD5
30d8b477604688c91ce85eb5cb2905dc

SHA1
c5e03b62b48dae2c3db7eb08d652a78134b2c946

SHA256
f3690fcee64fa62d2a393a60ed0921bcf682f28bdb957e3ff7c80f74f698b717

SHA512
96d43d2e68d90b7a1122688c8d14494724521af2a3923a5585764ef2e0bb7b8f615ca9a9c17b650a1b9c1efa9cb2adf8e33a597a1ae2e0dffe249c2cf86d9d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\taskhost.log

Filesize
702B

MD5
0516caa6b6b00fb8c4e90c43abad9d2a

SHA1
e9fc7dfac10a441a68d64bb711de356fd20777a9

SHA256
24e7fef7cf564d72381e91b0c7fd56c7b6207f60d59a28859df2d8394a06c978

SHA512
bfb8f8a7c6c00d23c15682a76a483248ce59b755688294656955f7b3701568fe8834eb03ab7609b30fb0568d08282022b10f9ba8e8f2d411f1f77efaa153103f

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\taskhost.log

Filesize
698B

MD5
aac71a775e2b9694984091c7e966440a

SHA1
a8c1ccbc10caa7a7349c2225b8ea74425b389662

SHA256
6dd4c3375ed3a5f2f0611c5b79284da792c3cc3480839556c7a50f9f25891208

SHA512
c38acececc7726fb2e55572b11404f19d2ee4b07fac391222d4b49dd5cd9396ce0197044c11b752ea36f6ea7e624a3e212d71fe572d4e2ae287d1269a0dfc2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\taskhost.log

Filesize
702B

MD5
c124a41978ae3592aede3f7d39593dd2

SHA1
dad5f81aae4b6c7167320c34d719c9bbf03dd1d9

SHA256
e4f7167e47f49af843d69a18d7c923e15314edcd79ca5624cf76fd74276983c7

SHA512
895a7b74da3d863405c7b5b5676000e80d482392b934f4ac98f84821da57a8f1ee72be7e1c7801265f34b53c827b9dd87d14eeee16d544a55729941b4f4407ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\taskhost.log

Filesize
702B

MD5
1db18791eb6ad5eee1cda9fce316693d

SHA1
e9641a174cc09b9d925614ea6bfded9f47c32d5f

SHA256
45767d1748fddf41d2f1fa152fd642a2d7c6c4c4bea4dbf91afce62229d3d0a0

SHA512
eafa5c25a3bf64e125b1a6dbc9c394b632563253abfdd04b2bfab9b27d3c2e2e49f6211adab2572273915a7c463ba934bf547bb9183c9cba74900349fbcf0f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\taskhost.log

Filesize
702B

MD5
c63cc8fef84c90ff750619e9f7a070a1

SHA1
c34208e9ccaf5a27978d35d5c071da6d510d86e1

SHA256
d60aee132728e81ef906fe62829129579b72b443cb3e936f40b055dcb9cbb62f

SHA512
a6211e21704cd02acd753ebc13377a4a68a3aa17746f3d351ac8afde5d50f59f21a50a99616cc48ca67b7bea8b66b4f274c7ba1201d8f385e8007ee9e129b35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\002cd0a287904698870dbd4375e8565a\taskhost.log

Filesize
702B

MD5
a28b29f5d66bc88a23e484171370febd

SHA1
5afd5a62fab353509ba2d1917ceb761c57adb1ef

SHA256
36c65919462b4bdd46a4a38f7d9779f9d5877b9018f9a7ac5d57e5ff6b5391e7

SHA512
a193ecf96bccdf6e281e6bbd3ee0f6dc774c470e5cb49fa2384fa8fd7cd579443a3ab0b2825a8cbea1aedd3ad2259e037af020f48696c37d28a4de9273177835

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
5KB

MD5
f43cd99ff87cf76c84000496b003b4a8

SHA1
e0bd287e8c21f2b0068fa5a89a9f7536608b19da

SHA256
43b1da365ce88f71c1e1ade59910fef29fa8304bf88d70ea38bccc34536f5ea0

SHA512
f27a439cf85445ee34af6c9a1822ebb8bdb1c5e27607d364f396291e351f68929ad591f5faeb294c25363022e385db6cf021c70f5e5646cf51e6b3f42d50b640

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\bookmarkbackups\bookmarks-2024-12-13_11_nY2UnmWF4+eIKcjWweMRDQ==.jsonlz4

Filesize
1004B

MD5
580409605ef85cc2128425544df54d84

SHA1
324444a53dd6d0c6451f327dc2faf09c95e1a31d

SHA256
00f4c64feb590d8264a9bd4747b1edcade36bcaf70861ec0424163d24e97713c

SHA512
32ce3bafd40566af19718745d510153b1128c0c68db399d8fe9d3d7e38acf0589cc8bedc2f2a5e3caab8039826ce6a987c2cf30e0fff3d5dfb349171b9c326c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
e57e3bb2012a75685c896f4d29292247

SHA1
93f7f48dfb03a6741d913a269eb22a167cf19c71

SHA256
5941024302c98b3fdc09d00957370cc549111b15dea318a84b2a4acba8d4ff4e

SHA512
07534fcbcd99225a22315a7197c72a7837198a6f87da8bad36db602da61f27e5e7c75431bf923bfd70c2e68cc16559d8764ed877d69d6732303a13ac3fd11572

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\datareporting\glean\db\data.safe.tmp

Filesize
12KB

MD5
0302f968683af24f5b319b757dec42cb

SHA1
b1cab7743fba32f9e2699cc0cac8d3239ec5a11a

SHA256
b982d1e7bac23eafd6de0dc6b7c519d335007a5a5b32f1ea43fafadf9218b1e1

SHA512
7d795830d056a5ddd3770718f16441c57f0ba68330511be032d94d4952bd4f5a9cc78c0bf56e11f863da2c8158a6d4cde46c70f12939d4119d80d3c32f0810bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\datareporting\glean\pending_pings\ca6a6138-06fc-4a1d-9866-fac45c5988e6

Filesize
982B

MD5
36e4e95f4ee06890e95a37b919414076

SHA1
64877d3d12633fa30ed7c49b2d6ba16289d50181

SHA256
f4653d3d720749ca090adc541045750b807a06fdad2a1223a65cc02c02bab583

SHA512
d8ba4c3d6243dafc5af964043a7b531b4af62d6e0cab9a7aa6d302bcc90bf9dca9082ca53571ea981930fa50d46d5ff6d36d2f53e4dc2af52bf29442b4983ae5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\datareporting\glean\pending_pings\deb8726f-87d1-4e82-98e2-f6d12660d30b

Filesize
671B

MD5
8825a2b92145a4444843fbbd658d9f9d

SHA1
c7b2ff2998e18d3db6c8eac132bdc2000472ce18

SHA256
a9ca0599c88edc4386bfeecf2239e7be50b3eafc57297da588319f9fb542d0ad

SHA512
ab628fcb54eb0e7a96d53b0ce07cb2c2a422d95ee6fa9a8bf0d51798b15a2432c376bd5cd9da3d755fe2497cc9c69467d2ce3a8efe7eb095538f693d0ab21fa4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\datareporting\glean\pending_pings\e09664bb-1d8a-4814-a81b-3d71aeb47837

Filesize
26KB

MD5
3f6d7b1455aec03dd52fd7e963c00ded

SHA1
e4fed91ce2b1eaf5ce017e152db41aed8589c800

SHA256
22d85c0046dbba4883bcd97aabdb87b8e7a8cf32d163d5e51f8368860d191efe

SHA512
28113833e6eb152061e6f577ab3efa8b792becd140a87fc9a87cde292efe3e7635e81163aac06b880794ecd7ec1080dacdfaa297a2b7f970b9c7926c0b69b6d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\prefs.js

Filesize
11KB

MD5
07c23d59e1309f08f9a96c35c40c54a2

SHA1
bb52d307c0cd3c9df7bd59921b3b0f36558502cb

SHA256
542d850d60d580fae1e003e3d599f9f59f85797271271f156acb910b23196d55

SHA512
bcc0e03aedaf8ec6fcfb33468c5340f9a92f8e85d24113b0507bbb45eae4c5d81e5c43faf3c8326bd87559f6538ef77b3448df2681cf429b99f1a6c8436bae45

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\prefs.js

Filesize
10KB

MD5
f8cee1cea951cd9ff602e5a785284913

SHA1
05f187cafce155a1f721e6aa4d6a82a567bcb4bb

SHA256
878e5ca27d560f8e836671ff15eac6789307328004e6435d4e4b697d0409b8a0

SHA512
a592c059db97ba9c4dabdda8e8509d1fe48963213556629e1b54951a47a42f707a1fc6cc92f640537b00586a4486ae5bc9f408e274cdcd053065500b88d66438

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
bf46919ed2f20a6368d1c9dd620319c3

SHA1
8c34c8221987165a3ebfcbe6385c7113df0e24d9

SHA256
9877fbe94f518a7a2395d201aab6a21daff71cdb1651289d0861bdca91d98f89

SHA512
6812904b69abd4bd0166364d71cbb9845704958f2deccb7b6d112e6edd201978682beb6906015a9edc2e8a73e98ea4cf04895149014053889280b88b7bab6593

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
66d550cd7a0fbb970afd74cc96f04d3b

SHA1
b38765fadcd767bf75b7c39c4283acc0a917ae70

SHA256
6b7ef7de99f4cbeaa7b063528417cfc05dea046e0e666a14a7d4767b89fea519

SHA512
f139990e4b6f933fc2fef438c3d11acff7fcb2a5888ce85ebae867407e20d6fd76a5dfb4b0c1061dde9a1eab21be1e8a31bd28aeee301088bdd1a3a08e0f654c

Download Submit
memory/320-162-0x0000000000400000-0x000000000084A000-memory.dmp

Filesize
4.3MB

Download
memory/644-141-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/924-99-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/1072-133-0x0000000000400000-0x000000000084A000-memory.dmp

Filesize
4.3MB

Download
memory/1176-49-0x0000000000400000-0x000000000084A000-memory.dmp

Filesize
4.3MB

Download
memory/1516-73-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2220-57-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2280-23-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/2280-34-0x0000000000400000-0x000000000084A000-memory.dmp

Filesize
4.3MB

Download
memory/2308-63-0x0000000000400000-0x000000000084A000-memory.dmp

Filesize
4.3MB

Download
memory/2416-112-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2480-81-0x0000000000400000-0x000000000084A000-memory.dmp

Filesize
4.3MB

Download
memory/2504-155-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2576-170-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2600-104-0x0000000000400000-0x000000000084A000-memory.dmp

Filesize
4.3MB

Download
memory/3060-118-0x0000000000400000-0x000000000084A000-memory.dmp

Filesize
4.3MB

Download
memory/3368-176-0x0000000000400000-0x000000000084A000-memory.dmp

Filesize
4.3MB

Download
memory/3448-157-0x0000000074810000-0x0000000074FC1000-memory.dmp

Filesize
7.7MB

Download
memory/3448-178-0x0000000074810000-0x0000000074FC1000-memory.dmp

Filesize
7.7MB

Download
memory/3448-1-0x00000000002B0000-0x000000000085C000-memory.dmp

Filesize
5.7MB

Download
memory/3448-3-0x00000000052D0000-0x0000000005362000-memory.dmp

Filesize
584KB

Download
memory/3448-128-0x000000007481E000-0x000000007481F000-memory.dmp

Filesize
4KB

Download
memory/3448-0-0x000000007481E000-0x000000007481F000-memory.dmp

Filesize
4KB

Download
memory/3448-2-0x0000000005880000-0x0000000005E26000-memory.dmp

Filesize
5.6MB

Download
memory/3448-10-0x0000000074810000-0x0000000074FC1000-memory.dmp

Filesize
7.7MB

Download
memory/3816-91-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3900-147-0x0000000000400000-0x000000000084A000-memory.dmp

Filesize
4.3MB

Download
memory/4240-19-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/4240-14-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/4376-126-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/4588-42-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download