Resubmissions
26/03/2025, 17:15
250326-vsy2ksy1cy 10 26/03/2025, 13:00
250326-p8xwkavzc1 10 26/03/2025, 12:53
250326-p4qlpaxkz6 10 26/03/2025, 12:50
250326-p3esssxkx7 10
Analysis
-
max time kernel
292s -
max time network
301s -
platform
windows10-ltsc_2021_x64 -
resource
win10ltsc2021-20250314-en -
resource tags
arch:x64 arch:x86 image:win10ltsc2021-20250314-en locale:en-us os:windows10-ltsc_2021-x64 system -
submitted
26/03/2025, 12:53
Static task
static1
Behavioral task
behavioral1
Sample
AxoCheat.exe
Resource
win10ltsc2021-20250314-en
General
-
Target
AxoCheat.exe
-
Size
10KB
-
MD5
0d84b857213666d2946cd162f32d28d0
-
SHA1
856e6f634ae15e27550cbfb1210a313174a2deff
-
SHA256
297304093913381095220c0fc22bc6a4c64f4ed2f05a8bc0d71453fa6b7860e5
-
SHA512
7e42b0f5d9089417ce51384642dad234885465d490ee36e05ac43d9e8ab7b4bdc701cc7e57c03da37edf9683590e992a51b0baba61e91f325012e53a77b4df8f
-
SSDEEP
192:d950dmo9JSL75DuLzozbBLVbL/LaTSK0euttj+exz:d950dmo9JSL4LEzbvbL/LiSjeu7j+ex
Malware Config
Extracted
xworm
89.39.121.169:9000
-
Install_directory
%AppData%
-
install_file
RunShell.exe
Signatures
-
DcRat
DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.
-
Dcrat family
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral1/files/0x0008000000028141-36.dat family_xworm behavioral1/memory/1476-66-0x0000000000F30000-0x0000000000F46000-memory.dmp family_xworm -
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
resource yara_rule behavioral1/files/0x0008000000028143-49.dat family_stormkitty behavioral1/memory/1000-60-0x00000000009C0000-0x0000000000A04000-memory.dmp family_stormkitty -
Stormkitty family
-
Xworm family
-
Downloads MZ/PE file 2 IoCs
flow pid Process 12 5552 AxoCheat.exe 213 1320 firefox.exe -
Uses browser remote debugging 2 TTPs 5 IoCs
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
pid Process 4128 chrome.exe 5020 chrome.exe 5092 chrome.exe 4908 chrome.exe 2348 chrome.exe -
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\Control Panel\International\Geo\Nation AxoCheat.exe Key value queried \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\Control Panel\International\Geo\Nation blue.cc.exe Key value queried \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\Control Panel\International\Geo\Nation DCRatBuild.exe Key value queried \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\Control Panel\International\Geo\Nation fontWinnet.exe -
Executes dropped EXE 11 IoCs
pid Process 4720 blue.cc.exe 4792 blue.cc.exe 1476 XClient.exe 1000 Build.exe 1020 DCRatBuild.exe 1452 fontWinnet.exe 2568 backgroundTaskHost.exe 4556 portmaster-installer.exe 2480 portmaster-start.exe 2680 portmaster-start.exe 3064 portmaster-start.exe -
Loads dropped DLL 5 IoCs
pid Process 4556 portmaster-installer.exe 4556 portmaster-installer.exe 4556 portmaster-installer.exe 4556 portmaster-installer.exe 4556 portmaster-installer.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Build.exe Key opened \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Build.exe Key opened \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Build.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
pid Process 3652 powershell.exe -
Drops desktop.ini file(s) 7 IoCs
description ioc Process File opened for modification C:\Users\Public\desktop.ini wmplayer.exe File opened for modification C:\Users\Public\Music\desktop.ini wmplayer.exe File opened for modification C:\Users\Admin\Videos\desktop.ini wmplayer.exe File opened for modification C:\Users\Public\Videos\desktop.ini wmplayer.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini wmplayer.exe File opened for modification C:\Users\Public\Pictures\desktop.ini wmplayer.exe File opened for modification C:\Users\Admin\Music\desktop.ini wmplayer.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 11 raw.githubusercontent.com 12 raw.githubusercontent.com -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 22 ipinfo.io 23 ipinfo.io 25 ip-api.com -
Drops file in Program Files directory 7 IoCs
description ioc Process File created C:\Program Files\Windows Mail\winlogon.exe fontWinnet.exe File created C:\Program Files\Windows Mail\cc11b995f2a76d fontWinnet.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\explorer.exe fontWinnet.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\7a0fd90576e088 fontWinnet.exe File created C:\Program Files (x86)\Windows NT\dwm.exe fontWinnet.exe File created C:\Program Files (x86)\Windows NT\6cb0b6c459d5d3 fontWinnet.exe File created C:\Program Files\Safing\Portmaster.lnk portmaster-installer.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll svchost.exe File opened for modification C:\Windows\SystemTemp chrome.exe -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process File created C:\Users\Admin\Downloads\portmaster-installer.exe:Zone.Identifier firefox.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1200 4268 WerFault.exe 150 -
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language portmaster-installer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Build.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmplayer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language unregmp2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmplayer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DCRatBuild.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AxoCheat.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 5620 PING.EXE -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 5468 cmd.exe 4688 netsh.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe -
Checks processor information in registry 2 TTPs 26 IoCs
Processor information is often read in order to detect sandboxing environments.
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Modifies registry class 8 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings firefox.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7F00FB48-65D5-4BA8-A35B-F194DA7E1A51}\LocalServer32 portmaster-installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node portmaster-installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID portmaster-installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7F00FB48-65D5-4BA8-A35B-F194DA7E1A51} portmaster-installer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7F00FB48-65D5-4BA8-A35B-F194DA7E1A51}\LocalServer32\ = "\"C:\\ProgramData\\Safing\\Portmaster\\portmaster-start.exe\" notifier-snoretoast" portmaster-installer.exe Key created \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings DCRatBuild.exe Key created \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings fontWinnet.exe -
NTFS ADS 1 IoCs
description ioc Process File created C:\Users\Admin\Downloads\portmaster-installer.exe:Zone.Identifier firefox.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 5740 notepad.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 5620 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2568 backgroundTaskHost.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
pid Process 4128 chrome.exe 4128 chrome.exe 4128 chrome.exe 4128 chrome.exe -
Suspicious use of AdjustPrivilegeToken 44 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 61 IoCs
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 1320 firefox.exe 1320 firefox.exe 1320 firefox.exe 1320 firefox.exe 4556 portmaster-installer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Build.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Build.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\AxoCheat.exe
"C:\Users\Admin\AppData\Local\Temp\AxoCheat.exe" (level 1)
- Downloads MZ/PE file
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5552

C:\Users\Admin\AppData\Local\Temp\blue.cc.exe
"C:\Users\Admin\AppData\Local\Temp\blue.cc.exe" (level 2)
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe" (level 3)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Users\Admin\AppData\Local\Temp\Build.exe
"C:\Users\Admin\AppData\Local\Temp\Build.exe" (level 3)
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1000
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All (level 4)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
PID:5468

C:\Windows\SysWOW64\chcp.com
chcp 65001 (level 5)
- System Location Discovery: System Language Discovery
PID:5948

C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile (level 5)
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
PID:4688

C:\Windows\SysWOW64\findstr.exe
findstr All (level 5)
- System Location Discovery: System Language Discovery
PID:5364

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid (level 4)
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4616

C:\Windows\SysWOW64\chcp.com
chcp 65001 (level 5)
- System Location Discovery: System Language Discovery
PID:6084

C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid (level 5)
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4548
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default" (level 4)
- Uses browser remote debugging
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff9a2bfdcf8,0x7ff9a2bfdd04,0x7ff9a2bfdd10 (level 5)
PID:5988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2052,i,4608863673703390032,16404000571921033769,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2044 /prefetch:2 (level 5)
PID:568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2300,i,4608863673703390032,16404000571921033769,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1688 /prefetch:3 (level 5)
PID:1520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2444,i,4608863673703390032,16404000571921033769,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2616 /prefetch:8 (level 5)
PID:552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3292,i,4608863673703390032,16404000571921033769,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3316 /prefetch:1 (level 5)
- Uses browser remote debugging
PID:5092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3320,i,4608863673703390032,16404000571921033769,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3340 /prefetch:1 (level 5)
- Uses browser remote debugging
PID:5020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4420,i,4608863673703390032,16404000571921033769,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4008 /prefetch:2 (level 5)
- Uses browser remote debugging
PID:4908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4880,i,4608863673703390032,16404000571921033769,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4428 /prefetch:1 (level 5)
- Uses browser remote debugging
PID:2348
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinnetCommonSvc\EF1rb20B7Zp52f5Q8odTU.vbe"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\WinnetCommonSvc\ckg6ORaGrHhdrhoaDEIfOHU33jMcFfgqQelkNCXcy5pLINkbo7vRcc.bat" "5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\WinnetCommonSvc\fontWinnet.exe"C:\WinnetCommonSvc/fontWinnet.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\t42QY3qFUB.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\system32\chcp.comchcp 650018⤵PID:5604
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5620
-
-
C:\Recovery\WindowsRE\backgroundTaskHost.exe"C:\Recovery\WindowsRE\backgroundTaskHost.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2568
-
-
-
-
-
-
-
-
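The two subtrees above are the ones a responder would pivot on: the chrome.exe renderers carrying --remote-debugging-port=9222 (the DevTools protocol port, which lets any local client drive the browser and read cookies and sessions), and the DCRatBuild.exe chain (WScript running a .vbe from C:\WinnetCommonSvc, cmd.exe running a .bat, a dropped fontWinnet.exe, then a second batch that runs chcp 65001 and ping -n 10 localhost as a sleep before starting backgroundTaskHost.exe out of C:\Recovery\WindowsRE). The script below is an added example, not part of this report or of any tool the report names: it encodes those four patterns as rules over process-tree records transcribed from the entries above. SAMPLE_TREE is a constructed, abridged copy of those entries; the depth-based parent resolution assumes the tree is listed parent-before-children as it is here; KNOWN_ROOT_DIRS, BROWSERS and the ping threshold are assumptions, not something the sandbox defines.

```python
"""Triage rules over a sandbox process tree (added example; not part of this report).

Records are (depth, pid, command_line). Depth is the number in front of the
arrow on each entry above; children follow their parent, so the nearest earlier
entry one level up is the parent.
"""
import re
from collections import namedtuple
from pathlib import PureWindowsPath

Proc = namedtuple("Proc", "depth pid cmdline")

# Constructed from the entries above, trimmed to what the rules look at.
SAMPLE_TREE = [
    Proc(5, 5092, r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --remote-debugging-port=9222 --lang=en-US'),
    Proc(5, 5988, r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler'),
    Proc(3, 1020, r'"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"'),
    Proc(4, 4008, r'"C:\Windows\System32\WScript.exe" "C:\WinnetCommonSvc\EF1rb20B7Zp52f5Q8odTU.vbe"'),
    Proc(5, 1352, r'C:\Windows\system32\cmd.exe /c ""C:\WinnetCommonSvc\ckg6ORaGrHhdrhoaDEIfOHU33jMcFfgqQelkNCXcy5pLINkbo7vRcc.bat" "'),
    Proc(6, 1452, r'"C:\WinnetCommonSvc/fontWinnet.exe"'),
    Proc(7, 3036, r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\t42QY3qFUB.bat"'),
    Proc(8, 5604, "chcp 65001"),
    Proc(8, 5620, "ping -n 10 localhost"),
    Proc(8, 2568, r'"C:\Recovery\WindowsRE\backgroundTaskHost.exe"'),
]

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumption: folders a process image normally lives under; any other folder at the drive root is odd.
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)", "users", "programdata"}


def image_path(cmdline):
    """Executable path: the leading quoted token, else the first whitespace token."""
    m = re.match(r'\s*"([^"]+)"', cmdline)
    return m.group(1) if m else cmdline.split()[0]


def image_name(cmdline):
    return PureWindowsPath(image_path(cmdline).replace("/", "\\")).name.lower()


def parent_of(tree, idx):
    """Nearest earlier entry one level shallower; None if the parent lies outside the excerpt."""
    want = tree[idx].depth - 1
    for j in range(idx - 1, -1, -1):
        if tree[j].depth <= want:
            return tree[j] if tree[j].depth == want else None
    return None


def find_remote_debugging(tree):
    """Chromium process started with the DevTools port exposed -> (pid, port)."""
    hits = []
    for p in tree:
        m = re.search(r"--remote-debugging-port=(\d+)", p.cmdline)
        if m and image_name(p.cmdline) in BROWSERS:
            hits.append((p.pid, int(m.group(1))))
    return hits


def find_ping_delays(tree, min_count=3):
    """ping -n N localhost launched by cmd.exe: a sleep before the next stage -> (pid, N, cmd_pid)."""
    hits = []
    for i, p in enumerate(tree):
        m = re.search(r"\bping(?:\.exe)?\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)\b", p.cmdline, re.I)
        if not m or int(m.group(1)) < min_count:
            continue
        parent = parent_of(tree, i)
        if parent is not None and image_name(parent.cmdline) == "cmd.exe":
            hits.append((p.pid, int(m.group(1)), parent.pid))
    return hits


def find_odd_image_dirs(tree):
    """Images launched from a root-level folder outside KNOWN_ROOT_DIRS (C:\\Recovery\\..., C:\\WinnetCommonSvc\\...)."""
    hits = []
    for p in tree:
        parts = PureWindowsPath(image_path(p.cmdline).replace("/", "\\")).parts
        if len(parts) < 2 or not re.fullmatch(r"[A-Za-z]:\\", parts[0]):
            continue  # bare command such as 'chcp 65001' or 'ping ...'
        if parts[1].lower() not in KNOWN_ROOT_DIRS:
            hits.append((p.pid, str(PureWindowsPath(*parts))))
    return hits


def find_script_host_chains(tree):
    """WScript/CScript running a .vbe/.vbs whose child is cmd.exe running a .bat -> (host_pid, cmd_pid)."""
    hits = []
    for i, p in enumerate(tree):
        if image_name(p.cmdline) != "cmd.exe" or not re.search(r"\.bat\b", p.cmdline, re.I):
            continue
        parent = parent_of(tree, i)
        if parent is None or image_name(parent.cmdline) not in SCRIPT_HOSTS:
            continue
        if re.search(r"\.vb[es]\b", parent.cmdline, re.I):
            hits.append((parent.pid, p.pid))
    return hits


def triage(tree):
    return {
        "remote_debugging": find_remote_debugging(tree),
        "ping_delays": find_ping_delays(tree),
        "odd_image_dirs": find_odd_image_dirs(tree),
        "script_host_chains": find_script_host_chains(tree),
    }


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_TREE).items():
        print(f"{rule}: {hits}")
```

Against the transcribed tree the rules return the renderer PID 5092 with port 9222, the ping delay under cmd.exe PID 3036, the two images under C:\WinnetCommonSvc and C:\Recovery\WindowsRE, and the WScript(4008) to cmd.exe(1352) chain. The same rules port directly to an EDR query where the parent relationship is a field rather than a depth column; the depth trick is only needed when working from a flattened report like this one.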
C:\Users\Admin\AppData\Local\Temp\blue.cc.exe"C:\Users\Admin\AppData\Local\Temp\blue.cc.exe"2⤵
- Executes dropped EXE
PID:4792
-
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵PID:4988
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵PID:5688
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Downloads MZ/PE file
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1320 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2004 -prefsLen 27100 -prefMapHandle 2008 -prefMapSize 270279 -ipcHandle 2084 -initialChannelId {13d92063-a523-4a8e-a68e-957be17e6206} -parentPid 1320 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1320" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu3⤵PID:5800
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2444 -prefsLen 27136 -prefMapHandle 2448 -prefMapSize 270279 -ipcHandle 2460 -initialChannelId {472a996c-24a8-4642-958d-8769ec801731} -parentPid 1320 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1320" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket3⤵PID:2752
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3780 -prefsLen 27277 -prefMapHandle 3784 -prefMapSize 270279 -jsInitHandle 3788 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3796 -initialChannelId {13612400-24f5-4d9d-8224-e52461c85c83} -parentPid 1320 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1320" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab3⤵
- Checks processor information in registry
PID:5052
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3948 -prefsLen 27277 -prefMapHandle 3952 -prefMapSize 270279 -ipcHandle 4040 -initialChannelId {75cff6bf-4053-4dfc-a90b-9fdb5c9cfb5b} -parentPid 1320 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1320" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd3⤵PID:5080
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2624 -prefsLen 34776 -prefMapHandle 2856 -prefMapSize 270279 -jsInitHandle 4436 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4472 -initialChannelId {bf0e6b55-def2-49ed-81cf-7f096492ba1f} -parentPid 1320 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1320" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab3⤵
- Checks processor information in registry
PID:5488
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5152 -prefsLen 35013 -prefMapHandle 5148 -prefMapSize 270279 -ipcHandle 5116 -initialChannelId {a90fc834-418c-4a1b-8777-30e08c33838d} -parentPid 1320 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1320" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility3⤵
- Checks processor information in registry
PID:1864
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5356 -prefsLen 32952 -prefMapHandle 5360 -prefMapSize 270279 -jsInitHandle 5364 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5328 -initialChannelId {d14b16fd-0445-4a60-bcde-4ef62a454140} -parentPid 1320 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1320" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab3⤵
- Checks processor information in registry
PID:5648
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5544 -prefsLen 32952 -prefMapHandle 5548 -prefMapSize 270279 -jsInitHandle 5552 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5560 -initialChannelId {396d9c7b-772d-42ef-ab55-5e11a41c706d} -parentPid 1320 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1320" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab3⤵
- Checks processor information in registry
PID:3308
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5732 -prefsLen 32952 -prefMapHandle 5736 -prefMapSize 270279 -jsInitHandle 5740 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5748 -initialChannelId {aba63b82-eec7-421f-ac01-f5324c91e620} -parentPid 1320 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1320" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab3⤵
- Checks processor information in registry
PID:3316
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6588 -prefsLen 33071 -prefMapHandle 6360 -prefMapSize 270279 -jsInitHandle 2976 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4432 -initialChannelId {354d4b18-e8d2-4b67-9590-b19568d36e6c} -parentPid 1320 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1320" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab3⤵
- Checks processor information in registry
PID:1300
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6236 -prefsLen 33071 -prefMapHandle 6240 -prefMapSize 270279 -jsInitHandle 6244 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6468 -initialChannelId {464c23ad-8fb0-4707-8330-24b7b8079bad} -parentPid 1320 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1320" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 11 tab3⤵
- Checks processor information in registry
PID:5024
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 1 -prefsHandle 6168 -prefsLen 35201 -prefMapHandle 6172 -prefMapSize 270279 -ipcHandle 6588 -initialChannelId {53158dde-55aa-4f73-a7cf-3afb92415c8d} -parentPid 1320 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1320" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 12 utility3⤵
- Checks processor information in registry
PID:940
-
-
C:\Users\Admin\Downloads\portmaster-installer.exe"C:\Users\Admin\Downloads\portmaster-installer.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4556 -
C:\ProgramData\Safing\Portmaster\portmaster-start.exeC:\ProgramData\Safing\Portmaster\portmaster-start.exe clean-structure --data=C:\ProgramData\Safing\Portmaster4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2480
-
-
C:\ProgramData\Safing\Portmaster\portmaster-start.exeC:\ProgramData\Safing\Portmaster\portmaster-start.exe update --data=C:\ProgramData\Safing\Portmaster4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2680
-
-
C:\ProgramData\Safing\Portmaster\portmaster-start.exeC:\ProgramData\Safing\Portmaster\portmaster-start.exe install core-service --data=C:\ProgramData\Safing\Portmaster4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3064
-
-
-
-
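The firefox.exe entry above is tagged "Subvert Trust Controls: Mark-of-the-Web Bypass" and "NTFS ADS", and the file it fetched, C:\Users\Admin\Downloads\portmaster-installer.exe, runs two levels below it. The first thing to check on the downloaded file is whether its Zone.Identifier alternate data stream is present and what zone it records, because SmartScreen and the Explorer and Office prompts key off exactly that stream. The code below is an added example, not part of this report or of Firefox: it parses the stream format and reads it from disk when run on an NTFS volume. SAMPLE_STREAM is a constructed stand-in for what a browser writes; the URLs in it are placeholders.

```python
"""Mark-of-the-Web check for a downloaded file (added example; not part of this report).

Browsers record the download origin in the NTFS alternate data stream
<file>:Zone.Identifier. If that stream is missing, or says ZoneId below 3,
the MOTW-based warnings never fire for the file.
"""
import configparser

STREAM_SUFFIX = ":Zone.Identifier"
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

# Constructed sample of an Internet-zone download record (placeholder URLs).
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads\r\n"
    "HostUrl=https://example.invalid/portmaster-installer.exe\r\n"
)


def parse_zone_identifier(text):
    """Parse the stream body; None unless it is a [ZoneTransfer] block with a numeric ZoneId."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if not cp.has_option("ZoneTransfer", "ZoneId"):
        return None
    sec = cp["ZoneTransfer"]
    try:
        zone = int(sec["ZoneId"])
    except ValueError:
        return None
    return {
        "zone_id": zone,
        "zone": ZONE_NAMES.get(zone, "Unknown"),
        "referrer": sec.get("ReferrerUrl"),
        "host": sec.get("HostUrl"),
    }


def read_motw(path):
    """Read <path>:Zone.Identifier; None when the stream is absent, stripped, or the volume has no ADS."""
    try:
        with open(f"{path}{STREAM_SUFFIX}", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def is_internet_marked(text):
    """True when the stream tags the file as Internet (3) or Restricted (4) zone."""
    info = parse_zone_identifier(text)
    return info is not None and info["zone_id"] >= 3


def motw_verdict(path):
    """One-line result for an IR note."""
    info = read_motw(path)
    if info is None:
        return f"{path}: no Zone.Identifier stream (never tagged, stripped, or non-NTFS volume)"
    return f"{path}: ZoneId={info['zone_id']} ({info['zone']}) host={info['host']}"


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
    print(motw_verdict(r"C:\Users\Admin\Downloads\portmaster-installer.exe"))
```

A missing stream on a file the browser demonstrably downloaded is the finding to write up; the stream can be removed by a later process (or never written if the file was carved out of an archive or container), so compare against the sandbox's own file-write events rather than assuming the browser stripped it.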
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4268 -
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon2⤵
- System Location Discovery: System Language Discovery
PID:3240 -
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:1924
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 25042⤵
- Program crash
PID:1200
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost1⤵
- Drops file in Windows directory
PID:4584
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding1⤵
- System Location Discovery: System Language Discovery
PID:4712
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Desktop\RequestUnblock.ps1"1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:5740
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4268 -ip 42681⤵PID:5560
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\Desktop\RequestUnblock.ps1'"1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3652
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x340 0x4f81⤵
- Suspicious use of AdjustPrivilegeToken
PID:2720
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4764
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1988
Network
MITRE ATT&CK Enterprise v15
Persistence
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Modify Authentication Process (1)
Defense Evasion
- Modify Authentication Process (1)
- Subvert Trust Controls (1)
  - SIP and Trust Provider Hijacking (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (2)
  - Credentials In Files (2)
Discovery
- Browser Information Discovery (1)
- Peripheral Device Discovery (2)
- Query Registry (7)
- Remote System Discovery (1)
- System Information Discovery (6)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (2)
  - Internet Connection Discovery (1)
  - Wi-Fi Discovery (1)
Downloads
-
Filesize
1KB
MD54127655a53873418d8645d9be78bc1b9
SHA16457a1636db69a3a4a18fda4290eac2d9bca0372
SHA2563f34fb180cebd8e3694182a079f3a0de5f1aff6b5f999e85f5bd6ee43e8e90dd
SHA5128bcb97f6d08dc12a3ca0a1526b4c44fc60ea593a99ec62043dfeca755d87fccee4dc0b571b027d5ab287ed9e1b269012f551347c0a9532eb1e893c05f84bfe95
-
Filesize
12.4MB
MD5b3a42120e87026f23babfe1476adbd0b
SHA1a5b95f933bedc2c6a051d6e94b3f5d22283927ae
SHA25693183497329e05da3a0e4aa0b5c10c0001ff4455915e7a1d32cd931bd47d57bc
SHA5126c44b12caf28eeeafc5aea469a389395f07c631dec436268de137eb966d2e2ea373d414021c6015b05d2f2c8453fdac20ef41a1b366b99fddeef29b78974edfe
-
Filesize
369B
MD5ace9b0bc5611ec2737ea92b34feb7898
SHA1c3a169351680f6011ce4b10735aae5af93330e8e
SHA25676417e19c88ed52f4d6c18ea08ecd562646f433899c5a2bc3676e007c4f67229
SHA512365ec095607912a6bcae36e754cf37eacd88fdd2a33a379495cab293a3bf994e0795dc84ecd5cfb852e12c27c7d26ef6703c28c367ef14336e8cc7d5d31ddc90
-
Filesize
2KB
MD5ebe266a5236dfbc4f928d2cff10f77f9
SHA1828ebc1c5c2066a2597db54293b25047cc6c33d4
SHA256f79bb420bdd4ac24a8c9bcc0c72162625774eea023278aa5b43687701e5b1afb
SHA5122c9edf8c1ee1fcf31b5efb6612ff8a8722e1de8b512ced7042ef6c49c45982eeb9e5dc8808f1c3b16223814140ab62a6a263948901225096106a86244bb45e3c
-
Filesize
457B
MD5f3fceaecd769693e1ae42ce6d4f19d31
SHA117a44a105bc9c5c1e9b974cc2705f823289f1d7a
SHA2563887addc54e68ffb4bf2438b929a13d47f310ad1cb405c12dd22dc9029848c55
SHA5120d79d3c9e8a941f53a616d36f31c0969296d3870c1879e7361fbaca5024912a9eb089a7433db23d7fc24b8c818afa86e45b0375dcc8539c896b3dea1be940855
-
Filesize
12KB
MD556f72698f7a98294bb4571c387ee65e6
SHA1ba0d6855c931f455aa8377d86bdcbc6b1e89d8b3
SHA2561f8937873dc1eef1b3a9800d7d5d51ac7caee6f9e16ea918654f0ef20a702176
SHA512d895cdc1e9dd6140897fafb5b51e4101f58acf8d32d080f2ebf820f6bb81fe0a8c5254a84aa80c31e13f2719996dbb9c0c1d4f7009be98c1af52ece31a1f5eb5
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
80KB
MD5d7057c0f04b1f747c80077027768c821
SHA1e4144ee2eaa9ec06bba46df9071d524a90b7c58b
SHA2568d0ff10d10b8986fe3ed9097a7b4134e0e988302dc975dbbb7e49141665980d1
SHA512e6df6263d123fcdce8b23527bd2e0e7f629dbb3957e6ec804892cda82bb82fbdbc0273e9a8586faf0d7025010fe4bade28ae64eaa7547262ecf33e1e812a6c99
-
Filesize
654B
MD511c6e74f0561678d2cf7fc075a6cc00c
SHA1535ee79ba978554abcb98c566235805e7ea18490
SHA256d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63
SHA51232c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0
-
Filesize
896KB
MD5f02a2da4ee9b86c641b29f5a659066f0
SHA1db6771d040e2d3a34a29c6dd1ab6661f0a0446a2
SHA256562fa26e10c0247d0b3c2bf51f556161ab2c5c7dab4366991b183031c4f6ecc3
SHA512a1e12fc71deb7761228fb91cd42dafb6fd9e8519f75e725d29380f23d78e55801bcdb44a4f43f34a631b2ce3812fc534f9982ba1a2b769460069ee8124c865b4
-
Filesize
1024KB
MD535789f8bba07d7d2b305fe22b7032d68
SHA1ac1ff71fc099f9c0ec0e2e42a38447e1973828f8
SHA2566d0fa873a77301a6dfd750d74e3a818732900a87147c6d59b579590da0a05d3a
SHA512389b270f2f9fd22bd9cb11410cd66d43e83892f5d56532612107a18bca8e6de2e219d7d429bd5e20f3439c73a0495a5b4bd800fd8bdcd9f7c1fa6d86ffd18075
-
Filesize
68KB
MD54d5f104d5285f0af142fce4a8f64e71c
SHA17d2f360262044d715039117e65373ade633dcc4c
SHA256b977f132bd95647b9d22f70ae2782da8e5bbeb6b49924f717269fece5e81775d
SHA512c2843f17085ffa9d2dc7d966d4e0889867c91680e898358f556ec54c17b5031123b3aa6ba9505533a85756517b53d71759c4f2c3f0f90bee87aa11fb090146b1
-
Filesize
498B
MD590be2701c8112bebc6bd58a7de19846e
SHA1a95be407036982392e2e684fb9ff6602ecad6f1e
SHA256644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf
SHA512d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ptqf56iz.default-release\activity-stream.discovery_stream.json.tmp
Filesize18KB
MD558b50c608533656ddaa80d1cf57261f4
SHA156f4dbf6f17d4a11346a01c666a540b603f5bbff
SHA25625689a95891349e27c90a5a49f97669b787961b6fe7dc293d4bd7908f82611b2
SHA512e663b2d9a0e74bf45f930711a8abacd639336ef5e8d3973187ddba3d78c7b2a5984c8761dd82fa7d43a0a1c97de224572cc8855ca66876925490e668f5d658cb
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ptqf56iz.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9
Filesize13KB
MD56e17610bc77225ac8122ff8d6707bab9
SHA1c680e5763df532a7a5c01a6eb0d92a838fed00d5
SHA2562e76d1e16d61dc3e632c82c06172115ed6604e2c35f5d0e5cc73118dc86eba3f
SHA512ec9f3b0b193542de7218d7cfb4ab8dd69d69b64b0dc84f1b527967ad5579f02b2a56c2ccc20fab6b318673a191ade840e96b110635833307e8fb85b35d8a93c8
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ptqf56iz.default-release\cache2\entries\BCE77F27AF7DB788AE98BB53D806DDBEAF80E5E1
Filesize20KB
MD58427dfb290c0982b5bbb3817d45dfbc6
SHA13f2e16cbc07b570be9200ffa65dbcf83e832716e
SHA25634998040086a58c9bc8ef64510b54dd0dc8ea2ef2374805f4ecbf1cbad1228c2
SHA51269e74583849213d272850580591b87c44abc8b44dbe37ff664e968328b22810a3ea6ea9feeb613d6b6363bb3e8f80f66f6c43cb74efc279c15f900e2ec831f88
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ptqf56iz.default-release\cache2\entries\E19316B1CDA62317F9DA2551F9B56E711FCC77AD
Filesize13KB
MD594204cb77879a7b808fb5cc42c565ffc
SHA14cf617ba8a36c21e7e49d4801374929aa84f0903
SHA256a5f4f5b726b2497a683e8a70c1185df071986f12d52a344b64d4d25af6173176
SHA5126dab4d0b5154cfc02341dc7655c0c46e8df2ea022cc0b4a2edabf088e52f95eb6626b6202c858cce6729e680a03eb8e507a5e31655696fbd9cc569e49af86549
-
Filesize
81B
MD5ea511fc534efd031f852fcf490b76104
SHA1573e5fa397bc953df5422abbeb1a52bf94f7cf00
SHA256e5fe7f327ae62df007bd1117aa7f522dbbcd371ec67953f66d786424cb1d7995
SHA512f7d8e575a2332b0fbd491b5e092b7ed6b0942a5165557fcc5d215d873b05103aa6ba01843133871c1c7ac81b10182a15895be49885c98d1a379dd55f88004fae
-
Filesize
4KB
MD581cd0bc0ad9455dd5d8aacb9635265bd
SHA1515bcc09f1ccbd82742050fd65a812dfae76870c
SHA2561edcac36cbd2b2a7761e814bf345cff69fb9e6dd271a85c988107f6a01f4d66f
SHA51209da88c3af5ca8cfd381bc49de3b811e1811a04dfb5de88a730d42ce016f298e25a989ef1b367f0df6c08b33906eebdcb78659874d4934270d967cf51168a47c
-
Filesize
250KB
MD5b8f3934b55afbaa069717cd2e2eda6dd
SHA1b33071c576f2637bd679002f01ca68e4df5112ec
SHA2567cd58601d62de54c16bf279d2eb477a0e5b85f62cbe387268c1bec578db2a1e3
SHA5122bab25ed6f190e56a96986400e5004956d44e3c9fe6e95e0b6540e503ad232ed3c08c85aaf3926a7bab3041fdbe64e363785c07fce9c011fc09abf2c39fde0c1
-
Filesize
2.2MB
MD5730239632db99d16b9f2656950408bcc
SHA1ae877e836becf0b7727cf61c0277446c1c5ed381
SHA2566dbcdb70833bb9ac5656887e6eae082ade4d197bcf6516c70e10ab196a23d292
SHA512bd3b2973c54ee9754f19ef5eba73d9252de285c5d574611b01db0ea3f0c3c145686e319dc2a9f6b8aff94728eb1bfb8485a98152175cca5deed52b6318c16da5
-
Filesize
64KB
MD531d745f5009eeda2da51b2d05d9711c5
SHA126c27b236bed8cb2046acddcc1c7d7b642b7c610
SHA25637330d19e9479d225bf3934cf1b7bb233adc6bf0c8c876f181b814759d7c0b0f
SHA5128319478d1ef266243e26592edbef9acbb07eb6de059043981e7f824424501691d41eef4736f6fe05e7ffc718ed0133489d22bd850c7a6773f7f50bf34207da4b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.9MB
MD540be43dea63f04904cfd432ef46013f3
SHA1deefadb6117beb3f0ef9e05224ca8893b50752ea
SHA256a84860a7eebe804c80b1e8e7b295dbd44fc3cfe196b3e92739b4bbbc145a8796
SHA512f147eed51daec60c3212fcaae7a1b4cebbd87e87edb7f84e3ad235e5f34b2ae5aaa6fbcbb92b4fb682e9ab66b3bdcb35be905a8284bf7aa9dc68ab7a7cbd5b8c
-
Filesize
12KB
MD58cf2ac271d7679b1d68eefc1ae0c5618
SHA17cc1caaa747ee16dc894a600a4256f64fa65a9b8
SHA2566950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
SHA512ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3
-
Filesize
9KB
MD5ec9640b70e07141febbe2cd4cc42510f
SHA164a5e4b90e5fe62aa40e7ac9e16342ed066f0306
SHA256c5ba017732597a82f695b084d1aa7fe3b356168cc66105b9392a9c5b06be5188
SHA51247605b217313c7fe6ce3e9a65da156a2fba8d91e4ed23731d3c5e432dd048ff5c8f9ae8bb85a6a39e1eac4e1b6a22862aa72d3b1b1c8255858997cdd4db5d1fe
-
Filesize
7KB
MD5f27689c513e7d12c7c974d5f8ef710d6
SHA1e305f2a2898d765a64c82c449dfb528665b4a892
SHA2561f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47
SHA512734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc
-
Filesize
172B
MD5a299db0065faa1f694d4bcd1886b7036
SHA1c8edc42c25de36282494837c281359f5931e1855
SHA256026132bfcd51ddde2635b0e9a3e2385cca39f4f564df716397ab7ec241b6ada7
SHA512246d735935bb91d6a1654aa2270c24322e84614694a8601136b503717a345627e66223278bc414ef9ed58bb297fe97ae7dd5a63a6371aaf3f674875fe5f4ddda
-
Filesize
502KB
MD5e690f995973164fe425f76589b1be2d9
SHA1e947c4dad203aab37a003194dddc7980c74fa712
SHA25687862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171
SHA51277991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2
-
Filesize
14.0MB
MD5bcceccab13375513a6e8ab48e7b63496
SHA163d8a68cf562424d3fc3be1297d83f8247e24142
SHA256a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9
SHA512d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484
-
Filesize
1KB
MD5eb944b624533f3bfb8d39460d6645b76
SHA129d4564d310b4359b256e4d2d71708ea9c3c6a8c
SHA256283a5618196fd20b3ed32894c58a3fc969869d56c5abb750fc0b3d2d339c7b59
SHA5127f61880de9f05df00b59b4819a66c7ceaec52d4919b0e64c4d2c1c6966477d4d88af2fc3bcca60e4dfb7f292c5be5ba4465b7d7a280d2129255b9cd89a7a133a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
Filesize1KB
MD5cec67b40adb2caad19ae61b78fe83abd
SHA172b4509b61782984fb1c0ef39d4ed577195d65e9
SHA256ef3a8acc03672181b35858845ac8ab0bb4460ead3a183a282e1362528b5170a8
SHA51273beec2cece339d5bab9ca663ed7eeef1cd08e7563e6fe491bb9422cc26a3f409b78c688104b19786d3c4f3d0d59226223a2c2a8e3ced13470a555df2bd1a133
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
Filesize3KB
MD5749e2082741ecef1a2fed27bf48c0f07
SHA158a4744fe97c102a653251b40d9c85398a17f04c
SHA256cd2184cfc13af4f903b7f4ba1e3b1232736800e92a4d1f7c71bfb3d7d8cc05d5
SHA512e077e6b89109eb8dcdfc96877f04a33ec9c79b3f9017ca9157326d62a675f9fcddfdf69feb77d87c4f702704112776a22a0e61f6f5141319c2384e26a6673ad0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\AlternateServices.bin
Filesize6KB
MD52ede3cdbd219c7e5d3a111e7fd9b57f3
SHA19f2d311429f6d63ca997893fe16c1464746dd7a9
SHA256136833af1b310bfe758c8b0fc15ac902c19882b1b1afb8a3067cc76924b67d6b
SHA5126ea667176c374cc8ef19dccdf1276e087cb658d0c39d7e239a682ecfee82bc16ce185dfd9ee8947e87a43a8d79abb869e552e89119a946b44fc82dfdc018cd03
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD5e400267152240bfc9c858ac6eedbc6f5
SHA1a5d36887bb6a93a966c19fa0cfaed59877145227
SHA25633df9810f65eab9f84019e5943cad72f73cd4a2644c2e1af7d68966097e4c799
SHA5120372acfdc4b64a1de757d090ae62ed365a02e11664160247ea4d9c8b0cf4810cc79bb2f3440f1c43a7db2a67f822126d382f02fe9918abf5952e50892d919f88
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\db\data.safe.tmp
Filesize7KB
MD536031ce4fb40505b1a3f9529504eb6ad
SHA162c91aeef0581a9c6a8874d0070e92e1f233f0de
SHA25663a97da708f0bc389f5014a91a2d4696d1acc824e42382ffd760f1818d8b3c1d
SHA51293c332b03b89a1302a8d88d1fa04be1785db209e9e6dac1d6527d3d29e3b7b6e12ebd98175b94e087e6d6f4fa9ce8d0b984e014d79635b6321fcdfbd859bbdcb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\events\events
Filesize5KB
MD57129a79c42aa62f947bf2ffa1f51639f
SHA183bf08872e8c7795120305e3f9e711598daf0805
SHA256b751fc7e770e6dec71feaf0d7ba2b4a876bd5c07d69e050bb850632b741efb46
SHA51295ab680c758010a112934fa65719835b896beaf78f1ea8439e390fc6701cee086e4749e91bcf1888d7212f7ad33d5901d25f5a677421449ff3d57bd8940c698a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\events\events
Filesize1KB
MD5e10e907fb75c3cbdabe7be3d26a2062d
SHA1cc544e03f08c5d6867811ac36263ee161dc1b4c8
SHA25658a059485af76ea0719eda94d49c1198c3c164fb2db9087dc32650204b87c74d
SHA51250dee3fa0b90b032e9ddede1b9658288f32b9e8a9091a0b30bc159a44928bb4bd4d98f96b7aa59284682eff53cac1ef5767c65e0d97c10ba9c7ad5f040c84183
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\pending_pings\0231b93b-6de8-474d-b7cd-9ebe4eaf064e
Filesize235B
MD5c75abc6895d2baf70e64b5eddb593f4e
SHA1910937e094348b024b2138be11290c556906d3b6
SHA256de44e7fb1333af15542e527691443d92b237bdec278aadf067bdb1b528faa66c
SHA5126b8de6d408eea00c21f8b90b21a3cc14a602cfc6d445df19dcd2623e3b825aa51ddf3af51ed8e24726294a573823f7bc2e4b4073d7e7934d9eaed1e40db55099
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\pending_pings\02715ee1-b1de-4f26-9057-e9d10736ff41
Filesize235B
MD55b7dbf58daf28a18e8512a3357cd6651
SHA10b0e8f9932c51b26ba725e1124eab2844b7e1195
SHA2563486878f157426a5dc78a6e00dbc0629fae1ef9a85e63830ef49d55de94c4001
SHA5122d0d99db0cd37456b2b5bfb405569470f3a224183c99d912f07300b824f3a20e4a7436ba1ad4dfc3a25721a5871358dac5e35665e53634847e6ab0cead2e4a4c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\pending_pings\2454c4e8-d426-4f5c-b290-c42f4053ef6d
Filesize886B
MD574c1b38d87c8504a39e5ecb0d1ba8c76
SHA1d2d3973fee9e06b5e0fa5f5a1953c5260ce07fa3
SHA25605d58b869c86b6930000d87a6200aedafccd54f509edb1d75cab557800923230
SHA51296d441d62e0c75292b390007b01341c456a10b993e46948ed3093ea95e2abdbd4afaab6d01c750c917f35961a4cd4c95d587e391fc84b6c3239bd021719cfa63
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\pending_pings\87d45133-31de-40ca-a373-dafd0060c9a7
Filesize17KB
MD5a3006d024576e94dac9005156c05f2e6
SHA13bd5b4a1f26e2663f7f3b3ce9b407dbadba454c6
SHA2567c2da17c14883b2d445c59f7348b3af692a7aea797c421a82b6df633afab9ebb
SHA512c300dd3cc505650a139487601cde71c0a76d9712cdeb23b5e9d43ec93410ae0f233207566189c2e55f48274a1ba19aa7abb17edca557bd400b85c40cd688da52
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\pending_pings\99689b50-593f-491c-add3-46458f99d984
Filesize2KB
MD520feba2212c2d411d651f26e58d05364
SHA1c049c934f1387d6aeffa354e9d6fefcaf1a1de78
SHA256c6f774171a4d8fa39c44e54ef9e61f39d93bb6e509804e9d23b5aa41e8439e4c
SHA512501fcae24da1ee0d4ba821beb2beba6ca89a79459bf58044eb5caa47e3f88370e3bc003574ea4f36df0c46e13e76088ee712f8f5c0e65a1866dd17fa0827881f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\pending_pings\d99632da-ef00-4c63-a8f8-a22aa6455315
Filesize883B
MD5686d82267c4aaeed127f3f7c1abbea28
SHA16957d5c605323657f6d7d086dd2e6ad28fcc43e2
SHA2562f9c90c8c82a39129255ede0a88e9eec84ecb8add00a408b0194af453a089595
SHA5123ee94331d4a5f0503c3ebae9decb42a718d671ba65f3f7826aed86027c9e4718bcb0eec4f7fe500e2641993bdfe2c7a55cfecb37505eb9af664a46724ca7a64f
-
Filesize
16KB
MD5d517326fdba2df3e325b4f120802d5d5
SHA17904ff09ee31c4c64037bf52409195009b49602d
SHA256a62d0abdc710af1ba04d2c462e2238f11882c5c6a160d2e02fb06c182f932bc0
SHA512d3305374b94650bd957a43a564fc33e34e42316cf0106d014a581aa9dbd62c822e0ee69e88cd2b305c83f44a80be5ff07e84676da3c9b62931b6ea7ff154248e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll
Filesize1.1MB
MD5626073e8dcf656ac4130e3283c51cbba
SHA17e3197e5792e34a67bfef9727ce1dd7dc151284c
SHA25637c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651
SHA512eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info
Filesize116B
MD5ae29912407dfadf0d683982d4fb57293
SHA10542053f5a6ce07dc206f69230109be4a5e25775
SHA256fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6
SHA5126f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json
Filesize1001B
MD532aeacedce82bafbcba8d1ade9e88d5a
SHA1a9b4858d2ae0b6595705634fd024f7e076426a24
SHA2564ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce
SHA51267dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll
Filesize 18.5MB
MD5 1b32d1ec35a7ead1671efc0782b7edf0
SHA1 8e3274b9f2938ff2252ed74779dd6322c601a0c8
SHA256 3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648
SHA512 ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499
-
Filesize 10KB
MD5 03889e4089cba5db87fe96f5a2e6e795
SHA1 5204e2f8260a44234899a68c4c76636e7a0f6b5f
SHA256 56fb1f380ee531a3e242a823beec697339e2aa1528fcabb2a07a9c95a4916209
SHA512 2af3da5671a3a1a981a29e2bb1a9a5ec7411015eb5372238575291f62a41eecdc3cd060972c6cdfc4752b70fbde6b7ef09f13694b9a375cfcae9579dddeb93ff
-
Filesize 6KB
MD5 edd3ac58f2f4bc0601f6cde5fcf47ec8
SHA1 08a0372405e1d467a301b66896248affe71a5875
SHA256 910547946ba5c4b683ba9686f6d490ac9a8a3e48895dc766386bea7697fff2bf
SHA512 0cd3a225159ad5b97d0446060c2949bc38322570ecc682194efd8f0986f53a607c70333e00311616dcd6a42938efaeafb896ed3bd67f0cd906340daf7c981905
-
Filesize 7KB
MD5 af03283394e8204a2db1b42ca27b05d2
SHA1 0b154d8916f76d6825db32b129f1f68ca8b2bea7
SHA256 d482062f89b4833d7f2f030a43c976fa2ec51f4d9b27938431b2d833b48dfbaa
SHA512 c9122a5bec9b868c58965a717f411f55ac6251415d04e1174b42257f6f07f66109162491f7927f8c809110380c13ad1ee630e73bdf56961621f753b4e0d7e7a1
-
Filesize 7KB
MD5 ea458ce65f63370cf997680101aa0565
SHA1 4ba278e4f697c1297c82975787dce7052ad1267b
SHA256 6d5fe9eca7800379173f76726f7df89a76a6bd1a352f5f08c8055937b6b3316f
SHA512 380f9389d21cd18e1d2c1173401164885e249cdbf41a397979dd69e22f3245a3422b4ca7294e23203c7a4dc254db61ab6ba25fd63f13b460a24cee9fffeb24ea
-
Filesize 7KB
MD5 f25d0c5c2cbda9a8aa28363a812f903a
SHA1 2365462471363eaefa10cc644499ebc854fa2814
SHA256 611dfa3e6be93420e7aa884b40ed93e2b9b324a98406b0e397fd43d686e47bbe
SHA512 942283b4f923096aa18c6098ada65cdd743b11ff2e813c43173142f69fab190c0b82ea4e117ce66bfcde23e0e68fa5ff9a58abb94bb7b441025a93e3ac066507
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\sessionstore-backups\recovery.baklz4
Filesize 3KB
MD5 2cd0d97f1d94e53fa6a5abe30266e353
SHA1 a6e60ded21449ca34031e008591841d3375fc200
SHA256 ad280d9388b32e5dfd4a1070f50e91225d4e2215b5c2d643d430fd684e40035e
SHA512 fad52259f4d48e2d6923da9459547ed55c923c068194b489d9ba6e5f3d784fc6669bba722a63f505f0ee8ed41cfea69259324d85aadf1651598a8aabe4ffd180
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize 1.8MB
MD5 f72a1b33885f96d9b2bd19c9d4cc1b86
SHA1 afa07901f9c37eb5dd8fc51a5ae595f51d24f222
SHA256 98e5ac1c1f3220ae141ddea5ac35e3f962345358eace9cdef45a3bd0d7bbe75c
SHA512 f2461d48be97ac7d8eed7d99759d21fffbee987daff87bd121748908d5f4d7af6cc7e171dbfb81e4888f107a21eba250c17340537c6b5a8ce86008a2f2326217
-
Filesize 6.2MB
MD5 6a1673929b17a59e4b26c1bd00b92e6d
SHA1 93e6d222c35fc77a0f013db152bbbd71f8065d2d
SHA256 f43a3e6eef805925d8c3d5bdbe6aa1848bb5b4d8fca55c1e7e291e20c6a10c92
SHA512 9806ee915cfbd6c29aa78ab27ef674567709f618e2351cdf9dc78e48c70113037c3fa8564174b23144b5eaa43a9567323dfd2a91415551910617b8d5ff438c24
-
Filesize 247B
MD5 8fbc46f9794e1b89929cd710e53f0459
SHA1 15453a386f1c94b5ea4cd0ec41aa3c79c5dd2f54
SHA256 aaa6ca00879bea0f370824f57a72071aea49ae438ad2abb3eb4c9faddbab3d86
SHA512 b9fe28c4b771eae1f2261e4e17ec9e6d6055e17a5a2a5a32f8ecc7aaba9cf73f14e89ffafcc3455ed57cfa48fdde6d393630f585349f8ce4d2302543f323dc9b
-
Filesize 89B
MD5 f2c017fa853e79d1fc9f0ef254fbd9b7
SHA1 911039790cbad8fd3d7ff7d5dd3ed0099adc4ed9
SHA256 8848856354f6c99d5821c08136a03c75597f43dbfe1f8475998db4b19e833b13
SHA512 ec1af3b307d7c7d30011ef7a9d0d1b7c53f15cdc7f028163fa40db3711e9d83271dc4a089160d9c9a6b4687ddd87b0cd6fd5bda2e375a080c8d0a6badc4885ca
-
Filesize 1.9MB
MD5 a5696185d5f9c88887e304e46944a366
SHA1 dd3daef6d70edcfbff6e58a123a25e212534941f
SHA256 3672ce6a54d5f04368c85ca8d46b2f0d67b548d05703bb14cf3492dc21fff8da
SHA512 9dadc5dfec936039b09aeed6c49a58cbe1162a9939283efa27d8660ea8aeeafc28d246ddf4270df93d89af15822d1f8b4aebc8d74ba040969753975013b3d579
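As an added example (not part of the sandbox report and not vendor tooling), the following Python turns a dropped-file listing like the one above into machine-checkable IOCs and matches local file contents against them. Such listings come out of page extraction with the value glued to its label ("MD5686d...") or pushed onto the next line ("Filesize" / "16KB"), and some records carry no path at all; the parser accepts all three. Digests are validated for hex shape and length so a truncated IOC fails loudly instead of silently never matching, and matching prefers SHA-256/SHA-512 over MD5/SHA-1. The embedded sample listing is constructed from two records copied from this section; the class and function names are the example's own.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Labels of a dropped-file record. Extraction may glue the value to the label
# ("MD5686d...") or push it onto the next line ("Filesize" / "16KB"); both parse.
LABEL_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5|Filesize)\s*(.*)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


@dataclass
class DroppedFile:
    path: Optional[str] = None      # None when the report omits the path
    size: Optional[str] = None      # kept as the report's string, e.g. "3KB"
    hashes: Dict[str, str] = field(default_factory=dict)


def _assign(rec: DroppedFile, label: str, value: str) -> None:
    if label == "Filesize":
        rec.size = value
        return
    value = value.lower()
    # A truncated or mis-pasted digest would silently never match, so reject it here.
    if len(value) != HEX_LEN[label] or not re.fullmatch(r"[0-9a-f]+", value):
        raise ValueError(f"{label} value has the wrong shape: {value!r}")
    rec.hashes[label] = value


def parse_listing(text: str) -> List[DroppedFile]:
    """One DroppedFile per '-'-separated record of the flattened listing."""
    records: List[DroppedFile] = []
    cur = DroppedFile()
    pending: Optional[str] = None   # label whose value is on the following line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            if cur.path or cur.size or cur.hashes:
                records.append(cur)
            cur, pending = DroppedFile(), None
        elif pending is not None:
            _assign(cur, pending, line)
            pending = None
        elif (m := LABEL_RE.match(line)):
            label, value = m.group(1), m.group(2).strip()
            if value:
                _assign(cur, label, value)
            else:
                pending = label
        else:
            cur.path = line         # the only unlabeled line in a record is its path
    if cur.path or cur.size or cur.hashes:
        records.append(cur)
    return records


def digests(data: bytes) -> Dict[str, str]:
    """All four digests the report uses, keyed by the report's label names."""
    return {name: getattr(hashlib, name.lower())(data).hexdigest() for name in HEX_LEN}


def match_bytes(data: bytes, records: List[DroppedFile]) -> List[DroppedFile]:
    """Records whose digests match `data`. SHA-256/SHA-512 decide when present;
    MD5/SHA-1 are consulted only for records that carry nothing stronger."""
    d = digests(data)
    hits = []
    for rec in records:
        keys = ([k for k in ("SHA256", "SHA512") if k in rec.hashes]
                or [k for k in ("SHA1", "MD5") if k in rec.hashes])
        if keys and all(rec.hashes[k] == d[k] for k in keys):
            hits.append(rec)
    return hits


# Constructed sample: two records copied from the listing above, the first in the
# glued shape and the second (path omitted by the report) in the split shape.
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\sessionstore-backups\recovery.baklz4
Filesize3KB
MD52cd0d97f1d94e53fa6a5abe30266e353
SHA1a6e60ded21449ca34031e008591841d3375fc200
SHA256ad280d9388b32e5dfd4a1070f50e91225d4e2215b5c2d643d430fd684e40035e
SHA512fad52259f4d48e2d6923da9459547ed55c923c068194b489d9ba6e5f3d784fc6669bba722a63f505f0ee8ed41cfea69259324d85aadf1651598a8aabe4ffd180
-
Filesize
16KB
MD5d517326fdba2df3e325b4f120802d5d5
SHA17904ff09ee31c4c64037bf52409195009b49602d
SHA256a62d0abdc710af1ba04d2c462e2238f11882c5c6a160d2e02fb06c182f932bc0
SHA512d3305374b94650bd957a43a564fc33e34e42316cf0106d014a581aa9dbd62c822e0ee69e88cd2b305c83f44a80be5ff07e84676da3c9b62931b6ea7ff154248e
-
"""

if __name__ == "__main__":
    for rec in parse_listing(SAMPLE_LISTING):
        print(rec.path or "<no path in report>", rec.size, rec.hashes["SHA256"])
```

To sweep a host, read each candidate file's bytes and call `match_bytes` against the parsed records; a hit on a pathless record still tells you which report entry it is, even though the sandbox did not say where the file landed. Keep the SHA-256 or SHA-512 column when you export these IOCs elsewhere: MD5 and SHA-1 are collision-prone and are only used here as a fallback for records that carry nothing else.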