11c4c9a0386be71dfe68af6b96ae2d17e89036ef5b62672c84087c3f80706c93

Resubmissions

25-02-2022 16:28

220225-tysw3shhhm 8

19-05-2021 13:45

210519-8m9k3t3eza 8

Analysis

max time kernel
433s
max time network
435s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
25-02-2022 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

179KB
MD5

61fccc142e2bbf498885bb6e42bae62c
SHA1

7f15507c7798d8b99696c19929c86c6c629eb2f5
SHA256

ae91da58a702252cc0dabcf19fa65e9655c7b7143e71e048aad1ebe59a31aabf
SHA512

a3cc95a442581d02c97d4fe48494b157f37e5dff4ddf175723a2c99e442492370ad65f9f22da29ffd020754445193215b7dadc3515ab8cee91b6dd3b1f1202b1

Score

8^/10

ransomware spyware stealer

Malware Config

Signatures

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

sample.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\AddMeasure.tiff	sample.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertUse.tiff	sample.exe
File renamed	C:\Users\Admin\Pictures\ConvertUse.tiff => C:\Users\Admin\Pictures\ConvertUse.tiff.matryoshka	sample.exe
File opened for modification	C:\Users\Admin\Pictures\DebugRegister.tiff	sample.exe
File renamed	C:\Users\Admin\Pictures\InstallFormat.png => C:\Users\Admin\Pictures\InstallFormat.png.matryoshka	sample.exe
File opened for modification	C:\Users\Admin\Pictures\WatchSet.tiff	sample.exe
File renamed	C:\Users\Admin\Pictures\AddMeasure.tiff => C:\Users\Admin\Pictures\AddMeasure.tiff.matryoshka	sample.exe
File renamed	C:\Users\Admin\Pictures\DebugRegister.tiff => C:\Users\Admin\Pictures\DebugRegister.tiff.matryoshka	sample.exe
File renamed	C:\Users\Admin\Pictures\RenameRead.png => C:\Users\Admin\Pictures\RenameRead.png.matryoshka	sample.exe
File renamed	C:\Users\Admin\Pictures\WatchSet.tiff => C:\Users\Admin\Pictures\WatchSet.tiff.matryoshka	sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

sample.exe

description	ioc	process
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\LargeTile.scale-125.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-150_contrast-white.png	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-options.xml	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-200_contrast-black.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookWideTile.scale-100.png	sample.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailLargeTile.scale-200.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fi-fi\ui-strings.js	sample.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-125_contrast-white.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\3px.png	sample.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\1949_40x40x32.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageSmallTile.scale-400.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_invite_24.svg	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-16_altform-fullcolor.png	sample.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeLargeTile.scale-150.png	sample.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-30_altform-unplated.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_distributed.gif	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\scanAppLogo.png	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.scale-125.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\office.js	sample.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailBadge.scale-125.png	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\uarrow.gif	sample.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-125.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-40_altform-unplated.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MediumTile.scale-100_contrast-black.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_reject_18.svg	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\ui-strings.js	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\error-icon.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\SearchEmail.png	sample.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\MedTile.scale-125.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.scale-100.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\Landing.svg	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlMiddleCircleHover.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\ui-strings.js	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\selector.js	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\tr-tr\ui-strings.js	sample.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\powerpivot.x-none.msi.16.x-none.vreg.dat	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48_altform-unplated.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-60.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\createpdfupsell-app-tool-view.js	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\rhp_world_icon_2x.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fr-ma\ui-strings.js	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSplashScreen.contrast-black_scale-100.png	sample.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarBadge.scale-400.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\SmallTile.scale-100.png	sample.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Dark.scale-150.png	sample.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-300.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\SmallTile.scale-200.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderMedTile.contrast-white_scale-100.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\be_get.svg	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-200.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-256_altform-lightunplated_devicefamily-colorfulunplated.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreLogo.scale-100.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\WideTile.scale-200.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInAcrobat.gif	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\digsig_icons_2x.png	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-400.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\plugin.js	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-100_contrast-white.png	sample.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailWideTile.scale-200.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlOuterCircleHover.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fr_get.svg	sample.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exetaskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 36 IoCs

Processes:

firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exe

pid	process
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

taskmgr.exefirefox.exe

pid process

2396 taskmgr.exe
936 firefox.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

taskmgr.exevssvc.exefirefox.exe

description	pid	process
Token: SeDebugPrivilege	2396	taskmgr.exe
Token: SeSystemProfilePrivilege	2396	taskmgr.exe
Token: SeCreateGlobalPrivilege	2396	taskmgr.exe
Token: SeBackupPrivilege	736	vssvc.exe
Token: SeRestorePrivilege	736	vssvc.exe
Token: SeAuditPrivilege	736	vssvc.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

sample.exefirefox.exe

pid	process
1040	sample.exe
1040	sample.exe
1040	sample.exe
1040	sample.exe
936	firefox.exe
936	firefox.exe
936	firefox.exe
936	firefox.exe
936	firefox.exe
936	firefox.exe
936	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exefirefox.exefirefox.exe

description	pid	process	target process
PID 364 wrote to memory of 1052	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1052	364	chrome.exe	chrome.exe
PID 948 wrote to memory of 936	948	firefox.exe	firefox.exe
PID 948 wrote to memory of 936	948	firefox.exe	firefox.exe
PID 948 wrote to memory of 936	948	firefox.exe	firefox.exe
PID 948 wrote to memory of 936	948	firefox.exe	firefox.exe
PID 948 wrote to memory of 936	948	firefox.exe	firefox.exe
PID 948 wrote to memory of 936	948	firefox.exe	firefox.exe
PID 948 wrote to memory of 936	948	firefox.exe	firefox.exe
PID 948 wrote to memory of 936	948	firefox.exe	firefox.exe
PID 948 wrote to memory of 936	948	firefox.exe	firefox.exe
PID 936 wrote to memory of 1532	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 1532	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3256	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3080	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3080	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3080	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3080	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3080	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3080	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3080	936	firefox.exe	firefox.exe
PID 936 wrote to memory of 3080	936	firefox.exe	firefox.exe

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1040

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2396

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffab3e54f50,0x7ffab3e54f60,0x7ffab3e54f70
  2⤵
  PID:1052

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:948
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="936.0.631519261\302609142" -parentBuildID 20200403170909 -prefsHandle 2064 -prefMapHandle 2056 -prefsLen 1 -prefMapSize 216161 -appdir "C:\Program Files\Mozilla Firefox\browser" - 936 "\\.\pipe\gecko-crash-server-pipe.936" 2160 gpu
    3⤵
    PID:1532
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="936.6.1614987940\1866993424" -childID 1 -isForBrowser -prefsHandle 1960 -prefMapHandle 2008 -prefsLen 708 -prefMapSize 216161 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 936 "\\.\pipe\gecko-crash-server-pipe.936" 2556 tab
    3⤵
    PID:3256
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="936.13.358960565\2113770606" -childID 2 -isForBrowser -prefsHandle 3024 -prefMapHandle 3020 -prefsLen 753 -prefMapSize 216161 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 936 "\\.\pipe\gecko-crash-server-pipe.936" 3036 tab
    3⤵
    PID:3080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="936.20.1990642490\1605788752" -childID 3 -isForBrowser -prefsHandle 3416 -prefMapHandle 3412 -prefsLen 8151 -prefMapSize 216161 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 936 "\\.\pipe\gecko-crash-server-pipe.936" 3380 tab
    3⤵
    PID:2600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="936.27.1255951810\283985959" -childID 4 -isForBrowser -prefsHandle 2860 -prefMapHandle 3304 -prefsLen 9887 -prefMapSize 216161 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 936 "\\.\pipe\gecko-crash-server-pipe.936" 2884 tab
    3⤵
    PID:400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="936.34.1997031220\1326932171" -childID 5 -isForBrowser -prefsHandle 3112 -prefMapHandle 3016 -prefsLen 12419 -prefMapSize 216161 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 936 "\\.\pipe\gecko-crash-server-pipe.936" 3124 tab
    3⤵
    PID:980

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5
3f2fc9950237c905650b841809bca2a8

SHA1
89c6b1489d8aa00ccaa3738d72ba6193923e16bc

SHA256
7ca9a484be0f0adb35e1c194191590efb7e22a52a3ab7b2f7c8df0ed596f2a54

SHA512
7420b183cef7509d50427477bdee2df5dceb1d4d694c3b2afd16dd05c3e25edd3de49bd1ebc841de46383a5bef50c9a0d5f43a62071dd114fce0851fbf301ba2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5
3f2fc9950237c905650b841809bca2a8

SHA1
89c6b1489d8aa00ccaa3738d72ba6193923e16bc

SHA256
7ca9a484be0f0adb35e1c194191590efb7e22a52a3ab7b2f7c8df0ed596f2a54

SHA512
7420b183cef7509d50427477bdee2df5dceb1d4d694c3b2afd16dd05c3e25edd3de49bd1ebc841de46383a5bef50c9a0d5f43a62071dd114fce0851fbf301ba2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\AlternateServices.txt.matryoshka

MD5
2163808299db50591734821561142111

SHA1
583a912db6bb94190313e92eedc0cb5327540121

SHA256
41e6014fff2f15f039b9d3cc57f92faa3c9cdad9ecb4c9b24fba1dc949753abe

SHA512
3ef7e45948ba6067875bf60d7393e589104f186e96f73ea396bc7819628d70b58550d2516f44e4c631e6780a0359ee9b21808e7c208fa003577cb306806d5e99

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\SecurityPreloadState.txt.matryoshka

MD5
2163808299db50591734821561142111

SHA1
583a912db6bb94190313e92eedc0cb5327540121

SHA256
41e6014fff2f15f039b9d3cc57f92faa3c9cdad9ecb4c9b24fba1dc949753abe

SHA512
3ef7e45948ba6067875bf60d7393e589104f186e96f73ea396bc7819628d70b58550d2516f44e4c631e6780a0359ee9b21808e7c208fa003577cb306806d5e99

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\SiteSecurityServiceState.txt.matryoshka

MD5
86c9c4536e60892613c0057c4bb7c4ae

SHA1
02e5e4744fa58724823b22f9e389a05824e88aaf

SHA256
decdba0049d707c748efd1a88bd78e39b9fd4c0389698ea7b116039934574f26

SHA512
49e4a413059fe02c4da6bdb4c88a876fc81989796dcce925479fcc115eef4ba0ff5c2b0cd8b28bd024f4558400d36002947302804423dfbc40df50dcf5e548f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\addons.json.matryoshka

MD5
c717c5714cac344946cd0bad6af4fc18

SHA1
3887d326a1277e3a0a4154784d9985f758f7ff3a

SHA256
0f740e09dfd10e554d599bd0b48c42172a383214e49dc5ac1d2e4a88c40d2ec2

SHA512
b092c03212597082adcb19756c1492c921dc98ab0d000b657f416d79f75bd039302c5ff3be56e79d72e0898cbe277612dfbd4ce523d992bc0d312968e7cc95bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\cert9.db.matryoshka

MD5
9a97f2ec7bb0f59e17ad2449f639a5c1

SHA1
5fb109dd08de39a18b323c0ebe8211ceb83ab36d

SHA256
eefa7d3e269bd5b931684ac6be3cc247152b5df1107efa1c78eb7890d915de67

SHA512
7e95e870a5d7a6b25a043537e3b13045488f42bbd7cdd0fb185cd9bae9490a82529145e00cdadba6a4c81c4316fd42007155e2dd2eb997424d2f37733efd2bcc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\containers.json.matryoshka

MD5
8ce1566a0d568178e6dfb1ad0b0a5aae

SHA1
ef05a61902362b547c766abe0c3651c4d3471e98

SHA256
367912bfbe21f600aa2a548d5d08dae155e5e58b8f74d1a41fb1d5e82e24ab20

SHA512
77717296d9e25378f14046446e3063a019b025ac188029dbff8aaeb0859889f39e23b8044f7b5d2c54f20537480c574845e2485dee6bc368307491e8183ef05f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\extension-preferences.json.matryoshka

MD5
772f84e99fd1a24dcdee86cd2ba052e7

SHA1
15447cac68983f72116ca08ec2d34ef80ea9fe86

SHA256
ed5f5858e97c36a8b8f50e96a6c3831870cc068dc7a9423a5597d37b2a329fcf

SHA512
b08a60dbf38563f75bb4cc388e8cc57ec97714ab1cd60a4027d8c8dbd1490d3cbb246f5f2aa372ecbcfd2ea17ba315c652dd7ec6c7d2602009856de45c9105be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\extensions.json.matryoshka

MD5
5f7e3be2e5739788b95d538ee8288c02

SHA1
bc41f46a5df3d07386221841ace2c0ab0c2ed937

SHA256
d18d3ee0447def2b25262e59ad965697470f8907aff29c0ca0efc2dc7e6ff216

SHA512
d60cc480d1b5eb769ae940ba5df8e5421f099939ae3d12e04a3f94e8ca76fbc1a320cc786fbbb8afb81538ba9ee5246bc1f634fcf511c74ed0573ce3efef2ece

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\handlers.json.matryoshka

MD5
87c4a8d9253c092299bd92e320aca407

SHA1
ae78f1260b6acc72c58c4da3ac82be0ed356ce2e

SHA256
3a69e811c926aee4cb1061a49b53acfa010349e8abb0b5772c7cbbe797c7e858

SHA512
a68e539f28cbcdc1d01983a5f2de2fee6ae46b2992caf69708bc3ecf6abde365178df9c3534a9ddfd816bc59dd91d60958070959e7cd7ea527205eb29ea92216

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\key4.db.matryoshka

MD5
005c6a8266f66ed41add4f8710647615

SHA1
3a27e355b46c1c67a271b52689aedaf1611e83b9

SHA256
e4dc369e7914e75e5d1fa2b3e4e7ce7def26a17cef86c9487d5175d0dc114355

SHA512
c7a2c6a321e65ac2e7298afc828246235252a43d5766918fff42aad04a2caea6758075c280cee97036d391c4873d91439c8b3bcb64dec1323405b11c1ebcdaa0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\pkcs11.txt.matryoshka

MD5
a3b08964a35b929ae585eb4bbab23a25

SHA1
b2df7308d10c038457c9ce512ef38f48df5b8bcd

SHA256
4ea048314e39052888fb1bd99c4d5d3f57fdfd6af6739738ac7527194c7a9f1b

SHA512
e823323f5ae6e786796df028b1fe95957cc7e80e6fb1cfaddc00bdd2a2bcf7da0d1ca5a9deca7b8ae980d9d1bc7eba741236d29add1dc16ee32f82822fcd09a6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\pluginreg.dat.matryoshka

MD5
b109ce5949b56dacbc0a6e954c497232

SHA1
b8860456fccad8ec4ce6b67f89aed663a31a74f3

SHA256
826dfe3504871543c0504859cc5f741470c593ccc3ffedc618be223d486bcf8e

SHA512
31a072a721702fdb0811d4ad90aab91305b492a1706a68aeff3c328644d7e37767618954531c74fdc2a207eec3774178d81d4e4ad2b7705ff1c948abf229369c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\prefs.js.matryoshka

MD5
f9c0c05a892d1fc881c68acb650d7f61

SHA1
1d4955b4a7a2a72c1f14632e57cd1570cf60992a

SHA256
558701d1f64af0ed44cc4111a623c0e623dc9d220960b8b2d9800310462745f8

SHA512
dd4f79be91baf0b8ffb1536e62c5b25eadf47a9c979a7124855065e8701fb667a2493a477fa026cae402b395734f15940e8a2ecb2f6fcd6487dd0392d45776e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\sessionCheckpoints.json.matryoshka

MD5
4c30f79545c005c9bef45aaadab989a1

SHA1
24d902a82e2dd3d4fa947563c41e4ebd1378414a

SHA256
e3cd253dbd46204fcd911e62a22f85ce195dcd26f83f6e286635f8968b293002

SHA512
3f0c1c8d9d0cd44031441573c450e0ba62fff54b9f3dadbe5375bb8ad7b447f392d40ab8a90bb8492dd9ebda6181698398e684ffaacd272dc0e8b4ed2e18c905

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\shield-preference-experiments.json.matryoshka

MD5
4e2588317574321d6d874515399e4922

SHA1
4c75018e712b3a8ea5be38d95a4f722a3c194638

SHA256
543eef9ee28bcd2f050a04f8bfb2c8f41c0d92452ce72f7d90f08578e2b9f0b4

SHA512
069792e7689e14c72762be4596e6f4a204e82f3ec0b675ce3eba17dab93d957dbaaf4682bacdf6143609a21aeb16889efb6388b2b2a50c7a83882c5118859c25

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\times.json.matryoshka

MD5
f06c8025b0db893094b492c287ad181f

SHA1
04aaa72697b2c985bb584fcad22296658f505eca

SHA256
786ecf451c875d3692002d8f5220a262687639b08ff5201751dc8bc7c2736d92

SHA512
7aa49fccfffdc385e6f02a6a03bbb37a883b0b5cb5ed7bc91db6a62ff372188bbd20c9a0feed715d9e82377c4d42373ac890a04b91117e4cfdeb29ae6e511483

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\xulstore.json.matryoshka

MD5
28760dd8b9541231eb0dad7e5ecfb21a

SHA1
b64e8d2a93d9fe5e7d4c38fc8d9a7db42df6ee1f

SHA256
d5e375e17582d7fb727dea2fdd5e67f8df0c493da22d5e9c1c787a4c459ca72f

SHA512
6f0616f0797a789f71b1ddee1488596c77f54caaa4d7722a5722ae6d64826900e5477ed392f8bf299c88acbfa58d77578ac96971d0561bd09169167572685ed5

Download Submit
C:\Users\Admin\Desktop\GroupBackup.txt.matryoshka

MD5
6dcde22b432b25950279618aeeaf8a70

SHA1
6f83fd27fe9c89748a7f4afd84701df669ea1038

SHA256
8aea3775c67c8f9ef8d936a46f001acbe5819ad098e7c908c06af67222cf1a07

SHA512
000ee1471bcbcf66671e342edef0df552fca0add0d9b1ee0c9d2be6c545b9376897eea94e29b70cb33cf2fad408bf864269e135634a16b7dd5ff6488dcfbcf2a

Download Submit
\??\pipe\crashpad_364_FFHVBPHIBGAHOIGK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1040-135-0x000000001C4F5000-0x000000001C4F6000-memory.dmp

Filesize
4KB

Download
memory/1040-130-0x00000000002E0000-0x0000000000312000-memory.dmp

Filesize
200KB

Download
memory/1040-132-0x000000001C4F0000-0x000000001C4F2000-memory.dmp

Filesize
8KB

Download
memory/1040-133-0x000000001C4F2000-0x000000001C4F4000-memory.dmp

Filesize
8KB

Download
memory/1040-134-0x000000001C4F4000-0x000000001C4F5000-memory.dmp

Filesize
4KB

Download
memory/1040-136-0x0000000025A80000-0x0000000026226000-memory.dmp

Filesize
7.6MB

Download
memory/1040-131-0x00007FFAB04E3000-0x00007FFAB04E5000-memory.dmp

Filesize
8KB

Download
memory/1040-137-0x000000001C4F7000-0x000000001C4F8000-memory.dmp

Filesize
4KB

Download