42c77f89ea1a298098ecf3e8939f6c5ccd005742d0482047ee26fbf56728c684

Resubmissions

23-05-2023 13:55

230523-q8krnsfe54 3

23-05-2023 13:40

230523-qyzg3sgd21 8

23-05-2023 13:38

230523-qxc8fsgd2w 8

23-05-2023 12:40

230523-pwbskafc46 10

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2023 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.bat
Size

370B
MD5

1157be1803e2f740eec3a0c69aa44625
SHA1

5963efa7895a6748e74f0aeb94a3b3856787b8c5
SHA256

42c77f89ea1a298098ecf3e8939f6c5ccd005742d0482047ee26fbf56728c684
SHA512

04d698560789eb87f9fdbc32468557d05655558d289749f263fba4cdeb26b1cf83c214c316d60184856a935a9da757a62c361ca8e41804b59606a068a18f3899

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
203	4360	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 55 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "3"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1200	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1376	msedge.exe
1376	msedge.exe
220	msedge.exe
220	msedge.exe
4360	powershell.exe
4360	powershell.exe
4360	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1336	firefox.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
220	msedge.exe
220	msedge.exe
220	msedge.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	1336	firefox.exe
Token: SeDebugPrivilege	1336	firefox.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	1336	firefox.exe
Token: SeDebugPrivilege	1336	firefox.exe
Token: SeDebugPrivilege	1336	firefox.exe
Token: SeDebugPrivilege	1336	firefox.exe
Token: SeDebugPrivilege	1336	firefox.exe
Token: SeDebugPrivilege	1336	firefox.exe
Token: SeDebugPrivilege	1336	firefox.exe
Token: SeDebugPrivilege	1336	firefox.exe
Token: SeDebugPrivilege	1336	firefox.exe
Token: SeDebugPrivilege	1336	firefox.exe
Token: SeDebugPrivilege	1336	firefox.exe
Token: SeDebugPrivilege	1336	firefox.exe
Token: SeDebugPrivilege	1336	firefox.exe
Token: SeDebugPrivilege	1336	firefox.exe
Token: SeDebugPrivilege	1336	firefox.exe
Token: SeDebugPrivilege	1336	firefox.exe
Token: SeDebugPrivilege	1336	firefox.exe
Token: SeDebugPrivilege	1336	firefox.exe
Token: SeDebugPrivilege	1336	firefox.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
1336	firefox.exe
1336	firefox.exe
1336	firefox.exe
1336	firefox.exe
1336	firefox.exe
1336	firefox.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1336	firefox.exe
1336	firefox.exe
1336	firefox.exe
1336	firefox.exe
1336	firefox.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1336	firefox.exe
1336	firefox.exe
1336	firefox.exe
1336	firefox.exe
1336	firefox.exe
1336	firefox.exe
1336	firefox.exe
1336	firefox.exe
1336	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 4216	4600	cmd.exe	84
PID 4600 wrote to memory of 4216	4600	cmd.exe	84
PID 4600 wrote to memory of 4116	4600	cmd.exe	85
PID 4600 wrote to memory of 4116	4600	cmd.exe	85
PID 4600 wrote to memory of 4444	4600	cmd.exe	86
PID 4600 wrote to memory of 4444	4600	cmd.exe	86
PID 4600 wrote to memory of 2088	4600	cmd.exe	87
PID 4600 wrote to memory of 2088	4600	cmd.exe	87
PID 220 wrote to memory of 3504	220	msedge.exe	92
PID 220 wrote to memory of 3504	220	msedge.exe	92
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1332	220	msedge.exe	93
PID 220 wrote to memory of 1376	220	msedge.exe	94
PID 220 wrote to memory of 1376	220	msedge.exe	94
PID 220 wrote to memory of 544	220	msedge.exe	96
PID 220 wrote to memory of 544	220	msedge.exe	96
PID 220 wrote to memory of 544	220	msedge.exe	96
PID 220 wrote to memory of 544	220	msedge.exe	96
PID 220 wrote to memory of 544	220	msedge.exe	96
PID 220 wrote to memory of 544	220	msedge.exe	96
PID 220 wrote to memory of 544	220	msedge.exe	96
PID 220 wrote to memory of 544	220	msedge.exe	96
PID 220 wrote to memory of 544	220	msedge.exe	96
PID 220 wrote to memory of 544	220	msedge.exe	96
PID 220 wrote to memory of 544	220	msedge.exe	96
PID 220 wrote to memory of 544	220	msedge.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" ver "
  2⤵
  PID:4216
- C:\Windows\system32\findstr.exe
  findstr /i "10\.0\.19045\."
  2⤵
  PID:4116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" ver "
  2⤵
  PID:4444
- C:\Windows\system32\findstr.exe
  findstr /i "6\.1\."
  2⤵
  PID:2088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://temp/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa232a46f8,0x7ffa232a4708,0x7ffa232a4718
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,12377164746174577003,16036402631348030339,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:1332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,12377164746174577003,16036402631348030339,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,12377164746174577003,16036402631348030339,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
  2⤵
  PID:544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12377164746174577003,16036402631348030339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12377164746174577003,16036402631348030339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12377164746174577003,16036402631348030339,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:4408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2708

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4404

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\test.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:1200

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1824
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.0.619025120\1258643356" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {045ac8a9-989c-4c17-acf0-8934108c93ab} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 1932 15be7116e58 gpu
    3⤵
    PID:4248
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.1.1276184822\453165461" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29d1bbc6-aaf2-4def-9381-e7796d28197b} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 2332 15bd9172558 socket
    3⤵
    PID:4004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.2.1942635356\266742727" -childID 1 -isForBrowser -prefsHandle 3136 -prefMapHandle 2836 -prefsLen 21009 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {123f6577-d494-4ffd-8910-5034b8681e87} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 3124 15be9df7558 tab
    3⤵
    PID:3312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.3.1892867537\492710714" -childID 2 -isForBrowser -prefsHandle 3588 -prefMapHandle 3584 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {00dde68a-6f86-40dc-b008-895e539eabe7} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 3564 15bea9a7e58 tab
    3⤵
    PID:4336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.4.700483522\1424315666" -childID 3 -isForBrowser -prefsHandle 3724 -prefMapHandle 3940 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef71f9b0-1c62-49f7-b963-971f59ce0920} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 3584 15bd915ee58 tab
    3⤵
    PID:960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.5.938012916\856754996" -childID 4 -isForBrowser -prefsHandle 5196 -prefMapHandle 5192 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fcf188f-488d-4e10-a157-0f07e826dc3e} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 5208 15bec553258 tab
    3⤵
    PID:4324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.7.1522608066\1780127278" -childID 6 -isForBrowser -prefsHandle 5464 -prefMapHandle 5468 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a19ebe0d-fb94-4388-8f13-2242f6d93304} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 5456 15bec5c6f58 tab
    3⤵
    PID:3816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.6.424311349\2134100297" -childID 5 -isForBrowser -prefsHandle 5380 -prefMapHandle 5384 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {959bc0de-18b0-437c-898f-cb173bd8f501} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 5368 15bec5c5a58 tab
    3⤵
    PID:4848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.8.300012371\1616240904" -childID 7 -isForBrowser -prefsHandle 5872 -prefMapHandle 4292 -prefsLen 26832 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e163211-97f9-4942-b6f1-5fbcf90b4454} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 2876 15bec59f958 tab
    3⤵
    PID:3808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.9.2085174436\390713562" -childID 8 -isForBrowser -prefsHandle 5152 -prefMapHandle 5328 -prefsLen 27042 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bae8697c-80d0-419c-9e4c-16a0658d34b8} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 5268 15bd9171958 tab
    3⤵
    PID:1396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1336.10.1810868728\111494840" -childID 9 -isForBrowser -prefsHandle 3140 -prefMapHandle 2888 -prefsLen 27307 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ca91913-c6e3-45bc-8710-6cf4c1df9d7d} 1336 "\\.\pipe\gecko-crash-server-pipe.1336" 3168 15bee5d3a58 tab
    3⤵
    PID:1784

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:4820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aaeb1f5e097ab38083674077b84b8ed6

SHA1
7d9191cb2277c30f1147c9d29d75fc8e6aa0a4f2

SHA256
1654b27bfaeee49bfe56e0c4c0303418f4887f3ea1933f03cafce10352321aef

SHA512
130f1b62134626959f69b13e33c42c3182e343d7f0a5b6291f7bb0c2f64b60885f5e6331e1866a4944e9b7b2e49fe798e073316fde23927ede2c348ba0e56eda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
42f45fe60d4fc7b74fca481a35dfb6dc

SHA1
cc94dbd2fc84990d3ca849deedbe78d37331c735

SHA256
0ff81bfe8be0518d8f0d6ac60e1782d0c04745701c9ec549404fddf3e0604f8f

SHA512
c8855091db9b73ca924a8d3c8c84edba9bc5cc4766816872561d7f2b0d09874636247db6f82815f3d8dfd7a2202e8d664f7b8668925af166cb3e4b01163a2bf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
d6c92ffb83956a742450e2e85c2b42db

SHA1
219d06cb2c91da6328bdc639a8426b42f7b6f15a

SHA256
9c9cc251b70be28080309931c2466ca53fa6d12640a3e7f369747685c64c5885

SHA512
ce71fb28213b26cc42180b59c31d11597ab2b9610375c6be31c01d6114c0c977129194176a46fa77dd21e1549f4c1712237f125a5ee5a9c132f5aca76a06ce61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
fc75c0e431c3649f05d0457d7fc3f766

SHA1
f4a91ce3986190dafae6953a3ee52de973464b13

SHA256
d60a5ebfdc15ec2ea14dca19ccc5da27dbb051625d6ebd0ce2bddba3aa0e1810

SHA512
fcff8f58dde84f2bb7883df88fade7aa2553c6761bb83f0ab0e2c824eae2c99a9f7cfe25a6a314caae71321bfd03586b87e628916e6e967f38ffd36f53d260d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2b0f13dc1204b1b48af269fb00760a8e

SHA1
86cc65a896766688efef17db936e23fa9a9f314c

SHA256
03c184cbd2bc2fd382a98dbb898424705c4d81b1596b919b518632b0c8077b2c

SHA512
99327c2c705191c71a9d7752cc7e7fed2299324fd6397f18fb4ae2cbd7de703b5a9c6be1f6d53ee1e67fab96c0835d30ba88f62f0cf6bbdb85062eaddb9300f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
47e94a96372e6f095b8a3fd7edc48ec0

SHA1
377b68f34e5964ca8be1b1b0c1507dd7f0e5f005

SHA256
15c77bafd922bd085317fd544d0fa129e3b8c814e3ba0d48936366004427732e

SHA512
5bd63de2e831805b723d7ddf1343c3b721ef5b757d9ab01bf8554ef8e29ac2cc09fa104fc85d530f27d66b67280774b3ebbef6729ea3ab61ce8028ab4ba5bdad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
9f0074fde03e4044b487d6e7074a831c

SHA1
0c6245cd015a6803ee32cb6f7796b7fc3a5712a0

SHA256
26e93f435b81ede0d1d67fe45b24e35447011b3f911f6784e7062dba54376ec3

SHA512
6d758fa72be7c15ab96b84b59c57b2b2573ad167e12a587cdd378972c6ba54265383c77735ae8a14fe018387c7d1a0bcb2dd29965126780be8a2d40f14c3a1e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\b2c840a6-9fcc-4bb4-94c9-543222b998f0.tmp

Filesize
9KB

MD5
0b4c3b38faa0646db5b4b12e722affd7

SHA1
5315979e9fbcdef2ab42c0c3fb4f0af99d0cb13f

SHA256
9c6b487db923b053b7b6e46ed935cdb773b234cf51de64059e6bc9f7a5fe184d

SHA512
e6669e974e8f78e1f9badad85933c349c40b055dc4b1817f96e0c00e7edf6a01c9fd763e6fa7709f4e75f66f5f20e34b6236c97d4311a988310b222e9201aafd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\activity-stream.discovery_stream.json.tmp

Filesize
156KB

MD5
953d81ec25d188a3f275118bc08f9ed6

SHA1
1a1d81af20094aa8e847889e303c8ea5046717ed

SHA256
1de702b027afc4884c5254974ee7c97aa1c60658e504a1e6c3443e247d735df1

SHA512
208d680e4c03932e4d9f48e606587ca42d59c60fd4781dda829180f156bd09ca91883705e4740d02bd999d6812e0436e8f3878c9cdef41a46b375d2bb93b0da4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\cache2\entries\3D1339565A2C7A95B097D97B7372A0877F72E01E

Filesize
54KB

MD5
f35518e5312f55970ca015863da56acd

SHA1
3417860ffa147c38c76566a7ac074075661e0f08

SHA256
621ca5f612dab2728fd35915ec5d0b947af1c88b3d2227eeadbf2ec5aa4a3469

SHA512
c321dcb4c15551106a05744f7e515b4f7e2544e89b01af58bacd9002ebe97e06c1989e11862e32ccc91446cd8370aab5f7ed885d6c826266eb24cab27d17fe4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3o45t4ho.g1x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.bat

Filesize
204B

MD5
0ddb39419f005923ee2777b95e3dd524

SHA1
5d02d5fd182fb4af1e5f5a4d22451fba746bd0b5

SHA256
1ca1d94d8fd25f3189152ac0b077e7790e4aa3d0d4cb83d2db3b9ff32c74dfba

SHA512
391fb21b18e4d67baf37c7a58aee52431f23085e902a44a9bf0a68aeeb7f8672ff04276ec1f8cd4c20a6d0092b9d8f1c37ae91c9df428f44ee978829f54421c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk

Filesize
2KB

MD5
d6c92ffb83956a742450e2e85c2b42db

SHA1
219d06cb2c91da6328bdc639a8426b42f7b6f15a

SHA256
9c9cc251b70be28080309931c2466ca53fa6d12640a3e7f369747685c64c5885

SHA512
ce71fb28213b26cc42180b59c31d11597ab2b9610375c6be31c01d6114c0c977129194176a46fa77dd21e1549f4c1712237f125a5ee5a9c132f5aca76a06ce61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js

Filesize
6KB

MD5
fc7249137ed7ffdedef76afbb7926df9

SHA1
df2dc730fb1e1a2ee6fe00253f400ef3d1c8a88b

SHA256
1d6cb7476392aa634f2940a2568df24fae9f202463ca82680ff463f74608d589

SHA512
2386869e7339cd31afb3890c29e2bb9f2c676962f635d9cbd1cba0f15350c748c5d03701dcb5bd019a9a3ccd0276b54b88e64d736217ad28f8ddef25f7f37153

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js

Filesize
7KB

MD5
923fd3bc8583027534ce9235ec7e64ed

SHA1
fa0fa0ae582efdaaf648378a1c44710d40585dba

SHA256
d6e5b66b31afb58ba5db83c5ec63d49e523b3e323c31eddb369df918b2c90bf9

SHA512
dad74954f20c05275104b3f835ad4e4294bdcb86c88c4ffb0415d4d63e8d150a5e4e1644d6025e3d35d8edc46c3e2f05fd8fdb7463c6e9e82af9184d2e8e73f3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js

Filesize
7KB

MD5
33ed7be738cbe9789f2b311fdf6f879a

SHA1
2bb095c132b010e55069dd6036c33f0c049658fd

SHA256
00dbce8a5712b5a799c1ba9e2b81c0f466f23aec2d6c49850f61797da8d5f59d

SHA512
16a9d857d5d2798e7deb73ab0b0ecf625d366ecab0c7159b751b48df7ac828e3d1c368b30a84b7e51ce65dbe18660e373570f5682efe328dac62c009e7486de9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js

Filesize
6KB

MD5
93cec5c2b5ab7e37e1f06478414944c1

SHA1
b20eb1516e8e220650eb4eddb48c7e542a887c0d

SHA256
f35589b6cbd7611e957963d89828693dc616c1b04d1c5eb84b7c641690cdd5be

SHA512
18bde477e3e474cec089e18cefc931de40b30a0653bc3cca3af3b398ba326e204d0596b27d2e090aaf628bcd47977ccb77041e2796cc9b42036fe90494d35cb5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs.js

Filesize
6KB

MD5
108b97b1ff7efbdb1aecce96d55ff2e5

SHA1
bb72b2e0c3d859fe5e821632307a32df331b55e1

SHA256
c5e19d4313b524fffc4859f4fac05ea3dcf408714a736dbd0bb7fcdf5131f80e

SHA512
e0f7678424e68957a1cb521786e9e4e54c179f9a263b04d0c6a96147cb1e242b58bda3e74e6f142dcd9b6dd313a0061c3050af334b149eab9a8040f923da84dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
737daf7d832f3b6748291bf51193b556

SHA1
ce71687b4ffb158a81e498dfb390987676f8e0aa

SHA256
ee3deb47ba19004e73af875d3483bfa90a1ea77c1f3cc93e9c7713965db507eb

SHA512
af09c8cef333b4da350a550d0caa0433c19d4af880cc0946385c2cee6f99ba542e820d53cbb10104d9a6cbb73947c27b9f7307c21324f7ff828b1efcafb0312a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
7924da239695844addadc9d83b4ea14c

SHA1
5a337268b932263c854bef03819b9203f1d25978

SHA256
f443f34ea69604e0557e3e6c85d4fd328106a8b0feb4baf9d90e2e9a05a0d2d9

SHA512
c0c30e7be9d326bf6dea81a1e7ce9687da0e2d86e09ad1e4401147721f5bf18103d60b37295a25e8199aeeb71fd4c06244c40d4f9e9ccd306a1e39823b17cdc9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\weave\toFetch\tabs.json.tmp

Filesize
10B

MD5
f20674a0751f58bbd67ada26a34ad922

SHA1
72a8da9e69d207c3b03adcd315cab704d55d5d5f

SHA256
8f05bafd61f29998ca102b333f853628502d4e45d53cff41148d6dd15f011792

SHA512
2bce112a766304daa2725740622d2afb6fe2221b242e4cb0276a8665d631109fbd498a57ca43f9ca67b14e52402abe900f5bac9502eac819a6617d133c1ba6a3

Download Submit
memory/4360-1421-0x000002C757C90000-0x000002C757CB2000-memory.dmp

Filesize
136KB

Download
memory/4360-1444-0x000002C73DE30000-0x000002C73DE40000-memory.dmp

Filesize
64KB

Download
memory/4360-1445-0x000002C73DE30000-0x000002C73DE40000-memory.dmp

Filesize
64KB

Download
memory/4360-1443-0x000002C73DE30000-0x000002C73DE40000-memory.dmp

Filesize
64KB

Download
memory/4360-1442-0x000002C758290000-0x000002C758306000-memory.dmp

Filesize
472KB

Download
memory/4360-1441-0x000002C7581C0000-0x000002C758204000-memory.dmp

Filesize
272KB

Download