Resubmissions
24/09/2023, 00:13
230924-ajabmsba4w 524/09/2023, 00:13
230924-ah2phacf96 523/09/2023, 22:16
230923-161efscd76 7Analysis
-
max time kernel
1689s -
max time network
1158s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20230915-en locale:en-us os:windows10-2004-x64 system -
submitted
24/09/2023, 00:13
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
http://oopatet.com/r2.php?e=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%3D
Resource
win10v2004-20230915-en
Behavioral task
behavioral2
Sample
http://oopatet.com/r2.php?e=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%3D
Resource
android-x64-arm64-20230831-en
Behavioral task
behavioral3
Sample
http://oopatet.com/r2.php?e=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%3D
Resource
macos-20230831-en
Behavioral task
behavioral4
Sample
http://oopatet.com/r2.php?e=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%3D
Resource
ubuntu1804-amd64-20230831-en
General
-
Target
http://oopatet.com/r2.php?e=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%3D
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments. In this report every listed read comes from firefox.exe (a browser launched during the run), so on its own this signature is consistent with normal browser start-up rather than evidence of sandbox evasion by the submitted URL; treat it as low-confidence unless corroborated by other findings.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 3472 msedge.exe 3472 msedge.exe 4312 msedge.exe 4312 msedge.exe 3468 identity_helper.exe 3468 identity_helper.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid Process 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1292 firefox.exe Token: SeDebugPrivilege 1292 firefox.exe -
Suspicious use of FindShellTrayWindow 34 IoCs
pid Process 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 1292 firefox.exe 1292 firefox.exe 1292 firefox.exe 1292 firefox.exe 4312 msedge.exe 4312 msedge.exe 1292 firefox.exe 1292 firefox.exe 4312 msedge.exe -
Suspicious use of SendNotifyMessage 31 IoCs
pid Process 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 4312 msedge.exe 1292 firefox.exe 1292 firefox.exe 1292 firefox.exe 4312 msedge.exe 4312 msedge.exe 1292 firefox.exe 1292 firefox.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1292 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4312 wrote to memory of 4596 4312 msedge.exe 43 PID 4312 wrote to memory of 4596 4312 msedge.exe 43 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 
msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 1936 4312 msedge.exe 88 PID 4312 wrote to memory of 3472 4312 msedge.exe 86 PID 4312 wrote to memory of 3472 4312 msedge.exe 86 PID 4312 wrote to memory of 5000 4312 msedge.exe 87 PID 4312 wrote to memory of 5000 4312 msedge.exe 87 PID 4312 wrote to memory of 5000 4312 msedge.exe 87 PID 4312 wrote to memory of 5000 4312 msedge.exe 87 PID 4312 wrote to memory of 5000 4312 msedge.exe 87 PID 4312 wrote to memory of 5000 4312 msedge.exe 87 PID 4312 wrote to memory of 5000 4312 msedge.exe 87 PID 4312 wrote to memory of 5000 4312 msedge.exe 87 PID 4312 wrote to memory of 5000 4312 msedge.exe 87 PID 4312 wrote to memory of 5000 4312 msedge.exe 87 PID 4312 wrote to memory of 5000 4312 msedge.exe 87 PID 4312 wrote to memory of 5000 4312 msedge.exe 87 PID 4312 wrote to memory of 5000 4312 msedge.exe 87 PID 4312 wrote to memory of 5000 4312 msedge.exe 87 PID 4312 wrote to memory of 5000 4312 msedge.exe 87 PID 4312 wrote to memory of 5000 4312 msedge.exe 87 PID 4312 wrote to memory of 5000 4312 msedge.exe 87 PID 4312 wrote to memory of 5000 4312 msedge.exe 87 PID 4312 wrote to memory of 5000 4312 msedge.exe 87 PID 4312 wrote to memory of 5000 4312 msedge.exe 87 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. This signature lists no process or IoC in this report, so it cannot be attributed to a specific process from the data shown here; verify against the full event log before treating it as persistence activity.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://oopatet.com/r2.php?e=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%3D1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4312 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8899f46f8,0x7ff8899f4708,0x7ff8899f47182⤵PID:4596
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,9604924586472228321,7829373685370221275,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3472
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,9604924586472228321,7829373685370221275,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:82⤵PID:5000
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,9604924586472228321,7829373685370221275,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:22⤵PID:1936
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,9604924586472228321,7829373685370221275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:12⤵PID:4652
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,9604924586472228321,7829373685370221275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:12⤵PID:4268
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,9604924586472228321,7829373685370221275,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 /prefetch:82⤵PID:4256
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,9604924586472228321,7829373685370221275,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3468
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,9604924586472228321,7829373685370221275,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:12⤵PID:3224
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,9604924586472228321,7829373685370221275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:12⤵PID:4764
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,9604924586472228321,7829373685370221275,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:12⤵PID:2124
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,9604924586472228321,7829373685370221275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:12⤵PID:3428
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:904
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:988
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵PID:2408
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1292 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1292.0.1697848283\690006338" -parentBuildID 20221007134813 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9e51769-42d4-4722-9607-5043f78b17f4} 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 1972 208ed6f5458 gpu3⤵PID:2204
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1292.1.139898954\1339532091" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c556d641-7c3c-4b76-b777-859f4332450d} 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 2364 208e0b72b58 socket3⤵
- Checks processor information in registry
PID:2324
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1292.2.462187632\654444311" -childID 1 -isForBrowser -prefsHandle 3196 -prefMapHandle 3192 -prefsLen 21077 -prefMapSize 232675 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e991576-f90b-4393-baf9-3ec581a0bec5} 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 3208 208f15b5958 tab3⤵PID:3576
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1292.3.1595258972\781698480" -childID 2 -isForBrowser -prefsHandle 3644 -prefMapHandle 3640 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d595ad80-5244-4534-96e4-9f2ea65cd3ed} 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 3680 208efd6a058 tab3⤵PID:5284
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1292.4.1143996378\729089006" -childID 3 -isForBrowser -prefsHandle 3824 -prefMapHandle 3832 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf200ce4-1cff-445d-b1a9-4da27613f056} 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 3964 208e0b62558 tab3⤵PID:5296
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1292.5.1797340957\522535372" -childID 4 -isForBrowser -prefsHandle 5060 -prefMapHandle 5056 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5fc7477-45e2-4c22-a73f-3822ac80da48} 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 5068 208efd69758 tab3⤵PID:5800
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1292.6.1871186021\1408971987" -childID 5 -isForBrowser -prefsHandle 5204 -prefMapHandle 5208 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc6ffe70-8a87-4447-8ae1-5f993b0c5555} 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 5196 208f3a1d558 tab3⤵PID:5808
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1292.7.2111400018\403305542" -childID 6 -isForBrowser -prefsHandle 5392 -prefMapHandle 5396 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e896ee06-4d8b-4d66-918a-7c044b3c64ec} 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 5476 208f3ac7e58 tab3⤵PID:5824
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1292.8.870784447\367296653" -childID 7 -isForBrowser -prefsHandle 5848 -prefMapHandle 5840 -prefsLen 26671 -prefMapSize 232675 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8c75ef5-a556-48b7-995e-cb3b852e6785} 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 4156 208e0b62558 tab3⤵PID:5344
-
-
-
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask1⤵PID:5264
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
152B
MD5bf009481892dd0d1c49db97428428ede
SHA1aee4e7e213f6332c1629a701b42335eb1a035c66
SHA25618236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4
SHA512d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
6KB
MD558448dea3e890ab44f9641db24dc00d5
SHA145347fbf494290905dc0361688d4be5e8cbc08c8
SHA256bf3d9e706338f229887ab4cfaef638f90802f5bc6106b81d4ba515599acae4d5
SHA5125d39055d83682434fc45796d9dbd4e0ad6ebc4414516de7b63328e4701fde4513de9addc5c901044599f404f8a7d4ed550badb768d0cdd65af6a5cad64f1c1b5
-
Filesize
5KB
MD5c0a30522f95756c20b106e948c3e81de
SHA1a73d2b1f30e2a10e0ef159be0a0f8310fff2c8bd
SHA256a0cd7bfeb5733c3b83d5ec5f3935c5c31bfb3982a37f8448d079e301cb910a61
SHA5124e8b0797af4535d321eb70728b4f9311f464d31c176c7dec60661c6bcdba9e0fb1fbaf8a304b74c35f07aca5c115796013339e4ec78fca689ab9558b877a2cd3
-
Filesize
6KB
MD5ec7c966b5119e593b2de35ccf97e4ece
SHA1eabc049935802595e8f4462c97697e8eb367055d
SHA2560abe179b3537aed606d501199e65dab51d102b6e0d80b6112d98234d32bc5667
SHA512c4c7e3cac42f1c00b188d8096a5accc09cfa110fe11276fc2efdbd5578ab7cf0829b68437208d89d5f99cc19c498a01ef963fc2a02619408ff13f4ede14d8f02
-
Filesize
6KB
MD54656500611c087b967767740aec5f7c6
SHA1182f00e61d669e09b0fa53acd0cc1e7345d0a9a1
SHA2564589f1015f07699225b3a2d6801a7bab99a62b75fab599fd6a84b115a6755f50
SHA5127ed53c5d23d8612dcb32e5d8104c2710da4a4ea879a1d42a1e1316dbbe853c3026516ec8f60905a65f0da0033bad8756e5a8bee17b385c1148a5d062de547295
-
Filesize
24KB
MD525ac77f8c7c7b76b93c8346e41b89a95
SHA15a8f769162bab0a75b1014fb8b94f9bb1fb7970a
SHA2568ad26364375358eac8238a730ef826749677c62d709003d84e758f0e7478cc4b
SHA512df64a3593882972f3b10c997b118087c97a7fa684cd722624d7f5fb41d645c605d59a89eccf7518570ff9e73b4310432c4bb5864ee58e78c0743c0c1606853a7
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD56d9fc2a87898eb15203a9196e449b914
SHA1ad7718c1491c14a63ffee2dc31664a3020fc421d
SHA256cb099d420a1c62fcdd7472102bb1737d8ae3f0032582ec7d8a0b67a3b4b0e00f
SHA512548fe602720ba6009056b1abe2dd637eb0d9f5514697a3deabcccbcae40d93b8746daade219a98f35ce94e0c74a9d3aa43c82991188a47da62906d6445731a33
-
Filesize
10KB
MD50dc0e3114ee5b020ac95bbf2cbf54857
SHA1350258170c3fe058ae662e21128206f291d4d57f
SHA25688920e8db0a593e9c385d23e03856004628d20aa81d5781a0d8e729b07102057
SHA512f2ddd26361f98325847c3729b124e5594849526768a9f27c9ba6a9b25fa7fb6fe55e83e87d3eca37f2af72cee9315768965766bfd5998125a03b1c38a7407509
-
Filesize
10KB
MD53596a5c2ff138c803657a61f7e033d3d
SHA1d77f9eaeeb7418a882ab6079c8fd7e68502f0768
SHA256bfb2d80be0a9afa473de074c9a1130d4e154d26a070ad42081192cb5c6bf64c7
SHA5124b5a6c5c964eefe3d5eee98b952fb69023fa44990aa611536838e3e200ca9ebba3a8b22fcff50a282ea275048e90991e4f17f9f46609dd7ae4d2d7ccdd26df90
-
Filesize
6KB
MD52e179d98b2b54c385ce5e4cca6a44ae3
SHA19ec95b486dbbe77dc9d2c5318b45f809bcd0ca74
SHA256a971283b32ec4cc383c6cc64cc88e8463bde77deab23e0b7352a9a84f1c69ae3
SHA5127065f5f7b54e98c6af462824a4a5d1d6bba11eebda70408f592d238b3e30930e4e9f620b88caa2b973dc9eaf7c0e6aaa5f3205444770677067429b5995016a50
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b7jtu2fw.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 1KB
MD5f45dd660ee5deda2557bf94e0ab1a896
SHA176db3330b82e8d60c075dfcb4b56955e12ba3ff4
SHA2569a4b28c86d798f6ceae3878667ba8e820930bf8fb2805c7d4a18a38041ef05a5
SHA5127deffe22f0af38a95d213fa7d14051c88a9e353c97f733c1bf0989ee6e27e630a7b7a3db44b2c8a4f5fc41e55a987812f0f31f743e3a379732fc1fdf9f8cbc92
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b7jtu2fw.default-release\sessionstore.jsonlz4
Filesize 2KB
MD58333815738a8dd85b05dc9c2de2d8025
SHA1506f60bd94feff87ea16e7df461de5864bbb81f2
SHA25675b5f2b6d59ca2c50950f053185510bbe4a06ee2aad7b21f10a9e0aa9d8fcd59
SHA5129c1c421a9b01971032a70a27a2c51c82e6b1997f3c69ea4730f721a42bc989bfbb2ab41309fac6c7476c51c1364421853b7dbdbe57557599e1322a85b49ded8d