hxxp://a[.]com

max time kernel
133s
max time network
136s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
16/11/2023, 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://a.com

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\fr-FR\mpio.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\wd.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\partmgr.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\tdi.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\watchdog.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\cng.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\luafv.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\mouhid.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\usbhub.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\vdrvroot.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\vhdmp.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\sermouse.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\pacer.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\srv.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\BrSerId.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\mouhid.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\it-IT\WpdMtpDr.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\HdAudio.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\intelppm.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\hdaudbus.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\cdrom.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\wacompen.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\qwavedrv.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\ohci1394.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\vwifibus.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\sermouse.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\bthport.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\scsiport.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\GAGP30KX.SYS.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\pci.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\srvnet.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\tpm.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\msdsm.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\1394ohci.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\it-IT\WUDFUsbccidDriver.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fsdepends.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\scfilter.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\de-DE\WpdMtpDr.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\wd.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fltMgr.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\bthpan.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\processr.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\BrParwdm.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\partmgr.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\disk.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\hwpolicy.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\rdvgkmd.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\UAGP35.SYS.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\GAGP30KX.SYS.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\vdrvroot.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\intelppm.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\usbport.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\1394ohci.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\RNDISMP.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\amdppm.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\cdrom.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\rdpbus.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\HdAudio.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\pcmcia.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\BrSerIb.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\amdide.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\pcmcia.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\BrParwdm.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\amdk8.sys.mui	cmd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DRIVER~1\es-ES\prnrc005.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\AuxiliaryDisplayDriverLib.dll	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\deskadp.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\de-DE\wpdfs.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\en-US\bthmtpenum.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\en-US\prnlx005.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\GAMEPO~1.INF\gameport.inf	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\dot3hc.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\Groupinghc.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\Licenses\_Default\StarterE\license.rtf	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\de-DE\avc.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\bthprops.cpl.mui	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\choice.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\getmac.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\shimgvw.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\de-DE\msclmd.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\en-US\prnrc005.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\es-ES\prngt003.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\es-ES\circlass.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\ATIILH~2.INF\atiumd64.dll	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\ATIILH~2.INF\ativdkxx.vp	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\vaultsvc.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\winhttp.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\Dism\de-DE\DismCore.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\en-US\avc.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\apircl.dll	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\crypt32.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\dsuiext.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\MDEFCC~1.INF\mdmaiwat.PNF	cmd.exe
File opened for modification	C:\Windows\System32\C_20285.NLS	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\aelupsvc.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\Licenses\eval\HOMEPR~2\license.rtf	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\perfctrs.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\FAXCN0~2.INF\faxcn002.PNF	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\en-US\prnge001.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\es-ES\wiabr005.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\ARC~1.INF\arc.PNF	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\KSCAPT~1.INF\kscaptur.inf	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\msadp32.acm.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\de-DE\AMDSBS.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\en-US\prnsv003.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\KEYBOA~2.INF\i8042prt.sys	cmd.exe
File opened for modification	C:\Windows\System32\Boot\ja-JP\winload.efi.mui	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\clfs.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\dmdlgs.dll	cmd.exe
File opened for modification	C:\Windows\System32\compmgmt.msc	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\clip.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\sysmon.ocx.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\de-DE\prnrc007.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\en-US\prnep00f.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\mountvol.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\Wpc.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\de-DE\netrtx64.INF_loc	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\de-DE\usbprint.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\EhStorAuthn.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\LSI_SC~1.INF\lsi_scsi.inf	cmd.exe
File opened for modification	C:\Windows\System32\C_10021.NLS	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\unimdmat.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\de-DE\ts_wpdmtp.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\FAXCA0~1.INF\faxca003.inf	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\en-US\wialx004.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\FAXCN0~1.INF\faxcn001.inf	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\ifmon.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\main.cpl.mui	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	notepad.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe	notepad.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 48 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_Classes\Local Settings	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "2"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000078000000	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_Classes\Local Settings	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	notepad.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
760	notepad.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	firefox.exe
Token: SeDebugPrivilege	3048	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
760	notepad.exe
760	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 3048	2980	firefox.exe	28
PID 2980 wrote to memory of 3048	2980	firefox.exe	28
PID 2980 wrote to memory of 3048	2980	firefox.exe	28
PID 2980 wrote to memory of 3048	2980	firefox.exe	28
PID 2980 wrote to memory of 3048	2980	firefox.exe	28
PID 2980 wrote to memory of 3048	2980	firefox.exe	28
PID 2980 wrote to memory of 3048	2980	firefox.exe	28
PID 2980 wrote to memory of 3048	2980	firefox.exe	28
PID 2980 wrote to memory of 3048	2980	firefox.exe	28
PID 2980 wrote to memory of 3048	2980	firefox.exe	28
PID 2980 wrote to memory of 3048	2980	firefox.exe	28
PID 2980 wrote to memory of 3048	2980	firefox.exe	28
PID 3048 wrote to memory of 2612	3048	firefox.exe	29
PID 3048 wrote to memory of 2612	3048	firefox.exe	29
PID 3048 wrote to memory of 2612	3048	firefox.exe	29
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1796	3048	firefox.exe	30
PID 3048 wrote to memory of 1252	3048	firefox.exe	31
PID 3048 wrote to memory of 1252	3048	firefox.exe	31
PID 3048 wrote to memory of 1252	3048	firefox.exe	31
PID 3048 wrote to memory of 1252	3048	firefox.exe	31
PID 3048 wrote to memory of 1252	3048	firefox.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://a.com"
1⤵
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://a.com
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3048.0.256021104\680161057" -parentBuildID 20221007134813 -prefsHandle 1244 -prefMapHandle 1236 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f6e8673-367d-4b04-9fed-a530a2a7a847} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" 1308 14306258 gpu
    3⤵
    PID:2612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3048.1.578704364\17471417" -parentBuildID 20221007134813 -prefsHandle 1512 -prefMapHandle 1508 -prefsLen 21799 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {06f1880a-7f3f-4f1f-95db-db6baab86ecc} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" 1524 e72258 socket
    3⤵
    PID:1796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3048.2.973844008\431429187" -childID 1 -isForBrowser -prefsHandle 1868 -prefMapHandle 1856 -prefsLen 21837 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae34f714-bf85-47c3-89b5-1913c23b585f} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" 1828 418b258 tab
    3⤵
    PID:1252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3048.3.1343741959\801848916" -childID 2 -isForBrowser -prefsHandle 2876 -prefMapHandle 2872 -prefsLen 26482 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ab5e8f2-978a-405d-9cb4-3f11f86fa852} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" 2888 e62b58 tab
    3⤵
    PID:1520
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3048.6.807456095\1943854370" -childID 5 -isForBrowser -prefsHandle 3904 -prefMapHandle 3908 -prefsLen 26541 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b76784b-b016-4d9e-8bff-8151a36adcac} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" 3892 1e67de58 tab
    3⤵
    PID:1660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3048.5.1716147751\2044081728" -childID 4 -isForBrowser -prefsHandle 3740 -prefMapHandle 3744 -prefsLen 26541 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {26028d88-4796-4154-a6d3-b273a9734318} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" 3728 1e67b158 tab
    3⤵
    PID:1668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3048.4.859070062\1615662172" -childID 3 -isForBrowser -prefsHandle 3612 -prefMapHandle 3384 -prefsLen 26541 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5aa5645-68a1-49ba-9823-b630fdd065e7} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" 3632 1d38e858 tab
    3⤵
    PID:2104
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3048.7.968722632\1937674417" -childID 6 -isForBrowser -prefsHandle 2724 -prefMapHandle 2720 -prefsLen 27062 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ee117b3-1d71-48ba-87dc-d108967c052d} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" 3336 418b858 tab
    3⤵
    PID:2704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3048.8.1484669821\1022629377" -parentBuildID 20221007134813 -prefsHandle 3512 -prefMapHandle 3336 -prefsLen 27198 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {25c9a8d3-d9cd-4f96-af0d-5fb32ab94887} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" 4248 21ae7858 rdd
    3⤵
    PID:2816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3048.9.1411575129\319080189" -childID 7 -isForBrowser -prefsHandle 4388 -prefMapHandle 4384 -prefsLen 27198 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c114f169-6a53-4c00-a4e5-e303f82b6fb9} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" 4400 21a1a758 tab
    3⤵
    PID:1800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3048.10.761273406\1095486520" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 3864 -prefMapHandle 4332 -prefsLen 27198 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8330b589-52ef-444c-bfd7-3903a65e3fc4} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" 3872 22cf1858 utility
    3⤵
    PID:3052
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3048.11.124428371\288533991" -childID 8 -isForBrowser -prefsHandle 4524 -prefMapHandle 4528 -prefsLen 27198 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fc0fc1e-a23e-4774-9fb5-615f8b57f20b} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" 4388 22cf4b58 tab
    3⤵
    PID:2000

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:760

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\a.bat" "
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s5818u5m.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
f000f36429f33297d9050cb1d2390c4f

SHA1
918081485af841a5a0ac22c54faf183e56d89df1

SHA256
b186f2531fc492517c9903b1d9f24d0dc0d8fd8a474c82a7aabbc0d80c397ae7

SHA512
05c2e576a067e4694057fe7562f4d2192ee1b2cf876c14e2848c9068f78dc4e85636baf9c6cdd63a0faa54ba48d95ad4e048360e0a3e1e00b21630d9af5e2a35

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s5818u5m.default-release\cache2\doomed\1046

Filesize
24KB

MD5
a60b12bbb796bfd8e2023ff4115d231a

SHA1
7dd091db3077b7ffe6a2f87b544025c59a72af73

SHA256
0c11d03d9c2e69a69748d0525fea6d0b20bae3d9ed50ae325cf8bf30497e49dd

SHA512
4331b1fc98f6df31d08316b1fff27996e4574d06c0b292a8df52eda978b85ba5669f2895c6266318173030d05eac6256cdedbbbaad543253af67ace4e95f29ff

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s5818u5m.default-release\cache2\doomed\22199

Filesize
24KB

MD5
f62a7ff84bfa7b68113a3b0fbb3583c8

SHA1
244cf2a1b20f21caae2d34f01f206474e6ea34e9

SHA256
10226c0074e294eebeb8e851c91a778fdd58f93f6e2c580f7ffaa642be71dc20

SHA512
5fe378075fd5296e4de306fbfef0fd31a535f23058d252e080b8fea568252fd3c3fd8264473d18583b8c721e151c4c8cc58cd9d5427c5c8489b327a0466d0ba6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s5818u5m.default-release\cache2\doomed\26741

Filesize
10KB

MD5
e1c852cce64e4cb89fbdd9acd88e7406

SHA1
66042c141a06ebbe2b69ac2cf3d95343476ba164

SHA256
ebdd987900f7f0beaa263601413f4b6eaed46d3c05f8a0ef27e03ff86c9f292b

SHA512
ebdd2f886bd794e4feb7106f6ad3264c4ecbb9e4728ce3f1ab24e7d3724f44c9aab7197cb5ca56407330b1c4df24a4bcc491a8605c9877f3af36f266e922ad2f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s5818u5m.default-release\cache2\doomed\6184

Filesize
62KB

MD5
2f9469e5ac54b705c1cec70ef6180f4c

SHA1
ef6b8a5828ce086e7e413be68bf2f08eaf58a499

SHA256
b1fdefbf84902e0d6bbfb68efcda6c15db4bccea7a728823d4d6ac8fc1005b84

SHA512
dede7db5565d033668aefb3bda867db39e02ba762c0b19fbfb29eda695e5fafa390950e3611d4cbc21800ad97882cbe54d9b472c72d3a3e1b036a858dd721874

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5818u5m.default-release\prefs-1.js

Filesize
6KB

MD5
aa5bcc2c58eb4527fa4a87e8a24a7e85

SHA1
a1c3a62168d1751116dbd2e061cdef1501b419c3

SHA256
f0be983f4098fc930274450a37835b802308bf89c5751e4cfc3fc2f1c38aa1b8

SHA512
112743ce88bf9c55bc2ab26c59783bd179be26c1da6422a14b7e6077c3141d245945e89886a04cfa5f9ebb80fa5acc3db1ba2573dd52f8a3e6b7dfa08a5d503a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5818u5m.default-release\prefs-1.js

Filesize
7KB

MD5
0f51bc183ad6adbd34ea1d614cd0ba8a

SHA1
312195c0f130bb5b085f1281c5532f6734d1f49b

SHA256
e5987ba7ce2b0017226a06faedd7773adaf1c18ec60088dd3c1033fb8fa2abc2

SHA512
f92da7abe9ea25b377fd65418a5ee19949dab66446cc8e698abade7bc702c8d50050019e9b3daad7e9a8e36892df144ecc0ec095697607dd48430486d55f0107

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5818u5m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
342b244d6a2ad2b59bd93de21eb8a14e

SHA1
efe698d5dfdbd6a83f13801090a77a520b9fe268

SHA256
21a2ab6f594c349f82a9589e9f28a14c19c065726416fd0109b34e129c4b2dd0

SHA512
5525d65133484ce19b2b4eea5b85c10a2cbf1e188c8760f884b6156a5d559f7c5583cad90f7ce14ac0b9e442a2ff8215c1da0520fc88f9bc1fdf78cbd023dbe3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5818u5m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
ef4fa677efdaf3a05770c7d3393444ac

SHA1
d7b093ba0054ffa51ee15e031db618eca6ec87e7

SHA256
5518c68fdbae891c904430a35fdb6fd91dad2f5a15e22c5bd3cd56e24b6b1a70

SHA512
c7574cf09e2ee08af09efa2a2cb669c73f6340941d54d4f87a042ae395737326828533cfde7fec2349452b7442c26be133023f619070f7987aef475961a7fb49

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5818u5m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
3958f8197ae20a5b53421a1390b1b228

SHA1
b8975bbc2c955a8a80bee369d35664130d181869

SHA256
f5bcd9e0d669f4063aed5bd53c23653f6a3862fdb10bd0b917a842be98289c7b

SHA512
441bf45ac3111979ef0b9583d66db0fc08c9ac6e5acbc92757ffe5ec812dfc9677004e1c24102301f0e6be94b4549d02144e8f541e3f624c4eb4faac19caadfa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5818u5m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
dedcfe42d24568fadf6af665b1059841

SHA1
0623a4d79b27f1e87611a88cd6aaf01c197a0c4f

SHA256
2cd546166856b829ddbe109abe799fc70c36d31aa5ae720d1cb66ee096d097e0

SHA512
613ae53d27ab32874a8d085cff83d67fe0fd00259704e4e876445525ce100e937c7a9022ab3360ea5a499741f152187aa6e14a93c6f21ad9ceef7a2fac6711d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5818u5m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
999af4298edc7bcd877f0287dfb38058

SHA1
bc8b2993a719f8dbeadf5d0078eb6b35c21a9021

SHA256
990b5b668503631ddc34e652919afb5a1fb118762ae1f7b6cac0c2d560d2a252

SHA512
77b900bd4db490c8af5872bf4d974eec644a79016a791f0ad0032a1c178e27a0cd5fe7587d7cf07de9aa636c038fe53a32113d484b35e6a45fe124b0b89b0eed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5818u5m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
f353d4fd514cc9f6261650071e4b9d21

SHA1
a27be954cfdbc515c459556e8094b0af40865715

SHA256
f31dee07cfb738a841dac3cb07f8a2b60ecb84d02f616b6f6bbd78224a598dec

SHA512
63c79c434628e5e8367d808ad99bbb433998659366eb10d9bae66656ebf796e25e6bf5154487f89cbfa1da2235fee88c7292049241a88d24c62ec9b5ef2dc4ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5818u5m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
41d38dd9e5ff7eee114298460c5059b2

SHA1
a9fac7987c8d69b8385c46b7424769715225ea34

SHA256
86dc8a058a04560b8586ca16134818511781dc1783613afecc9f7d2dbe5dff4e

SHA512
313501d1175c1d31ada80645c1ee1f4e2a97c24d02c789439e2f12fdf4a7603c89099801289176c15af149b55f600df5154559a4de579c2336bf63ad6ea7b8fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5818u5m.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2171031483YattIedMb.sqlite

Filesize
48KB

MD5
c921ee586abc1fa466a177d8a8c89a74

SHA1
bdcc424c6ea25552274308993bf2ad99c790c7e4

SHA256
202bb3a722c03dfe2b3d905ea8768522610196fb9b29677d1bd57c8c58e4a27e

SHA512
3c45868b79b77b2191bbdbd9f22b3ebea1a9e4d9684af70afbc24c91935a3749a8f757bd6e4b6fa7cc90467ee6152a07dbc22320b34e38d3dff61062d0850281

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5818u5m.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\674904274LCo7g%sCD7a%t4a2bea3s.sqlite

Filesize
48KB

MD5
a6c681542456e4338a26842c21939333

SHA1
06fa61b16f1ac6666ddb7c7f8375f6ad86c2702a

SHA256
a7f4513a48c7b19c7e9378c1e35c01755f9c0b0486a0b72951d54de404d3e492

SHA512
ca586229d21c2f07e469050016a2577bf5634b628136a06239af755d0030e13fff348e1d4f91c401db78967457ac35f2347e809c84c2183ec97123b07306d380

Download Submit
C:\Users\Admin\Desktop\a.bat

Filesize
28B

MD5
def286bb4c8503830a548dd5274766bc

SHA1
323d019cd15ca86968e9a5dd9a679d78dbfb623d

SHA256
30f6ee8df1aa2bda6b916cfff2216c1a0800486596a1c474ebe2775280eb0047

SHA512
2b5cac11dac6b635dd04ffe1be769bdfc0812c951208104c1ca53e9dab70d05e15b4f719111ac3828927a1a2d8160f3bab6e6763135e18d16aca18e0901bf50f

Download Submit
memory/760-384-0x0000000003730000-0x0000000003731000-memory.dmp

Filesize
4KB

Download
memory/760-394-0x0000000003730000-0x0000000003731000-memory.dmp

Filesize
4KB

Download
memory/760-395-0x00000000038F0000-0x0000000003900000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis