umbral | hxxps://github[.]com/nika123geimer/test

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2024 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/nika123geimer/test

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00040000000162b1-368.dat	family_umbral
behavioral1/memory/4612-423-0x0000019CC9E60000-0x0000019CC9EA0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
4612	moonloader libs.exe
1712	moonloader libs.exe
5512	moonloader libs.exe
4780	moonloader libs.exe
5732	moonloader libs.exe
5712	moonloader libs.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
114	raw.githubusercontent.com
115	raw.githubusercontent.com

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings	firefox.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 597680.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 155089.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5876	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2412	msedge.exe
2412	msedge.exe
2496	msedge.exe
2496	msedge.exe
2304	identity_helper.exe
2304	identity_helper.exe
3732	msedge.exe
3732	msedge.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4788	firefox.exe
Token: SeDebugPrivilege	4788	firefox.exe
Token: SeDebugPrivilege	4612	moonloader libs.exe
Token: SeDebugPrivilege	4788	firefox.exe
Token: SeDebugPrivilege	4788	firefox.exe
Token: SeDebugPrivilege	4788	firefox.exe

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
4788	firefox.exe
4788	firefox.exe
4788	firefox.exe
4788	firefox.exe
4788	firefox.exe
4788	firefox.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe

Suspicious use of SendNotifyMessage 37 IoCs

pid	Process
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
4788	firefox.exe
4788	firefox.exe
4788	firefox.exe
4788	firefox.exe
4788	firefox.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4788	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 1328	2496	msedge.exe	20
PID 2496 wrote to memory of 1328	2496	msedge.exe	20
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 4824	2496	msedge.exe	89
PID 2496 wrote to memory of 2412	2496	msedge.exe	87
PID 2496 wrote to memory of 2412	2496	msedge.exe	87
PID 2496 wrote to memory of 3348	2496	msedge.exe	88
PID 2496 wrote to memory of 3348	2496	msedge.exe	88
PID 2496 wrote to memory of 3348	2496	msedge.exe	88
PID 2496 wrote to memory of 3348	2496	msedge.exe	88
PID 2496 wrote to memory of 3348	2496	msedge.exe	88
PID 2496 wrote to memory of 3348	2496	msedge.exe	88
PID 2496 wrote to memory of 3348	2496	msedge.exe	88
PID 2496 wrote to memory of 3348	2496	msedge.exe	88
PID 2496 wrote to memory of 3348	2496	msedge.exe	88
PID 2496 wrote to memory of 3348	2496	msedge.exe	88
PID 2496 wrote to memory of 3348	2496	msedge.exe	88
PID 2496 wrote to memory of 3348	2496	msedge.exe	88
PID 2496 wrote to memory of 3348	2496	msedge.exe	88
PID 2496 wrote to memory of 3348	2496	msedge.exe	88
PID 2496 wrote to memory of 3348	2496	msedge.exe	88
PID 2496 wrote to memory of 3348	2496	msedge.exe	88
PID 2496 wrote to memory of 3348	2496	msedge.exe	88
PID 2496 wrote to memory of 3348	2496	msedge.exe	88
PID 2496 wrote to memory of 3348	2496	msedge.exe	88
PID 2496 wrote to memory of 3348	2496	msedge.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/nika123geimer/test
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffb49046f8,0x7fffb4904708,0x7fffb4904718
  2⤵
  PID:1328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,11186933533116742766,2206337451263670968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2224,11186933533116742766,2206337451263670968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,11186933533116742766,2206337451263670968,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,11186933533116742766,2206337451263670968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,11186933533116742766,2206337451263670968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,11186933533116742766,2206337451263670968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2224,11186933533116742766,2206337451263670968,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5616 /prefetch:8
  2⤵
  PID:100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2224,11186933533116742766,2206337451263670968,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6168 /prefetch:8
  2⤵
  PID:5952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2224,11186933533116742766,2206337451263670968,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5944 /prefetch:8
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,11186933533116742766,2206337451263670968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 /prefetch:8
  2⤵
  PID:2160
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,11186933533116742766,2206337451263670968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2224,11186933533116742766,2206337451263670968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6408 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3732
- C:\Users\Admin\Downloads\moonloader libs.exe
  "C:\Users\Admin\Downloads\moonloader libs.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4612
- C:\Users\Admin\Downloads\moonloader libs.exe
  "C:\Users\Admin\Downloads\moonloader libs.exe"
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,11186933533116742766,2206337451263670968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:5768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,11186933533116742766,2206337451263670968,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,11186933533116742766,2206337451263670968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,11186933533116742766,2206337451263670968,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,11186933533116742766,2206337451263670968,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5528 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3536

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1844
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4788
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4788.0.1517109403\848537278" -parentBuildID 20221007134813 -prefsHandle 1800 -prefMapHandle 1792 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5eb31330-0f90-433c-b58d-2154fcc48cfc} 4788 "\\.\pipe\gecko-crash-server-pipe.4788" 1880 29d75acc758 gpu
    3⤵
    PID:1948
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4788.1.663457192\1306393665" -parentBuildID 20221007134813 -prefsHandle 2268 -prefMapHandle 2256 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3ca3dd4-55b0-4781-8274-e5998aee57e2} 4788 "\\.\pipe\gecko-crash-server-pipe.4788" 2280 29d62572e58 socket
    3⤵
    PID:4260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4788.2.1765155834\2038825018" -childID 1 -isForBrowser -prefsHandle 3028 -prefMapHandle 3100 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e80e67b9-0d70-4ec8-971a-936dd92e0c0e} 4788 "\\.\pipe\gecko-crash-server-pipe.4788" 2904 29d7a18c258 tab
    3⤵
    PID:4764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4788.3.958601620\172839471" -childID 2 -isForBrowser -prefsHandle 3572 -prefMapHandle 3328 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2dd3f9a4-fa5c-4902-9e2e-be71d0680b66} 4788 "\\.\pipe\gecko-crash-server-pipe.4788" 3584 29d62569058 tab
    3⤵
    PID:2072
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4788.4.697666002\1858909437" -childID 3 -isForBrowser -prefsHandle 4016 -prefMapHandle 3960 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d77ac7d5-6363-48f9-8b4d-17a139c09473} 4788 "\\.\pipe\gecko-crash-server-pipe.4788" 4028 29d7b108458 tab
    3⤵
    PID:1444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4788.5.541838767\200391326" -childID 4 -isForBrowser -prefsHandle 5040 -prefMapHandle 5032 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba804bad-338f-4549-adf7-2f1fcb7b7074} 4788 "\\.\pipe\gecko-crash-server-pipe.4788" 5048 29d62568a58 tab
    3⤵
    PID:4108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4788.6.1969607070\1867449743" -childID 5 -isForBrowser -prefsHandle 4652 -prefMapHandle 4664 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2e77334-84ac-4c29-905d-73ece7fd2932} 4788 "\\.\pipe\gecko-crash-server-pipe.4788" 5000 29d7c69fd58 tab
    3⤵
    PID:3280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4788.7.1527517586\318422891" -childID 6 -isForBrowser -prefsHandle 5300 -prefMapHandle 5308 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {985149ba-227d-4e5a-b4cb-90a4ec15e4b3} 4788 "\\.\pipe\gecko-crash-server-pipe.4788" 5048 29d7c845b58 tab
    3⤵
    PID:4376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4404

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Dagerxat.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:5876

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2892

C:\Users\Admin\Downloads\moonloader libs.exe
"C:\Users\Admin\Downloads\moonloader libs.exe"
1⤵
- Executes dropped EXE
PID:5512

C:\Users\Admin\Downloads\moonloader libs.exe
"C:\Users\Admin\Downloads\moonloader libs.exe"
1⤵
- Executes dropped EXE
PID:4780

C:\Users\Admin\Downloads\moonloader libs.exe
"C:\Users\Admin\Downloads\moonloader libs.exe"
1⤵
- Executes dropped EXE
PID:5732

C:\Users\Admin\Downloads\moonloader libs.exe
"C:\Users\Admin\Downloads\moonloader libs.exe"
1⤵
- Executes dropped EXE
PID:5712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\moonloader libs.exe.log

Filesize
1KB

MD5
4c8fa14eeeeda6fe76a08d14e08bf756

SHA1
30003b6798090ec74eb477bbed88e086f8552976

SHA256
7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5

SHA512
116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\15b4232a-1943-4718-aa2e-bc261b21b278.tmp

Filesize
12KB

MD5
1e17fe558cf0d1009b447496709770f0

SHA1
bf5301c3b34654075d8991b689d674e472cc3066

SHA256
6419bfc21900ce6e480756af4af4d858c532c05381b3d2f342ac5f78ad1e6315

SHA512
60b89681c4c9f4c11460473645dcd2c63f83fb58dc9855372b71d677a3b378808ef4d8fd80fe15a4e9902a20686a0ef5c5699fb7b3d1ca3cb9cdab5409566e02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
84381d71cf667d9a138ea03b3283aea5

SHA1
33dfc8a32806beaaafaec25850b217c856ce6c7b

SHA256
32dd52cc3142b6e758bd60adead81925515b31581437472d1f61bdeda24d5424

SHA512
469bfac06152c8b0a82de28e01f7ed36dc27427205830100b1416b7cd8d481f5c4369e2ba89ef1fdd932aaf17289a8e4ede303393feab25afc1158cb931d23a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\56a1188f-35f9-4046-9c77-0a5f066c2d6a.tmp

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
229KB

MD5
5de00da489b1318030b2e2bbe9d30720

SHA1
b97621eb26581e46dd4929e974b8397096cb0688

SHA256
7ceff8174f4a1d8f3021dfa1a518b6f3886e3f8ffdfb27143990eee5d03c2f69

SHA512
eb21d9d0c4f552df4878ef4be401cc54bb1706b784f888b99886e2ed9d7ce8605decf9c63d8dae5386c4c8284b793643bc2348c2c2d1b97e2e7330b0e92a0fc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2d02e05a9f118d4df490ce1364ec21f7

SHA1
8cb5bc0878274555e0ae5be8e41752df18d17dc0

SHA256
ba960a5521b120277ebbdad68359a277487aae01f3da1b09f216c45c3ac741b3

SHA512
7d7640be9892664b8dab8bab5765d5289c8bbb20c24993b2ea0b13fce9be9cc959dc839494bfa40e0336d8d32d0d32b83ff8ff5c5ba528ed457fe0fb12ae4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9018ef8905da4a7006e6ff5ae258fb57

SHA1
ff6237b22df9f2e58d192f6f4112e2a94402d62c

SHA256
7778da3c01b1f2ee2c113341ae194fca9384e451f6915e5b935c1a0c7302e996

SHA512
9186ad017b387ccbb501e61d57fa218f1e9927f0c5d34f650b9b298e4ba498a0bedcd7904c854a2033c15013dbfc8388cbe32d10e84ad87e6f07e6207bd1c3bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
22f9219db085824bb6a7f9bfe914cbbe

SHA1
14e1cab074af65f50ac84d03c870d95e4ab2ee59

SHA256
41bbe5880ba5e40b17110a4068d3ceef16ec53a1ba9d8d503147f22da008c41c

SHA512
835a3fbcec38ea3019616a953925658e854cb381f2930a0b043cc77902f5bf1e022b0df6dca72c42360ac57cb37763899fd8513e49771121e64203b70305156c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
a7d1701142cca705f833d70023ef4e1e

SHA1
1b76853132abfcddb4fefac42bf9df5d013c9815

SHA256
6c92f51e7f056e73c407228fc280cb7ca4d00ab02674d1dda4eafd7dc9f070f7

SHA512
806b7ccb375cc6116e64a9fa15229d783615d13b54cf40251561d9b664f0925915c5375ad88f5ca8d061e01367de239c29da79adf693559af53eeb7d9b1ba1a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1c637e0ebd90a00523536674dab32e6d

SHA1
e889152df9a96b3a99f8a4aedcfeb9ea1acced78

SHA256
7328efd249d1055d59d2e23202210507a348a5af4227caf5138070820a966264

SHA512
df654c2925815ff6548d568ce8242022fabcffed787c4021fb2a96ba01818faa5fcb50c390dc255dac7bb92d4e46f1150b391e9fb6eea728669cda8cc827f1c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4de2ef25460b881dbf8fb383067d4193

SHA1
10db1152ddd02aefc5356a1daf7e4775b243fbfc

SHA256
3fd9329ccbfd5d3e417a9850d3c9433dc58dfefdf9d0a6d3b7518a88f15c79b3

SHA512
45dd8ca1fd810745776208546e020597a4340e7bc89fe7fc8dfdeef9b6b284622453eba0d9bb0f3b3a17414a15c12c294797577822023bc67ccd68a83f74ccae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
de5dcc45ee5f8a0bfec1744d75fc21bd

SHA1
415a256ca22ddfbc2ec5b25146ab5b54e888979c

SHA256
0ecf6085225eb4625ca7d295e05231ba38291a86d96e190e5da8a6316b4be917

SHA512
e28ca2eb8a043e4161e43adbdfcc74a5e675a2c59b893df4f582a093974f487aceb3f222d7930d5ffe8fcf8655ab3d78e1e3fb34d8c92480e98e94f541722eb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
52b671566cfe2674699ea8fd51d572e0

SHA1
add16bac7f7290d8a7c0fd61cf086f4ee67d6098

SHA256
b761d722e0579a25201cb89b3e7371d3d49dca8de59d3a7fa19505b5babbd253

SHA512
503e69df9237a1900f1332c3be9eb7aab5bbe64f0ab8e49ff423b708330055897583b71c58f9db47bff3349a41b61015584fbe06d7c48a497c6b2c5a180c49d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7d9489493c21ef3f45a9cbd25ca850ef

SHA1
264252f4f23d77c77460005974b5293f9daeaffd

SHA256
a0ed647d0436f982ef805b9450a19e205332ec18fda1b39fe8e6584faf0ca225

SHA512
a7467f119b3a7c7282bcc1f61cf88ac035e3427a62853368218f270bf9ac2d799436e3ef5dd793150e43cee2997ab729b18acdadd2e53975d8dc3d5c6d328971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dcea037210d8ea17f4d917a6b90d0dc5

SHA1
06b530c3184a3cf543451cdff299fe4e06db3d3a

SHA256
4d6ffe09aa2a8400496bc2141ed6dfb4cc52606b157385187f60e88381e1b48b

SHA512
0373ec9d50e90facc22f3542a71143f97ba7a55e58df21a2038d937a6a511a5c046bfa85ae4b1d921226e8af83813be30414673e797610681f43ca4fd4d8d051

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
35f77ec6332f541cd8469e0d77af0959

SHA1
abaec73284cee460025c6fcbe3b4d9b6c00f628c

SHA256
f0be4c5c99b216083bd9ee878f355e1aa508f94feb14aeebcfba4648d85563a7

SHA512
e0497dbe48503ebbf6a3c9d188b9637f80bccf9611a9e663d9e4493912d398c6b2a9eab3f506e5b524b3dabbca7bb5a88f882a117b03a3b39f43f291b59870c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
65fc0979b540461671811c9d83b93cb5

SHA1
105b1597de8a52f4cbef6c7f25a9af1ff9fa9fd2

SHA256
2ba3616ac08b9b9720d91c95e28ef2b82c0d7d6adb0316c2d87171af4c9acfd7

SHA512
1a24635da00444bd011a89de5ea3ae07a292f2ffe61275c8ef24959a49595f80b7a4789aeadf25a95015abeeb4f4a78ddd95d679a88a804c17cf74e62521d70c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
c7f913bd319f26a59d7d08fe96a657b4

SHA1
ddd77ed03e742569b6ef24d0866bea3bf6a63d1c

SHA256
c2e7de5c7bf61f01732f1d70fbe369251f3ed697bec5faede48ac29910fb7a96

SHA512
553575f6357a9661b2a9f2f474c2f8c50db472ff107d57f7977730edea7eebd8a8c5e69067eaca43643b175e8c9c9cf3e118114334c198dac4bf4488d7c54d74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57db3d.TMP

Filesize
706B

MD5
38211634de36c6bc69f82b4fd84c8a18

SHA1
a749d2b8a5bbd3b9c3e80035872f82b760e33a70

SHA256
455dd4f833dc926af98d4271b96d4919f49aae544970403b92ec0f013ca34f3c

SHA512
aacf0c67297d2e4b815d59973dcb7bc07fff806baf19324afa10d0e3630c8e75d5c562d76c32e68336a9b1aa1ee21257b41b8815e2f220ff985114cdd2479652

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
af7ec2d7e84c9f9f3d33b02c810710d3

SHA1
a9cf6cfedbf383ace230d180238fd5443f6de0ad

SHA256
03bf70fd942a453c1730d68ebae03bd29752e9b286128dd304fd0f4168131ff9

SHA512
90e1414bd5a8725cabb21cc370d688f245a0a648091f4cedd1bbc97c662214597ff986b04b100037cff0c84391a6ffde2c946e402a6daf3d0a5ab701afb66c9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d04082b18df1dc20815c8492b5dd6c57

SHA1
b005a0f3f87c24fe34888c69face1f6fe61eaa1b

SHA256
53427542191adae9d6c58e91c58d1eab69a0909d8e214a7c9750a3f348352429

SHA512
04ae74a814c550dde51c5251ff5325912c9e02d985baf5ba73ce2aa8bc3c8cb41c024814e803d690841ead3cf227ba09a305b453447c8f2ae88d237cb39c5aa6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mlil8stk.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
9f4ec70ff67d1c7bcdad9890039c934d

SHA1
9da1c7b84168524c310a4acb2b0f01cd63ee3a74

SHA256
4c25057afbf38f7207b130fe59c0fffe57776a997ae5af45177855c37c76ab95

SHA512
a5cac3676ae3e3dcdf776ac991245c61c5adf8ae2e7556023b8aebfbb6cf63513eca01c1f95c12500e86ecb9380646841fc5e0b509c1db94962dc8dd6f8b8fbf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mlil8stk.default-release\datareporting\glean\pending_pings\67e710c5-f1cd-4fe5-af0b-a5e924669381

Filesize
1KB

MD5
9e515574446dd624c1cb0c7c191205b6

SHA1
8d9e3e71cb15ba850d5359a7d491b045674aa647

SHA256
b520bc1c39900697db169dfc7ab4c8c35dd3d95b070abde2dc81437345e12c20

SHA512
0a689aaadaadcd08364d96b44b35f9f05924d981fe7f6afdc35012c7f12a65ecaf83134d521dbeeeb4d404759b1401ff0ba83d548fba1ca1d4a2ed7e45250e9d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mlil8stk.default-release\datareporting\glean\pending_pings\693405ed-2576-40af-83ed-dff7fbe518b5

Filesize
746B

MD5
c4e86d8f87629d78d72a565f06722e87

SHA1
f49e47b097e7ff57949b18dd1c21a48230d31567

SHA256
74f20379a841ff341324e829a886128d08b245c9ccf269aa4e3d07accecefd80

SHA512
1fd71dd8363adbdad00f1919a1b405210edab0d75692a9a8aad4bd6cfc30c7a624906b2a88a91100aa7473e2e6c1341351956e42ab0b923416b1768e00b261d6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mlil8stk.default-release\prefs-1.js

Filesize
6KB

MD5
2851a50a40cc81e466ceb0660d866082

SHA1
61aafb02b6151ff95d047b398f00e5f37c7ead3e

SHA256
df44d378a30c632ff4c8ae97ba42a8e85e5422528cc84c0ed133b058926cab51

SHA512
24a44bfcf3ab86815467b5bb4ca27ae71a1571605e134ff2ce4b7b2d1b626a2f6d4126623e079a631bb504de5038dba5c0982172de683a7b50b90dfe3aad9fab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mlil8stk.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
1c6169bd62c98d86b8dec1d293c510fa

SHA1
83b05dd62effa89e98b0c8ee052f6ae0c32de344

SHA256
b5283d501bced0262d786bede9c4a0c5b64f00b381f96c00787e30871df0ed63

SHA512
f62c4f0d15747b9da3a8fa2a907130499781e21a1a9a694f4d00b065f1a6d324e9ce289de732990fb4884850a4b4580d8fefffa320cd1b31dc313db0a3c84b26

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mlil8stk.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
25c432a4aedf444e7d680a7059495b27

SHA1
de69a92a5572a2de0a77a2c805e2b6fd26c7d804

SHA256
80dbd5298a2e38aa2f4c882ee9fa3fa2a60dc321ead4b3c217a0ef342ba80413

SHA512
fb58f80f04e7989118466c7e1a9741d5bb5c32de02d55e17104852629961708840558f1f18f54bec3cf1a5703052efdffe9998b6b0d610d47a4964d48e5cb2b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mlil8stk.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
153KB

MD5
bb8db5bb2fcc4b9bd078ab39cefe379e

SHA1
68f70a37eb992ac81e4736a6ae8edf2f41e3777a

SHA256
fe858e1235e345d1f3107fd12d11250e71d3153e1102f451a54b9fdd83a6a864

SHA512
e0eeeb7fe4928da7ee9dd31138c5b3b887772a57ea7c1ec0a0489441177145b056df83b64d6980866fbed2c58926ba7c13d88aaf9e5b3950f94ffcb764db12d1

Download Submit
memory/1712-428-0x00007FFFA10B0000-0x00007FFFA1B71000-memory.dmp

Filesize
10.8MB

Download
memory/1712-490-0x00007FFFA10B0000-0x00007FFFA1B71000-memory.dmp

Filesize
10.8MB

Download
memory/4612-423-0x0000019CC9E60000-0x0000019CC9EA0000-memory.dmp

Filesize
256KB

Download
memory/4612-489-0x0000019CE44A0000-0x0000019CE44B0000-memory.dmp

Filesize
64KB

Download
memory/4612-486-0x00007FFFA10B0000-0x00007FFFA1B71000-memory.dmp

Filesize
10.8MB

Download
memory/4612-425-0x0000019CE44A0000-0x0000019CE44B0000-memory.dmp

Filesize
64KB

Download
memory/4612-424-0x00007FFFA10B0000-0x00007FFFA1B71000-memory.dmp

Filesize
10.8MB

Download
memory/4780-497-0x00007FFFA10B0000-0x00007FFFA1B71000-memory.dmp

Filesize
10.8MB

Download
memory/4780-516-0x00007FFFA10B0000-0x00007FFFA1B71000-memory.dmp

Filesize
10.8MB

Download
memory/5512-493-0x00007FFFA10B0000-0x00007FFFA1B71000-memory.dmp

Filesize
10.8MB

Download
memory/5512-506-0x00007FFFA10B0000-0x00007FFFA1B71000-memory.dmp

Filesize
10.8MB

Download
memory/5712-505-0x00007FFFA10B0000-0x00007FFFA1B71000-memory.dmp

Filesize
10.8MB

Download
memory/5732-499-0x00007FFFA10B0000-0x00007FFFA1B71000-memory.dmp

Filesize
10.8MB

Download