Analysis
  max time kernel:   1800s
  max time network:  1597s
  platform:          windows10-1703_x64
  resource:          win10-20240404-en
  resource tags:     arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  submitted:         10-04-2024 07:37

Behavioral task: behavioral1
  Sample:   qrcode_i.ytimg.com.png
  Resource: win10-20240404-en
General
  Target:  qrcode_i.ytimg.com.png
  Size:    10KB
  MD5:     4e4f0d47eb4da8097c9a5516a0d444eb
  SHA1:    34896ac01ecb210faa72d5040de6c57394ea25de
  SHA256:  c7c2b2c73f6ae3c30477b2577c0e97c86c1a8af5752efd32e7603b55b5c12aa2
  SHA512:  12997530870d436874600c23881b3098c28edb85f9f369a6543a9ac7e85aeec9e9401861c64564d5b393996f0662b544c032fb91e7103b1c1f5a16e35c432027
  SSDEEP:  192:JboRHxiCP0J+99Axey9E+g4i50w1aeqvO0fiQGHUFGE/4g1bzQuTRg:GRHxg+9axfNk5dwibU8khQuTa
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE  7 IoCs
  pid   process
  2496  MEMZ.exe
  2408  MEMZ.exe
  4584  MEMZ.exe
  4432  MEMZ.exe
  4104  MEMZ.exe
  2972  MEMZ.exe
  1400  MEMZ.exe
  All seven are instances of C:\Users\Admin\Downloads\MEMZ.exe, a file that firefox.exe wrote during the run (see the NTFS ADS entry below and the process tree); the submitted sample itself is a 10KB PNG.
-
Legitimate hosting services abused for malware hosting/C2  1 TTPs 4 IoCs
  flow  ioc
  123   raw.githubusercontent.com
  124   raw.githubusercontent.com
  125   raw.githubusercontent.com
  126   raw.githubusercontent.com
-
Writes to the Master Boot Record (MBR)  1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                   ioc                 process
  File opened for modification  \??\PhysicalDrive0  MEMZ.exe
  The process tree attributes this to the MEMZ.exe instance started with /main (PID 1400). Opening \??\PhysicalDrive0 for write gives raw access to the disk below the file system, so the first sector (boot code and partition table) can be overwritten; whether the write installs a functional bootkit or simply destroys the boot sector is not something this signature alone shows, and a disk image from the run is needed to tell.
-
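The MBR write above is the one consequential IoC in this report. The following Python is an added example written for this page (it is not code from the report, from Triage or from the MEMZ sample) and shows the two things an analyst does with such an IoC: match write-mode opens of a raw disk device in an event stream, and check an MBR image for the damage a raw write can cause. The event records are constructed from the IoC line above (PID 1400 is taken from the /main entry in the process tree); the allow-list of legitimate disk writers and the sample sectors are assumptions, and the "tampered" sector is a generic wiped boot sector, not a reconstruction of what MEMZ writes.

```python
import re
import struct

# Both spellings of the raw first-disk device: the NT object-manager form
# (\??\PhysicalDrive0, as in the IoC above) and the Win32 form (\\.\PhysicalDrive0).
RAW_DISK_RE = re.compile(r"^(\\\?\?\\|\\\\\.\\)PhysicalDrive\d+$", re.IGNORECASE)

# Processes that legitimately open a disk for write (assumption: tune per estate).
ALLOWED_RAW_WRITERS = {"vds.exe", "diskpart.exe", "setup.exe"}

# Event records constructed from this report's IoC lines; the PID for the
# MBR write comes from the /main entry in the process tree.
EVENTS = [
    {"process": "MEMZ.exe", "pid": 1400, "op": "File opened for modification",
     "path": r"\??\PhysicalDrive0"},
    {"process": "firefox.exe", "pid": 1000, "op": "File created",
     "path": r"C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier"},
]


def raw_disk_write_opens(events):
    """Return (process, pid, path) for every write-mode open of a raw disk
    device by a process outside the allow-list."""
    hits = []
    for ev in events:
        if (ev["op"] == "File opened for modification"
                and RAW_DISK_RE.match(ev["path"])
                and ev["process"].lower() not in ALLOWED_RAW_WRITERS):
            hits.append((ev["process"], ev["pid"], ev["path"]))
    return hits


def parse_mbr(sector):
    """Split a 512-byte MBR into boot code, four partition entries and the 0xAA55 signature."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector, off + 8)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    signature = struct.unpack_from("<H", sector, 510)[0]
    return {"boot_code": sector[:446], "partitions": partitions, "signature": signature}


def mbr_findings(sector, known_good_boot_code=None):
    """Integrity checks to run on a disk image after a raw-disk write: boot
    signature present, boot code unchanged against a known-good copy, at least
    one active partition, no entry with a type but zero length."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["signature"] != 0xAA55:
        findings.append("boot signature missing (0x%04X)" % mbr["signature"])
    if known_good_boot_code is not None and mbr["boot_code"] != known_good_boot_code:
        findings.append("boot code differs from known-good image")
    if not any(p["bootable"] for p in mbr["partitions"]):
        findings.append("no active partition")
    for i, p in enumerate(mbr["partitions"]):
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append("partition %d has type 0x%02X but zero length" % (i, p["type"]))
    return findings


def _make_mbr(boot_code, entries, signature=b"\x55\xAA"):
    """Assemble a 512-byte sector from its parts (helper for the constructed samples)."""
    return boot_code.ljust(446, b"\x00") + b"".join(entries).ljust(64, b"\x00") + signature


# Constructed sample sectors: a typical x86 prologue (xor ax,ax; mov ss,ax; mov sp,7C00h)
# with one active NTFS partition, and the same sector with boot code and signature wiped.
_ENTRY0 = bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 2048, 204800)
CLEAN_MBR = _make_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C", [_ENTRY0])
TAMPERED_MBR = _make_mbr(b"\x00" * 446, [_ENTRY0], signature=b"\x00\x00")

if __name__ == "__main__":
    print(raw_disk_write_opens(EVENTS))
    print(mbr_findings(CLEAN_MBR))
    print(mbr_findings(TAMPERED_MBR, CLEAN_MBR[:446]))
```

The detector keys on the operation plus the device path rather than on the process name, so a renamed sample still trips it; the allow-list is what keeps disk-management tooling out of the alert queue. mbr_findings is deliberately conservative: a sector that still carries the 0xAA55 signature and an intact partition table but different boot code is exactly the bootkit case the signature description above refers to, which is why the comparison against a known-good boot-code copy is included.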
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry  2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision   firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz              firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  firefox.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                   firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz              firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  firefox.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                   firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  firefox.exe
  All eight hits come from firefox.exe (the parent browser process PID 1000 and the socket process PID 5040, per the process tree), which reads CPU vendor, clock and microcode values for its own purposes. None is attributed to MEMZ.exe, so this signature is not evidence of sandbox evasion by the sample.
-
Modifies registry class  1 IoCs
  description  ioc                                                                                     process
  Key created  \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings     firefox.exe
-
NTFS ADS  1 IoCs
  description   ioc                                                process
  File created  C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier  firefox.exe
  Zone.Identifier is the Mark-of-the-Web stream a browser attaches to a downloaded file; its creation by firefox.exe on MEMZ.exe is the direct evidence that the executable was downloaded by the browser during the run rather than carried in the submitted PNG. The stream's contents (the ZoneId and, depending on the browser, the source URLs) are not reproduced in the report.
-
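Reading the mark is the quickest way to tie a dropped executable back to its download source. The Python below is an added example, not code from the report or from Firefox: it parses a Zone.Identifier stream and decides whether the file came from the Internet zone and from one of the hosting domains the report flags. The stream text is constructed; ZoneId=3 is the value browsers write for internet downloads, and the ReferrerUrl/HostUrl values are placeholders, since the report shows only that raw.githubusercontent.com was contacted, not the download URL. read_motw uses the NTFS path:stream syntax and returns None on any other file system or when no mark exists.

```python
import configparser
from urllib.parse import urlsplit

ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}
# Hosts the report lists under "Legitimate hosting services abused" (assumption: extend per case).
ABUSED_LEGIT_HOSTS = {"raw.githubusercontent.com"}

# Constructed stream text. ZoneId=3 is what a browser writes for an internet download;
# the URLs are placeholders, not values taken from the report.
SAMPLE_STREAM = ("[ZoneTransfer]\r\n"
                 "ZoneId=3\r\n"
                 "ReferrerUrl=https://github.com/\r\n"
                 "HostUrl=https://raw.githubusercontent.com/example/repo/main/MEMZ.exe\r\n")


def parse_zone_identifier(text):
    """Parse the INI-style [ZoneTransfer] block into zone id/name and source URLs."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str                      # keep the key spelling the writer used
    cp.read_string(text.replace("\r\n", "\n"))
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("no [ZoneTransfer] section")
    sect = cp["ZoneTransfer"]
    zone_id = int(sect.get("ZoneId", "-1"))
    return {"zone_id": zone_id,
            "zone": ZONE_NAMES.get(zone_id, "Unknown"),
            "referrer": sect.get("ReferrerUrl"),
            "host_url": sect.get("HostUrl")}


def assess(motw):
    """What the mark tells an analyst: internet origin, and whether the download
    host is one of the abused legitimate services named in the report."""
    host = urlsplit(motw["host_url"]).hostname if motw["host_url"] else None
    return {"from_internet": motw["zone_id"] >= 3,
            "host": host,
            "abused_legit_host": host in ABUSED_LEGIT_HOSTS}


def read_motw(path):
    """On NTFS the stream is opened with the path:stream syntax; returns None
    when the file carries no mark or the volume has no streams."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


if __name__ == "__main__":
    mark = parse_zone_identifier(SAMPLE_STREAM)
    print(mark, assess(mark))
    print(read_motw(r"C:\Users\Admin\Downloads\MEMZ.exe"))   # None unless run on the analysis VM
```

A stream that carries only ZoneId (older browsers, or a file copied with a tool that preserves streams but strips URLs) still parses; assess then reports the internet zone with no host, which is the case to treat as "origin unknown, not origin benign".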
Suspicious behavior: EnumeratesProcesses  64 IoCs
  pid   process   hits
  2408  MEMZ.exe  16
  4584  MEMZ.exe  12
  4104  MEMZ.exe  14
  4432  MEMZ.exe  12
  2972  MEMZ.exe  10
  All 64 hits belong to the five MEMZ.exe instances started with /watchdog (see the process tree); neither the initial instance (PID 2496) nor the /main instance (PID 1400) enumerates processes. Repeated process enumeration confined to processes launched with a watchdog argument is the pattern to key a detection on.
-
Suspicious use of AdjustPrivilegeToken  5 IoCs
  Token: SeDebugPrivilege  firefox.exe  PID 1000  (5 hits)
-
Suspicious use of FindShellTrayWindow  6 IoCs
  firefox.exe  PID 1000  (6 hits)
-
Suspicious use of SendNotifyMessage  5 IoCs
  firefox.exe  PID 1000  (5 hits)
-
Suspicious use of SetWindowsHookEx  16 IoCs
  firefox.exe  PID 1000  (16 hits)
-
  Every hit in these four signatures is the Firefox parent process (PID 1000). They are generic API-use heuristics, not behaviour attributed to MEMZ.exe.
Suspicious use of WriteProcessMemory  64 IoCs
  source pid  target pid  source       target
  512         1000        firefox.exe  firefox.exe  (repeated; consistent with Firefox's launcher process starting the main browser process)
  1000        652         firefox.exe  firefox.exe  (2 hits; gpu process)
  1000        5040        firefox.exe  firefox.exe  (most of the 64 hits; socket process)
  1000        2136        firefox.exe  firefox.exe  (3 hits; tab process, childID 1)
  All writes are from a Firefox process into its own child processes; none involves MEMZ.exe.
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
cmd.exe  PID 2324  [level 1]
  C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\qrcode_i.ytimg.com.png
-
firefox.exe  PID 512  [level 1]
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  signatures: Suspicious use of WriteProcessMemory
-
  firefox.exe  PID 1000  [level 2]
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    signatures: Checks processor information in registry; Modifies registry class; NTFS ADS; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
-
    firefox.exe  PID 652  [level 3, gpu]
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1000.0.1073067006\570924553" -parentBuildID 20221007134813 -prefsHandle 1732 -prefMapHandle 1724 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5cd348f8-4bcf-43e1-8b67-13d6a953f865} 1000 "\\.\pipe\gecko-crash-server-pipe.1000" 1812 297f49d6558 gpu
-
    firefox.exe  PID 5040  [level 3, socket]
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1000.1.2115949036\1772614955" -parentBuildID 20221007134813 -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {330f526d-28f3-4c95-9a69-5c6a104bab5f} 1000 "\\.\pipe\gecko-crash-server-pipe.1000" 2168 297f48fb058 socket
      signatures: Checks processor information in registry
-
    firefox.exe  PID 2136  [level 3, tab, childID 1]
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1000.2.516777584\925253619" -childID 1 -isForBrowser -prefsHandle 2784 -prefMapHandle 2800 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb812088-10ed-4695-8292-1da88bdf1ea7} 1000 "\\.\pipe\gecko-crash-server-pipe.1000" 2924 297f495d558 tab
-
    firefox.exe  PID 3484  [level 3, tab, childID 2]
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1000.3.506150478\600665705" -childID 2 -isForBrowser -prefsHandle 3412 -prefMapHandle 3404 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {476e5634-25fa-4666-819d-37866572a4a3} 1000 "\\.\pipe\gecko-crash-server-pipe.1000" 3420 297e2667558 tab
-
    firefox.exe  PID 2376  [level 3, tab, childID 3]
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1000.4.2104936914\930037441" -childID 3 -isForBrowser -prefsHandle 4268 -prefMapHandle 4264 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f480b01e-cfc9-4f2a-bac5-05a7599d9e1d} 1000 "\\.\pipe\gecko-crash-server-pipe.1000" 4280 297fa905c58 tab
-
    firefox.exe  PID 2604  [level 3, tab, childID 4]
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1000.5.1614004139\1819132578" -childID 4 -isForBrowser -prefsHandle 4752 -prefMapHandle 4820 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2be1fe52-c0f6-461b-b569-04d4a12f2847} 1000 "\\.\pipe\gecko-crash-server-pipe.1000" 4792 297fae0fb58 tab
-
    firefox.exe  PID 5032  [level 3, tab, childID 5]
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1000.6.206451373\1397990850" -childID 5 -isForBrowser -prefsHandle 4972 -prefMapHandle 4976 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9adb0fd0-845f-4d31-b9de-dbb2a3e320fd} 1000 "\\.\pipe\gecko-crash-server-pipe.1000" 4964 297fb066058 tab
-
    firefox.exe  PID 1868  [level 3, tab, childID 6]
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1000.7.262197437\235657700" -childID 6 -isForBrowser -prefsHandle 5172 -prefMapHandle 5176 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5faa983d-212c-495f-9242-ed08d6cb72ee} 1000 "\\.\pipe\gecko-crash-server-pipe.1000" 5164 297fb065a58 tab
-
    firefox.exe  PID 2352  [level 3, tab, childID 7]
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1000.8.2078102733\233183501" -childID 7 -isForBrowser -prefsHandle 5528 -prefMapHandle 5548 -prefsLen 26514 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a345481-f582-4557-bd0f-fcd98950f1f7} 1000 "\\.\pipe\gecko-crash-server-pipe.1000" 5512 297fc006b58 tab
-
    firefox.exe  PID 504  [level 3, rdd]
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1000.9.2085787977\6726559" -parentBuildID 20221007134813 -prefsHandle 5552 -prefMapHandle 5572 -prefsLen 26689 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdb6f51f-3187-48af-b300-417595a9ed39} 1000 "\\.\pipe\gecko-crash-server-pipe.1000" 5528 297fc85f558 rdd
-
    firefox.exe  PID 3604  [level 3, tab, childID 8]
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1000.10.533708466\1146182956" -childID 8 -isForBrowser -prefsHandle 5972 -prefMapHandle 5968 -prefsLen 26689 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {078973d6-7fb2-41dc-84ce-b2814de40868} 1000 "\\.\pipe\gecko-crash-server-pipe.1000" 5992 297fca11558 tab
-
    firefox.exe  PID 824  [level 3, tab, childID 9]
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1000.11.1626873027\591988426" -childID 9 -isForBrowser -prefsHandle 5144 -prefMapHandle 5060 -prefsLen 26689 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd04c833-29af-49cb-af12-7038545c51e8} 1000 "\\.\pipe\gecko-crash-server-pipe.1000" 5044 297fa95c958 tab
-
    MEMZ.exe  PID 2496  [level 3]
      "C:\Users\Admin\Downloads\MEMZ.exe"
      signatures: Executes dropped EXE
-
      MEMZ.exe  PID 2408  [level 4]
        "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
        signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
-
      MEMZ.exe  PID 4584  [level 4]
        "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
        signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
-
      MEMZ.exe  PID 4104  [level 4]
        "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
        signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
-
      MEMZ.exe  PID 4432  [level 4]
        "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
        signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
-
      MEMZ.exe  PID 2972  [level 4]
        "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
        signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
-
      MEMZ.exe  PID 1400  [level 4]
        "C:\Users\Admin\Downloads\MEMZ.exe" /main
        signatures: Executes dropped EXE; Writes to the Master Boot Record (MBR)
-
    firefox.exe  PID 5096  [level 3, tab, childID 10]
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1000.12.704822124\1211129702" -childID 10 -isForBrowser -prefsHandle 4796 -prefMapHandle 4344 -prefsLen 26808 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {febe637a-66b4-4bcf-944d-f3fe4ef13572} 1000 "\\.\pipe\gecko-crash-server-pipe.1000" 5180 297fae11358 tab
-
    firefox.exe  PID 4592  [level 3, tab, childID 11]
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1000.13.797474319\1254072715" -childID 11 -isForBrowser -prefsHandle 5672 -prefMapHandle 5736 -prefsLen 26808 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c56fa42b-366d-48b2-a6ac-c7b81311ba1e} 1000 "\\.\pipe\gecko-crash-server-pipe.1000" 5680 297fcf3b558 tab
-
    firefox.exe  PID 4656  [level 3, tab, childID 12]
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1000.14.1712336903\349770030" -childID 12 -isForBrowser -prefsHandle 10296 -prefMapHandle 10120 -prefsLen 26817 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2264678-28c6-4ab8-8a45-e28e61bfe0ae} 1000 "\\.\pipe\gecko-crash-server-pipe.1000" 5508 297fc006e58 tab
-
  Reading the tree: MEMZ.exe (PID 2496) is a child of the Firefox parent process (PID 1000), at the same level as the browser's content processes, so it was started from the browser and not by cmd.exe (PID 2324), which ran the submitted PNG. The initial instance then spawns five copies of itself with /watchdog and one with /main; only the /main instance opens the raw disk.
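The tree above is the part of the report worth turning into a rule. The Python below is an added example, not code from the report, that rebuilds the tree as data and applies the two checks it motivates: an executable under a user-writable directory whose direct parent is a browser, and a process that fans out into several copies of its own image with the same argument. The records are constructed from the PIDs and command lines shown: the two level-1 processes get ppid 0 because the report does not show their parents, Firefox child command lines are cut down to their process-type suffix, and the browser list and directory markers are assumptions to tune per environment.

```python
from collections import defaultdict
import ntpath

BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}        # assumption: extend per estate
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\appdata\\local\\temp\\")

FF = r"C:\Program Files\Mozilla Firefox\firefox.exe"
MEMZ = r"C:\Users\Admin\Downloads\MEMZ.exe"

# (pid, ppid, image, command line) constructed from the tree above. Parents of
# the two level-1 processes are not shown in the report, so ppid 0 is used;
# Firefox child command lines are abbreviated to their process-type suffix.
PROCS = [
    (2324, 0,    r"C:\Windows\system32\cmd.exe",
     r"cmd /c C:\Users\Admin\AppData\Local\Temp\qrcode_i.ytimg.com.png"),
    (512,  0,    FF, f'"{FF}"'),
    (1000, 512,  FF, f'"{FF}"'),
    (652,  1000, FF, f'"{FF}" -contentproc gpu'),
    (5040, 1000, FF, f'"{FF}" -contentproc socket'),
    (2136, 1000, FF, f'"{FF}" -contentproc -childID 1 tab'),
    (2496, 1000, MEMZ, f'"{MEMZ}"'),
    (2408, 2496, MEMZ, f'"{MEMZ}" /watchdog'),
    (4584, 2496, MEMZ, f'"{MEMZ}" /watchdog'),
    (4104, 2496, MEMZ, f'"{MEMZ}" /watchdog'),
    (4432, 2496, MEMZ, f'"{MEMZ}" /watchdog'),
    (2972, 2496, MEMZ, f'"{MEMZ}" /watchdog'),
    (1400, 2496, MEMZ, f'"{MEMZ}" /main'),
]


def build_tree(procs):
    """Index records by pid and build the parent -> children map."""
    by_pid = {pid: {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmd}
              for pid, ppid, image, cmd in procs}
    children = defaultdict(list)
    for p in by_pid.values():
        children[p["ppid"]].append(p["pid"])
    return by_pid, children


def ancestry(by_pid, pid):
    """pid followed by each known ancestor, root last."""
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain


def browser_spawned_user_dir_exes(by_pid):
    """Executables under a user-writable directory whose direct parent is a
    browser: the firefox.exe -> Downloads\\MEMZ.exe step at PID 2496 above."""
    hits = []
    for p in by_pid.values():
        parent = by_pid.get(p["ppid"])
        if parent is None:
            continue
        in_user_dir = any(m in p["image"].lower() for m in USER_WRITABLE_MARKERS)
        parent_is_browser = ntpath.basename(parent["image"]).lower() in BROWSERS
        if in_user_dir and parent_is_browser:
            hits.append(p["pid"])
    return sorted(hits)


def same_image_fanout(by_pid, children, marker):
    """pid -> number of children that run the same image with `marker` on the
    command line (the five /watchdog siblings under PID 2496 above)."""
    out = {}
    for pid, kids in children.items():
        if pid not in by_pid:
            continue
        n = sum(1 for k in kids
                if by_pid[k]["image"].lower() == by_pid[pid]["image"].lower()
                and marker.lower() in by_pid[k]["cmdline"].lower())
        if n:
            out[pid] = n
    return out


def render(by_pid, children, pid=0, depth=0):
    """Indented text tree for the analyst's notes."""
    lines = []
    for k in children.get(pid, []):
        p = by_pid[k]
        lines.append("  " * depth + f"{ntpath.basename(p['image'])} (PID {k}): {p['cmdline']}")
        lines.extend(render(by_pid, children, k, depth + 1))
    return lines


if __name__ == "__main__":
    by_pid, children = build_tree(PROCS)
    print("\n".join(render(by_pid, children)))
    print("chain from /main:", ancestry(by_pid, 1400))
    print("browser -> user-dir exe:", browser_spawned_user_dir_exes(by_pid))
    print("watchdog fan-out:", same_image_fanout(by_pid, children, "/watchdog"))
```

Run as-is it prints the indented tree, the ancestry [1400, 2496, 1000, 512] for the /main instance, [2496] as the only browser-to-user-directory executable, and a fan-out of five /watchdog children under PID 2496. The two rules are independent on purpose: the first fires on the download-and-run step before any payload behaviour, the second on the self-replication step and does not care where the image lives, so a sample that is renamed or staged elsewhere still trips one of them.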
Network
MITRE ATT&CK Enterprise v15
Downloads
-
(no path shown)
  Filesize: 27KB
  MD5:      265b60e4559708dc23d41f4715a005bf
  SHA1:     b4b37ed025fc87533cb0ba612821f83bd80e4713
  SHA256:   7826b99921eb9bc312f353e266e21a9b4fe7618da99b4d25cc2b85eec291b063
  SHA512:   ddb75433f669d67ef68015fa914666c3b7e70878589e5680786ccd8f4525a6726ffa76b26c7d919d30da15f8f637a602c088e8059f8848ab8b96f3b5047b0968
-
(no path shown)
  Filesize: 71KB
  MD5:      e638e3b153dd62c45c556a91a8848a68
  SHA1:     a52c871f9b3c150b9a6c7666bc624a9da1fb32c7
  SHA256:   60d3bd15f325ae94eae9fa33d3689b20915204c1aeff8908766917fdb3a730b5
  SHA512:   8b2fa9deb685a8beb6bf81ef6cbedb8fcf8c5f75f9cb6206251e055a7a21e68984e18affe26eaa514df3f1aac63bbb96af71d46d84445d71a4b1cd824b7cb064
-
(no path shown)
  Filesize: 41KB
  MD5:      3e798c9ded13bf3d98898e1c569a52bc
  SHA1:     8868be1c37deb5bd1744dc26eea75ebf658063a2
  SHA256:   1bc57b7b15c7f0f1791e821c6b30a19bd6c89514c19bc9ffa4296e0c146fe5b3
  SHA512:   56ccf18c6eced1e8d01e6fb7e28979512af02ed3835c49fe07d167945f418e5792a54e1938e5d2878403a088837490bfe7934c03b9e272a9f828663b2ead69cc
-
(no path shown)
  Filesize: 9KB
  MD5:      273f6dfe692bfd9f2775a48566d8245d
  SHA1:     3ddc4386c852b3500328b4d3531dfe8e7715acd3
  SHA256:   d4f7b47ae9c497db5c084ef87f04b6957b5d36aa70ed821b69e6b33b92bcf3ea
  SHA512:   dc97a07ceceeadcd6a50ae8e9b4c1dd3296ef74ef44d7c37b67635f08d10b17be3077cc71465b716b57e0b788aa915a9344f6dfd52dfe9ab4ddafae459da8503
-
(no path shown)
  Filesize: 27KB
  MD5:      738cae3322c4aaee77bac3c98f271365
  SHA1:     efbc96a6b5b13c5870a6cc572b5df09792ec0f56
  SHA256:   7f82dd9b8e53fe42e846a23a5b6e39ad44a0436c1b59711004ccabd78cec18d3
  SHA512:   388e2d0d545a527d65d52cb2dd7debc787af3b8c97acedda4c8353f6189e03a4825245966c1eb89f13dd2d46e6641d4bb6e96902dc475fefd5e54bebafd5fb74
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin
  Filesize: 2KB
  MD5:      12d986e3002240ff70817aafaaa5d65d
  SHA1:     f5a8f1b87df3dfeaac9ac346dbaa8a98322d176d
  SHA256:   f126889544cd65bddd5b894ff9efcf04605362d42877b02ba22ba117aa621bf7
  SHA512:   222159d7834dd1c01c09bcd2059b7b0e802cc6f6d4df685a0398d824c8ee99125f4c9c290e7fe320c8235d0b0a9b95e7dec4e53ff85739d9fc82e8aa0323d4e0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\91600d37-270f-403d-a466-2b014e4ea4e6
  Filesize: 10KB
  MD5:      ef55c0e1295d5601788fd1dadfb2d886
  SHA1:     b2277875b9b3955d39cd26ea366630647678c77c
  SHA256:   1042d34fad9db027a60fe649995080be4e1b3a1dfc2bda7c256bfa3752a4641a
  SHA512:   59dcfe4b1298a82a4e45e9244a4983bf4d471c1675b8226663160e308525d0d9a7b37018b1a63d4966afb78cb88064b3e42f6d9a3477d1d9778022567bd65575
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\96e97991-6c81-4895-9afd-6a71d9058c08
  Filesize: 746B
  MD5:      74ab9e73b99afa029ebeeaa1fd89de5e
  SHA1:     68a15baf846cb458971613938e9c057ebe6451d2
  SHA256:   14e5a88402955fda9587cd22b762c5f5785ceaed89a4a024904b4dbce969f0f9
  SHA512:   542fd264af3b878595e5d467ea77299d7c75c0ae57b8f0c9eeaadb77acae5fac2dc187edebf501ed1201ae01cfd24b597a73477da464bb1eb3cde748e0f68449
-
(no path shown)
  Filesize: 6KB
  MD5:      f7e824689b8992070045e87ef0b354f7
  SHA1:     83dcceaddd185fd070478404f577bc811d6a84c0
  SHA256:   09135e7e28988126c2be65d679e4d6e4775a1294dd18e1b4dce3b2b9aa81dd06
  SHA512:   a1217f1bdb8e1a7dd7f5b9efcdc129044a2d36e987f063bacdbd8a21a96e24a299ac6d30727c5e78082fe1402f8a1aa51d94482bac00a03bb43db16cf13b951f
-
(no path shown)
  Filesize: 6KB
  MD5:      bf48422a5d3a62b289bc7d218ea9ff04
  SHA1:     421a2829d40a9da8359c139e15292edf0be4be7e
  SHA256:   2358667ec0e8b7c6bfe7a2751a969a3dd0e229c7712e69a646e9e3c12b4797ab
  SHA512:   1c0b0217aa4d9dd96dbf37a91acbc137088a0b8cbf8b036be7eda67e03334cb9b34266694e61405b1098a032a41e6bda6b445dd536ef52aa89b8aadbed0b1478
-
(no path shown)
  Filesize: 6KB
  MD5:      2a4ad19ecd7341cb9d383729ec424a44
  SHA1:     b8872d4157520989622992ac44d51a3f06c87a17
  SHA256:   003b1162ed44d5a603f5f349433d2c521057ec679509b4835df8566b3827d9a6
  SHA512:   c9869fb0cfcee62f22903e4905bc891d82cc9e21a7eeca7c60f0518c90badd8d3693681a4b1174c35ce6e29504a0cb0c1bfb09545fdc91e06b10f16e1f65cc94
-
(no path shown)
  Filesize: 6KB
  MD5:      4de4b2faec2f66a1f8ac1428a73e6ac6
  SHA1:     6ce55b33618bf4782c28529c0ca8c0cbff4db6cf
  SHA256:   37d6c349bcb085e5f31ba688edd42fa41125c0a9133bde13b2cb9efcdd6f829b
  SHA512:   8ccb2a7d54145cfa136720a89c271a24ee2be7dfb852817678fffa41cfd1ee07fb47b3a26ec02c63fea2ac0ecafafba82a41b0aac939921c9a6a3b14854b27e0
-
(no path shown)
  Filesize: 6KB
  MD5:      ad5c39702c19ebe15549edb6809cb492
  SHA1:     698b1843618e1e827b3d12b718eb6e64c6b1a18a
  SHA256:   3dd16730c0d6fbfef82d9c8eb8e1b7501bad8e3e251ae263fd9b9ad1c71aa474
  SHA512:   793da8cb1bd847e36c3f0dc7ce74cf8173ff1f3f47d930f26c0c86064177a69bc7b8eb4b1276f25569e7b7447a6ee14ecdd26f9e83e39808015223277473e097
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 4KB
  MD5:      3e54833dc88d91d98dfd5b598afc1082
  SHA1:     346fe2553b2828ec1ba1ce2379843c09103e2ec0
  SHA256:   d9078a9cc5ac2982f8d2e904ba16a418a422a6c325940f6875eae685e14abc8d
  SHA512:   425982190d8b9693974944cbf09515677a0ec6f235081ecaffa6fc3e8e0bad110bcbfb8abba15b28c05641b252111c8e5ffa46788646180d25398c80b45acd91
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 7KB
  MD5:      42ce03367fca5e47454eb5ea53b7e6fa
  SHA1:     97afc97206e1edd7987021edeee7d1566820ea64
  SHA256:   b7f5b49634f6b34b22a248f7238cbf1d6f32da983603f49dcb280b2cb62971d7
  SHA512:   5fd597f91f14ab069dc96179c5dd2aa4429a9369c44431292657f1bc47b0f7272549d58d04352b4051bc34ce264523326a84f819da34eaacf40ddf3fb5f999e7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 7KB
  MD5:      fc38ed614a3540de0ccfd4f8dadd70f0
  SHA1:     9dd56f8a91d302c66ace79cfb38e0513a2bfd6d9
  SHA256:   68fe32d711b4394825d9dc339c201e79f3d16aaf8a20ca331d9c201119f2bd92
  SHA512:   bd1d962bc817b6e1ab06168c50fb7f495f5131e2353aa9953d7c91f54097ac3d9ec05ef2cc847df111d37d7d77ece6282d3a49d98cf39ae55f6474dd0f4f12b1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 7KB
  MD5:      35f245956725728237221b4ad3449fbe
  SHA1:     a68cfd4090b1729a6ca3b74813d5249c5a860933
  SHA256:   ce1132fc8e2ea1b16a9b4fd190a90a29a1ae41d954cb5b199c9c2f6e04e9b0d8
  SHA512:   cdf248a02403ca90720ecf1694792010de9abc7a0beff0f62f32d044174a491ccc83abf705ae2c9d267b4b9d61f6e2e119d97bfb86c1901e8d5875292c44efa4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 7KB
  MD5:      21842306982ca6b1ced57d439eeaffa3
  SHA1:     251d59f03908246a4bbc451a104c3ee087830c5a
  SHA256:   be1c4384315a6402a1cebb2bf69104503779ca95d149e2323890623e9658cec5
  SHA512:   65832ded65b01900056025fe08680e8f811209498fe537fe6488d520bfab1335b339172c43db753bbcbab3717bdc142e148688fb90fb6762bcce19926c9dccde
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 3KB
  MD5:      c7407624b09537c41b20e584abcf5e0a
  SHA1:     077aca09378a7a3e5f2b45780276d844ff9f37f0
  SHA256:   5e18fe8e62866907d2f0cf86c2fbf3fc32c94b25bd21394ec4214784398164a3
  SHA512:   b80e6df17fe50e2a2931f420274c1ad4c1d0563aa2e28c07b5e4800b50006485196adaae737f041cfe4d091be8670bebf06cd06844144dd8a2ff47132e06234e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 1KB
  MD5:      b0327f28eb03839057e4c93f5e35fb66
  SHA1:     d82f09fef3726903287135b9fecda015e3cae4f7
  SHA256:   63929bb50fb7b8cf26725c656485c89f7a6866e5882ada11e0640a3441df5c3c
  SHA512:   19ccfc4e80c60a2d3235520fc38ea039f70995a4b67eba4df986071f5e57cb93a54480973fe804f1956b0a13e2f11ea5a1dffed4accf94133d8117693244e84d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 3KB
  MD5:      e68ef8bb590a0b93fb168808b30677be
  SHA1:     5e44f61d9e288ef0d5c3db30e73f34dc02992b90
  SHA256:   0d3b19fee11be366a960c1fcfb385c0e2c94b041dce0747586d6f53578d8f51d
  SHA512:   ca9abd79dd2a5612cfe04868d72d718e5456eed6328a47c77fd1309d83d03753c9cb4a7863e7fffe60a7795753a51fafcfd1589f9c365c677b9dafd8525498c5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 4KB
  MD5:      3e28cd41a1fbb0d3703f4859d51e1db3
  SHA1:     e6b28f7633814db7ea6fed893f5143341b15b882
  SHA256:   618161de6bfd9c130094b2ae4baba684dae4384b8fc73578791076d6c7ed9999
  SHA512:   3ddfa1c5977e8ee56a5135e4a76a91ab9b7699fa6a22bdb5c8dd478dda107d26fd77534e93ae6a522fc0c8e07620c82365ad11428cd56e74248d3fd71894b900
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 7KB
  MD5:      c0bbdd7029ea46e57caaf3b9b33c27c7
  SHA1:     d987db5dd130016d1c41d99af35b8e776ae7207c
  SHA256:   53380a80ada4f5bed0c9ec5e9cb4cd060984839e9428d9bedccbc2e3cb891805
  SHA512:   7a857e088a715c8a1537e12ee17c84d9b1274fed2d896b365b80b07207a896717315538c1e9ee0645f377af3fd2d59e5c9548afe7cea87750aafa283d5fd746e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 7KB
  MD5:      6b811e1e9deca8b78803e3619fd8eaee
  SHA1:     72819c8505bd92b77fce05d97a484d99631eff09
  SHA256:   51d5abdeb49e25476fdeb0d44c80b7a684308dfd3e65f85c13e095fd3d4bcf8f
  SHA512:   c893e5b56f3bca5d4b73c0b5c27c96ecb43729d3dc98dbecc850175bf1e6612095924fe216a047b807e6123fe9537f25e11522d72a8299aac7eb60963fec13e2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 7KB
  MD5:      ed3672ef7493f445366c6493d405129e
  SHA1:     1d22087f998f607606649985e591cd685aeebeb8
  SHA256:   94b58051dc293c96a05ad41cb19b189f17adff1a50511a7f396f5bbbb148773b
  SHA512:   3ebc53098111eb797545f074b563c6b68593e1165a526cbbf7947c8271eb03dbbc62d137d7345d5e45096f308e3eebd2007d56cb57ed6b4ab91f8a33504f97d0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore.jsonlz4
  Filesize: 7KB
  MD5:      9b442eda5dd96bac0a5a91c645cf4944
  SHA1:     c95e4c94d69752d81f4f01c3b10699aecc603315
  SHA256:   44afd193ad7789e9400ec5bf909579167292fcbf46e0a40ee23743d4d237d127
  SHA512:   f6845ae2646d04cabe46add788a4650f9e2142cbb547e7041d83feb17af01c4a11b0ac391fab5f497ade487b1d33682cd9a67f220c3ec4333dc9ffb716e0c891
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\default\https+++app.innovamat.com\ls\usage
  Filesize: 12B
  MD5:      820740e338909dc92d872c6faf187d77
  SHA1:     9aaa382bb08efa7004765805f7f4cfa93c8d5a3e
  SHA256:   de9d34b5e6c380f877ff4efdc01a643e654e164c104b131d4fd3b8cd14e1dfe4
  SHA512:   28bc5b45ce04ede009d2de9bbec2efae67930141a53c52316a7db4c2cbb4d083f0c2a4dbea37856e6c72e8a640e7a8786b3254f6ab3e600bd1ffde24287ed6b2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\default\https+++applets.innovamat.cloud^partitionKey=%28https%2Cinnovamat.com%29\idb\3470826767CtascehueqdeFRehtc.sqlite
  Filesize: 48KB
  MD5:      a47d17d17be67e776a7472421cf53654
  SHA1:     2e8d342fcf683d8f87f75cb642d5fef53fa5f924
  SHA256:   0e5f43cf8235dde149c26ab34aa6a047ef997560be9b421b648820d9e9ab2f90
  SHA512:   cec2db10b7eb452559c40d3b24536d879bfedbbae67db65956c7d23198a641b447d37afd9f937b39958a805eece7e1af3130f80c6c8af7fd61d34ab54731145f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\default\https+++student.innovamat.com\ls\usage
  Filesize: 12B
  MD5:      57fb6a8e57193e75d033402687e3be4e
  SHA1:     8252252cba3b1aca39c44b259e2970513760a922
  SHA256:   fb2a8a53ba1824e3409b112873bcab98cec37df11b12a80927bccf3493fe60bf
  SHA512:   e1fabdda9a7cc2c82ff25e322f5ad4e650830fb8f66b04557f1b433ebf5b51a7d4610d7e5402bf7081167eac043403bdd9c5a82517ba794be16afdbcfa2eca43
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\default\https+++student.innovamat.com\ls\usage
  Filesize: 12B
  MD5:      cd78fdf22acef3382e352ca0da560f78
  SHA1:     6b0b0652cf0694644cbe501e6a3868801cbf7b88
  SHA256:   d53c3c884859fc16fcba4cb3b473b18af27499bf32151f6e874f13ecf80ff55e
  SHA512:   577f6f056495a644453a4d23949dce78cfce21191c7eb7d091fa523b1f36237f8e68916114896c78283fe375db0b58034d22edee7aa5bddbd995ddf9990d1b36
-
(no path shown)
  Filesize: 16KB
  MD5:      1d5ad9c8d3fee874d0feb8bfac220a11
  SHA1:     ca6d3f7e6c784155f664a9179ca64e4034df9595
  SHA256:   3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff
  SHA512:   c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1