33eee5f66a38fc66f52d7346251d1017d9a02aac7cc4c7a9cb367549d577b886

Analysis

max time kernel
954s
max time network
959s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kav21.3.10.391en_26074.exe
Size

2.6MB
MD5

db7a22234425b05bb4a1f560e112ce24
SHA1

efac3e678234ac987c7f206f9f65b7de283307bb
SHA256

33eee5f66a38fc66f52d7346251d1017d9a02aac7cc4c7a9cb367549d577b886
SHA512

39ab0d09cd0dcb442c4fc12a07da92351f3e12a63307064573722aba02a7d2cce5d5b46dde4d3f158b96b80efb95ddf7f9e6219b979eb501b95051394a948ce8
SSDEEP

49152:u47Nlau3ZHJvDrOV9Gcwb/alTe/iXMNLdcE/EBSDre/2jX8oa:ueNlau3RJOV9GvZbRDe/2zU

Score

7^/10

bootkit evasion persistence trojan

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

kav21.3.10.391en_26074.exekav21.3.10.391en_26074.exe

pid process

212 kav21.3.10.391en_26074.exe
2676 kav21.3.10.391en_26074.exe

Checks for any installed AV software in registry 1 TTPs 64 IoCs

Security Software Discovery

T1518.001

Processes:

kav21.3.10.391en_26074.exekav21.3.10.391en_26074.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Settings	kav21.3.10.391en_26074.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\UseSWRender = "1"	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\International\Scripts\4	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Play_Animations	kav21.3.10.391en_26074.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Enable Browser Extensions = "no"	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Anchor Underline	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\XMLHTTP	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\AdvancedOptions\DISAMBIGUATION	kav21.3.10.391en_26074.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Move System Caret	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Enable AutoImageResize	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\International	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Disable Diagnostics Mode	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\International\Scripts\4	kav21.3.10.391en_26074.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Enable Browser Extensions = "no"	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\DisableScriptDebuggerIE	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Move System Caret	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\International\Scripts\3	kav21.3.10.391en_26074.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\KasperskyLab\IEOverride\Main	kav21.3.10.391en_26074.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\UseSWRender = "1"	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Print_Background	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Styles	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Display Inline Videos	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\JScriptProfileCacheEventDelay	kav21.3.10.391en_26074.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Cleanup HTCs	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\DOMStorage	kav21.3.10.391en_26074.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\KasperskyLab\IEOverride\Main	kav21.3.10.391en_26074.exe
Key queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\KasperskyLab\IEOverride	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\JScriptProfileCacheEventDelay	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\KasperskyLab\IEOverride	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Show image placeholders	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Disable Script Debugger	kav21.3.10.391en_26074.exe
Key queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\RtfConverterFlags	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Use_DlgBox_Colors	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\UseHR	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Enable AutoImageResize	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\RtfConverterFlags	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\CSS_Compat	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Print_Background	kav21.3.10.391en_26074.exe
Key queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Display Inline Images	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Display Inline Videos	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\International\Scripts	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Text Scaling	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Settings	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Text Scaling	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Show image placeholders	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\XDomainRequest	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Play_Background_Sounds	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\International\Scripts	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\SmoothScroll	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\XMLHTTP	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\XDomainRequest	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\DOMStorage	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\AdvancedOptions\DISAMBIGUATION	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\UseHR	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\MenuExt	kav21.3.10.391en_26074.exe
Key queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Q300829	kav21.3.10.391en_26074.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

kav21.3.10.391en_26074.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	kav21.3.10.391en_26074.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

kav21.3.10.391en_26074.exe

description ioc process

File opened for modification \??\PhysicalDrive0 kav21.3.10.391en_26074.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

kav21.3.10.391en_26074.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN kav21.3.10.391en_26074.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	kav21.3.10.391en_26074.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	kav21.3.10.391en_26074.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

kav21.3.10.391en_26074.exekav21.3.10.391en_26074.exe

pid	process
212	kav21.3.10.391en_26074.exe
212	kav21.3.10.391en_26074.exe
212	kav21.3.10.391en_26074.exe
212	kav21.3.10.391en_26074.exe
212	kav21.3.10.391en_26074.exe
212	kav21.3.10.391en_26074.exe
2676	kav21.3.10.391en_26074.exe
2676	kav21.3.10.391en_26074.exe
2676	kav21.3.10.391en_26074.exe
2676	kav21.3.10.391en_26074.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

firefox.exe

description	pid	process
Token: SeDebugPrivilege	4944	firefox.exe
Token: SeDebugPrivilege	4944	firefox.exe
Token: SeDebugPrivilege	4944	firefox.exe
Token: SeDebugPrivilege	4944	firefox.exe
Token: SeDebugPrivilege	4944	firefox.exe

Suspicious use of FindShellTrayWindow 42 IoCs

Processes:

firefox.exe

pid	process
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe

Suspicious use of SendNotifyMessage 41 IoCs

Processes:

firefox.exe

pid	process
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe
4944	firefox.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

kav21.3.10.391en_26074.exekav21.3.10.391en_26074.exefirefox.exe

pid	process
212	kav21.3.10.391en_26074.exe
212	kav21.3.10.391en_26074.exe
212	kav21.3.10.391en_26074.exe
212	kav21.3.10.391en_26074.exe
212	kav21.3.10.391en_26074.exe
212	kav21.3.10.391en_26074.exe
212	kav21.3.10.391en_26074.exe
212	kav21.3.10.391en_26074.exe
212	kav21.3.10.391en_26074.exe
2676	kav21.3.10.391en_26074.exe
2676	kav21.3.10.391en_26074.exe
2676	kav21.3.10.391en_26074.exe
2676	kav21.3.10.391en_26074.exe
2676	kav21.3.10.391en_26074.exe
2676	kav21.3.10.391en_26074.exe
2676	kav21.3.10.391en_26074.exe
2676	kav21.3.10.391en_26074.exe
4944	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

kav21.3.10.391en_26074.exefirefox.exefirefox.exe

description	pid	process	target process
PID 212 wrote to memory of 2676	212	kav21.3.10.391en_26074.exe	kav21.3.10.391en_26074.exe
PID 212 wrote to memory of 2676	212	kav21.3.10.391en_26074.exe	kav21.3.10.391en_26074.exe
PID 212 wrote to memory of 2676	212	kav21.3.10.391en_26074.exe	kav21.3.10.391en_26074.exe
PID 1692 wrote to memory of 4944	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 4944	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 4944	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 4944	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 4944	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 4944	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 4944	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 4944	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 4944	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 4944	1692	firefox.exe	firefox.exe
PID 1692 wrote to memory of 4944	1692	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 2684	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 3024	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 3024	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 3024	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 3024	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 3024	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 3024	4944	firefox.exe	firefox.exe
PID 4944 wrote to memory of 3024	4944	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe
"C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe"
1⤵
- Loads dropped DLL
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:212

C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe
C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe -sendDump="C:\Users\Admin\AppData\Local\Temp/KAVINST.21.3.10.391_05.21_16.18_212.SETUP.full.dmp"
2⤵
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks for VirtualBox DLLs, possible anti-VM trick
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4196,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:8
1⤵
PID:3472

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1692

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4944

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4944.0.825419954\1894260010" -parentBuildID 20230214051806 -prefsHandle 1772 -prefMapHandle 1764 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7215db62-e5e2-4dcd-8310-b6cafdbc5576} 4944 "\\.\pipe\gecko-crash-server-pipe.4944" 1852 214c6421d58 gpu
3⤵
PID:2684

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4944.1.21125663\1362729091" -parentBuildID 20230214051806 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 22280 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ae7f34b-e286-4ae3-a269-d0d9022f1e5f} 4944 "\\.\pipe\gecko-crash-server-pipe.4944" 2420 214b9689658 socket
3⤵
- Checks processor information in registry
PID:3024

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4944.2.1980477106\2039038444" -childID 1 -isForBrowser -prefsHandle 2960 -prefMapHandle 2956 -prefsLen 22318 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7cde7455-0ce4-43b4-ae79-3ce2ae0ce947} 4944 "\\.\pipe\gecko-crash-server-pipe.4944" 2972 214c8debe58 tab
3⤵
PID:380

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4944.3.817190993\1175041208" -childID 2 -isForBrowser -prefsHandle 4296 -prefMapHandle 4292 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f67f9eb-f1eb-4e8a-b77a-dbadf32223dc} 4944 "\\.\pipe\gecko-crash-server-pipe.4944" 4304 214b9640058 tab
3⤵
PID:4956

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4944.4.1674861062\646365497" -childID 3 -isForBrowser -prefsHandle 5072 -prefMapHandle 5064 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2b32b0e-ece7-484b-9968-9498713e9e3f} 4944 "\\.\pipe\gecko-crash-server-pipe.4944" 5080 214cd7df158 tab
3⤵
PID:5364

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4944.5.200450469\326439229" -childID 4 -isForBrowser -prefsHandle 5188 -prefMapHandle 5192 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b1801ad-59e3-4599-9b48-fc9e60d2f609} 4944 "\\.\pipe\gecko-crash-server-pipe.4944" 5176 214cd7e0958 tab
3⤵
PID:5372

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4944.6.1427753765\816897696" -childID 5 -isForBrowser -prefsHandle 5372 -prefMapHandle 5376 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6e10ae3-3a77-4247-8076-585b8756d65a} 4944 "\\.\pipe\gecko-crash-server-pipe.4944" 5364 214cd7e1258 tab
3⤵
PID:5380

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4944.7.1072876756\1123052807" -childID 6 -isForBrowser -prefsHandle 5876 -prefMapHandle 5868 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1522ed7-783e-4fb8-a6b2-4b439937acb1} 4944 "\\.\pipe\gecko-crash-server-pipe.4944" 5884 214cf60c558 tab
3⤵
PID:5992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4180,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4228 /prefetch:8
1⤵
PID:4980

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\activity-stream.discovery_stream.json.tmp
Filesize
23KB

MD5
a59d6452268d0bcbf2a26a8a7299c52b

SHA1
49c35f8b1e0fbd73350b3baf2fc4e4571c6adb06

SHA256
584ecb38fa76d10e0ea108fbcd1fd646364ff03b763ef6483e79270e7fe2e990

SHA512
b7bacef51324f81af05d558c94bf9c85e5d2b24740e3af92542060d1d25ebaaf6ed657861319ced7c6529d849554611667e0816f4723aeba47f82beb9a6f302c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\entries\81D4B46E5F1C225F9056245AA4A09EA13A9F4FD3
Filesize
60KB

MD5
7afbae576d8f1167c8246f9e80514d15

SHA1
a098f20885761fa1cb97c29375047b4275d049ce

SHA256
7bccd78cf250763ff3b5b88540a72762cfd46dd5cd5617f2c46e129c266efd69

SHA512
8b392548b514579cfdbe4f4f994e81eae60cd5d8f1f282755803326903d48b84702c7d90b68853f84fa2630cb341ed9485f80a28b05b1ed98af809a1ca388f79

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\entries\F4EFE37A30D0F14C6AC03FF7949A51CBC2EBC649
Filesize
13KB

MD5
29a1477d977170baa1ec9c79f3f49204

SHA1
1801d07546b759637e020d76078346f0eedb6f72

SHA256
8016de5c2d96b2af654261c88b8400ea66f0740034a2ff44657f034eb6914aa5

SHA512
74b7207edbbfb594e4a3004a6406bac73fd6ec8f090601fc7318bb9f61a5450a840a81cf781662d0d909f42d419086a62e84d18fe7ff794e941d54fd3d32e6ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\484DC54CD871FE118B0CA52A11891C4D\setup.dll
Filesize
5.1MB

MD5
7c0418acfb24086ede591a7e1d3df7ac

SHA1
9bee27188d04bf44fa2e95a8fcb575497396f2b0

SHA256
d7b6905661d364be51bdb7e8e2ef9832ed0c33f056c4f40368f9ae6c1b4e608a

SHA512
e2c45aad07d5db230c9758fde258ab5589160d81a8723a5d246fe3287fca1a192b162c33f35144a44d16dd655e4a86694acd55c9279a15b795777ede2b14f71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\C45CD485-178D-11EF-B8C0-5AA21198C1D4\check_new_version.html
Filesize
1KB

MD5
b79ab8145423e4714f4d3623a7913eef

SHA1
0f17053bd76724cb244866c537de47ea6124331a

SHA256
59a439debcea1f039382e258a337031f9878450afbce19a2a52a37783009fafe

SHA512
239663617d89722d8c4187804901436c456444b92655ade83c1fbf04231467693869efdc689123724dcc58d63665efb5dbb2a835fe49144facbea361c8ae9151

Download Submit
C:\Users\Admin\AppData\Local\Temp\C64A5AB7-178D-11EF-B8C0-5AA21198C1D4\install_error_send_logs_page.html
Filesize
2KB

MD5
cb59c7593555ec7511f0ce6049c95cfa

SHA1
09044dd6baf785ce6484b4a861b741990629db45

SHA256
9da9c7cea5cc920c9bd110fd4e2ec0b02d91e7bebcc71a95f5efd3bac3d99468

SHA512
835b945b061188d95e8cddf91ea06109da2caffb79abca742cfa5aa5b84a83e5f82b2a624f7067caf026f56cd997c0c9ab9d1ac09c016ebd5301ace36f080ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\C64A5AB7-178D-11EF-B8C0-5AA21198C1D4\jquery-1.12.4.min.js
Filesize
94KB

MD5
618538b4ab9639d444e962729a927f15

SHA1
dacc1f76630a9708add066819b1aabf8dce01056

SHA256
27d92130c0321dad5a03760fd5ac98a3d04ed4c94d88418fe6d50da1f7fc5cbe

SHA512
bcb6754ea246939a19a917cc0b810e1753c1b0f1a8b1b7e652128ef15dee4fc79111e4d88fe12f9188449a307e82240d0261af402d783428edfe5785c860372d

Download Submit
C:\Users\Admin\AppData\Local\Temp\C64A5AB7-178D-11EF-B8C0-5AA21198C1D4\jquery.custom_select.min.js
Filesize
5KB

MD5
d2c620c462b75696eea1fb22fb23602a

SHA1
900f78eb8e1103be1535af5e76d1bed686cdcce3

SHA256
dd678d32073078552e0e2c35eed78f16cc8d6e8662d4734518561a1b183f775c

SHA512
40e1180b63b328c22cfacc40529cbda2409a54fbbbd5813fcc5f8dcdf95ad7fcd74ea96382e3a2d0bcfed9e68c208f7733b7c630edee7e2013c9a5459091c02c

Download Submit
C:\Users\Admin\AppData\Local\Temp\C64A5AB7-178D-11EF-B8C0-5AA21198C1D4\kis-print.css
Filesize
306B

MD5
1304724dd5001b2600fc5bd80c098f1e

SHA1
87ec458c25a35e3a45c2a6ede9ec16ec4d4c7093

SHA256
2481b34b48fd96b194405da621e8e5f19142dcb55744f9c9a93591705cb697fd

SHA512
4371fbd6ba7e84ae827ec73bec4c903275e4373c16063b6fe63ca157a4db346df5617a9db5c9e1fdcb661f220f6dcbc1f7e4003805dba9fa7a279fc882aebeeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\C64A5AB7-178D-11EF-B8C0-5AA21198C1D4\kis-script.js
Filesize
306B

MD5
026425ccbf4417eefa444285707132ef

SHA1
a953b9f6781d4b6daa2eedc0c45d358f2a472370

SHA256
97e5f342227ea23c27c1b660f111847fcdd9d7b23c1d248c733a36f983fd7f04

SHA512
a266e2f9f10620347f0d05d081362086e81c67fb7c5f4a74c26cca54686f6afb2f2933b1f7afb6d9c96382ff4e4e3cf2f0f38cdd162175cdefccb5909b1aa6c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\C64A5AB7-178D-11EF-B8C0-5AA21198C1D4\kis-style.css
Filesize
29KB

MD5
2b4bd0afd0e9dd5c90fb8c3bb4a5d619

SHA1
a4a1a61d43e8f897d36fef9e1927848de2d312cc

SHA256
f9963b403e053f6bfa7c87cad3c10dd55cf1f94fefe00c6380921440e28b48d2

SHA512
c0b284552502304f05dd10606e01b0d35210a27f982bba8a605f2939a2ac43890636175431eab99edc45cfc2825fe1b1cffabd8067d9eaa7ad59af466a052974

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs-1.js
Filesize
9KB

MD5
4d2e9ad2bcb9d5bb43bf76358791f77b

SHA1
cd6a58f4853c8d6d93cdfb4ac51128ec376fc666

SHA256
29b85759d90b84fdd94fda14b59e9688fa91c52bedb718650062b2ae40daf05e

SHA512
a673b6831cd6ef07561a216823485c28a109d3d19c137694e4b56afca47c3388fd2440a603c0a31fd17adaf4417ff6506f142a6963888b62c8fd67f58602dc5d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs-1.js
Filesize
7KB

MD5
477bbbb9b29ed08f566aa34987e1d45c

SHA1
05bc8898fc3e01b38232de1899cfb7ce9cd76996

SHA256
f3340a74270681eab7d6f8c57c7b11bd2f9fb650c795f9a3497aa7118c536944

SHA512
1e7db62de560c87a5dc0e295339abd70f5cba9fcb6685541dbd992024848ef00785ff7a6cd5215c16e2bad30f827e4961d016d4b543d2f2151c484a32393884f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
d08689a0f7e004461d897611d1e6bb26

SHA1
800a1191f8e9b21060d096510e7ece4b5404305d

SHA256
2c689ce53283c533b15029e71df41ac5e60d4c1f5662122d4e811c2bbbebedfd

SHA512
42c896ef7b8cd1a6af4f65d6d9ed3290bb56cd113c9cd91c27422d5ea5c54e7b1bd142a0b2fa010c88c9ccaf588e3437a0e602ebfa880db75b0d7540bd4632de

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
ad995ee1faf2ef72240d3bde13aacb30

SHA1
db9ae15a6bb31072735d7bf5586ff3217719cf96

SHA256
f70dea1c7f2537bb27efc028edb6cb60afcf089d7bdcbdabc0569af92a0e0f80

SHA512
62b03565634fd7b0584afd3c9c30193775f86984443fdb09b7854080be393d87cf6b557276719a18cf32c4f7952781ba9980dfeb47081fa6fdae2e1ba74c13d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
c3b9b658eda40367851a49ad239a38f6

SHA1
e58efd8686b771dbffe4f66f793a6486fcd11087

SHA256
fea4d198c102761666fb55ee162945c766073dd62b2fe01aebc02383526355d5

SHA512
537a17453241309ac3169abeae4a4f76af275460873b991ab62b12ce973c8fe164ce3996212232d921c7211dd24237c27561382c23c71dfb56ed3bcef31e6502

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
45b699c9bf734e930b6489b5d42ed99f

SHA1
0b0b6463e8030da2c3d2481bd574e02b24995c87

SHA256
b8671d0f096fb4baa74f39cde399b09bf68b8843f04604b81d4489d956e62829

SHA512
ee576c7c524f32913b123e8df3aaa0185e252c7234b30f319f2adb2b214fb2062564ac09160e6d99b3e67f58e026237e9d9fb83d6f7c9d4ef05345ae50cd6c03

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
ea4ca803154e1a72f0cbc789368bbbd9

SHA1
98d47c9eb5d9ee33b0ef12f06463d2c320edf941

SHA256
06f7a5778d79ff537e5f1192c3f335ca36f3e56a1a8f6279806773c993e4b99b

SHA512
f7d25f3a0e1d6d5ec11c8721b7035c597749576af124bfeb1bbbed8684d643590003b3481423ccd6ad509b24e8710dbe57e134164bd7c12ba7c05cc603767204

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore.jsonlz4
Filesize
4KB

MD5
d1cb24ca388accc1a655b08af2fa61d3

SHA1
a3b09df8dc1bd8aff87a6c6c256ddcb158537347

SHA256
0b51f750149d2fb9b14a9a58fb4caa1c4698b635336b4548b3ba3990772bc68d

SHA512
f7611483f0f30dd2745dfbef5b089abfac5d61fb619e568f545e35f749752543bcb8b896875a0fbbc3ae2b2f7b8ac311d032a401133db77f65ded13855283c82

Download Submit
memory/212-1-0x0000000077BB0000-0x0000000077BC0000-memory.dmp

Filesize
64KB

Download
memory/212-3-0x0000000077A52000-0x0000000077A53000-memory.dmp

Filesize
4KB

Download
memory/212-0-0x0000000077BB0000-0x0000000077BC0000-memory.dmp

Filesize
64KB

Download
memory/212-2-0x0000000077BB0000-0x0000000077BC0000-memory.dmp

Filesize
64KB

Download
memory/2676-38-0x0000000077BB0000-0x0000000077BC0000-memory.dmp

Filesize
64KB

Download
memory/2676-39-0x0000000077BB0000-0x0000000077BC0000-memory.dmp

Filesize
64KB

Download
memory/2676-40-0x0000000077BB0000-0x0000000077BC0000-memory.dmp

Filesize
64KB

Download