Analysis

  • max time kernel
    1588s
  • max time network
    1592s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64
    arch:x86
    image:win10-20240404-en
    locale:en-us
    os:windows10-1703-x64
    system
  • submitted
    28-05-2024 07:55

General

  • Target

    script.ps1

  • Size

    2KB

  • MD5

    374d630d3910e9e3d54e4771acfe96ed

  • SHA1

    acdc0ac1fe0554b48b1c092554c879d6277881cc

  • SHA256

    e8aa5ffdcfcc134e37b424cfe0e7996f5c5406f11a51b5c50b184b31d87fa864

  • SHA512

    770fde1cef4ec0e66f330e0c66aceb802befbb56a1621e7d14419f385a868eebb5fe904226696bf1d48d50a7d62b4a922b2104b4d27953612a1e146b818ba29c

Score
3/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    powershell.exe is used to run a command; here it runs the submitted script.ps1 with -ExecutionPolicy bypass (PID 628).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read to fingerprint the host and detect sandbox environments. In this run the signature fires on firefox.exe (PID 4212), not on the PowerShell process (PID 628).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run at boot or at set times. The report does not attribute this signature to any process in the tree below.

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:628
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kavnnwqn\kavnnwqn.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA55.tmp" "c:\Users\Admin\AppData\Local\Temp\kavnnwqn\CSC94E1A5210F148918BDA587AA0C6FE48.TMP"
        3⤵
          PID:4480
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:788
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4212
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.0.1531404878\1516873490" -parentBuildID 20221007134813 -prefsHandle 1704 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {53d236aa-b251-4859-b0a8-e7d1a8bcabaf} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 1796 242e88d7658 gpu
          3⤵
            PID:4728
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.1.723626806\788106979" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a9e408f-dc40-4b5e-a826-ea00ea6325c6} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 2152 242e8430e58 socket
            3⤵
              PID:3060
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.2.1508242793\1790660608" -childID 1 -isForBrowser -prefsHandle 2648 -prefMapHandle 2764 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f28f9591-931b-42ee-9b6d-3460bda78702} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 3228 242eca9ea58 tab
              3⤵
                PID:4136
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.3.515803614\1282530669" -childID 2 -isForBrowser -prefsHandle 3524 -prefMapHandle 3520 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd69f2c1-8253-471d-9cf0-04a092b88c1a} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 3016 242eaff3d58 tab
                3⤵
                  PID:2376
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.4.1568985633\1427780914" -childID 3 -isForBrowser -prefsHandle 3676 -prefMapHandle 3684 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9d9b5c8-e2d4-486e-847a-527525d12cf3} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 3524 242e87faa58 tab
                  3⤵
                    PID:4332
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.5.202308204\769503109" -childID 4 -isForBrowser -prefsHandle 4740 -prefMapHandle 4724 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8b647e2-e255-43b2-a9a3-f9aba8c58f06} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 4692 242eb21ab58 tab
                    3⤵
                      PID:688
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.6.1402023674\246596844" -childID 5 -isForBrowser -prefsHandle 4832 -prefMapHandle 4836 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {19845428-2cf2-4ba8-8f3d-0d6db554b23d} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 4824 242ed0c8b58 tab
                      3⤵
                        PID:3600
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.7.818393791\747471025" -childID 6 -isForBrowser -prefsHandle 5044 -prefMapHandle 5048 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d254256b-26a9-46e4-a45a-44a307bf8810} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 4812 242ee9a7958 tab
                        3⤵
                          PID:4756
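The process tree above shows the classic footprint of PowerShell compiling C# at run time: powershell.exe spawns csc.exe with a `.cmdline` response file in a random eight-character directory under %TEMP%, and csc.exe in turn spawns cvtres.exe for the resource step. The `__PSScriptPolicyTest_*.ps1` file in the Downloads list is not part of the payload either: PowerShell writes that one-byte file (containing "1") to probe whether AppLocker/WDAC script enforcement applies, which is why its hashes are those of the string "1". The following triage helper is an added example, not code from the sandbox vendor or from the submitted script; the PIDs, command lines, paths and hashes are transcribed from this report, while the data layout, the regexes, the `Proc` class and all function names are this example's own.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Process tree and dropped files transcribed from the report above (PIDs, paths and
# hashes are the page's; the data layout and the checks are this example's own).
@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int] = None

PROCS = [
    Proc(628, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps1"),
    Proc(2892, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
         r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths '
         r'@"C:\Users\Admin\AppData\Local\Temp\kavnnwqn\kavnnwqn.cmdline"', 628),
    Proc(4480, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
         r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
         r'"/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA55.tmp" '
         r'"c:\Users\Admin\AppData\Local\Temp\kavnnwqn\CSC94E1A5210F148918BDA587AA0C6FE48.TMP"', 2892),
    Proc(788, r"C:\Program Files\Mozilla Firefox\firefox.exe", r'"C:\Program Files\Mozilla Firefox\firefox.exe"'),
    Proc(4212, r"C:\Program Files\Mozilla Firefox\firefox.exe", r'"C:\Program Files\Mozilla Firefox\firefox.exe"', 788),
]

# (path, size in bytes, md5, sha256); hashes kept only where a check below needs them.
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gad1a3xf.4hl.ps1", 1,
     "c4ca4238a0b923820dcc509a6f75849b",
     "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b"),
    (r"C:\Users\Admin\AppData\Local\Temp\kavnnwqn\kavnnwqn.dll", 3 * 1024, None, None),
    (r"\??\c:\Users\Admin\AppData\Local\Temp\kavnnwqn\kavnnwqn.0.cs", 557, None, None),
    (r"\??\c:\Users\Admin\AppData\Local\Temp\kavnnwqn\kavnnwqn.cmdline", 369, None, None),
    (r"C:\Users\Admin\AppData\Local\Temp\RESCA55.tmp", 1024, None, None),
]

def basename(path: str) -> str:
    """Lower-cased file name, with the NT object-manager prefix (\\??\\) stripped."""
    return path.replace("\\??\\", "").rsplit("\\", 1)[-1].lower()

def ancestry(procs, pid):
    """Image basenames from pid up to the root, e.g. ['cvtres.exe', 'csc.exe', 'powershell.exe']."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].parent
    return chain

# powershell.exe accepts abbreviated switches (-ep, -ex, -exec ...), so match the prefix.
EXEC_POLICY_BYPASS = re.compile(r"-e(?:p|x[a-z]*)\s+(?:bypass|unrestricted)", re.I)
SCRIPT_FROM_TEMP = re.compile(r"-file\s+\S*\\AppData\\Local\\Temp\\", re.I)

def cmdline_findings(proc):
    """Command-line indicators for one process."""
    out = []
    if EXEC_POLICY_BYPASS.search(proc.cmdline):
        out.append("execution_policy_bypass")
    if SCRIPT_FROM_TEMP.search(proc.cmdline):
        out.append("script_run_from_temp")
    return out

def inline_compile_chains(procs):
    """csc.exe with powershell.exe as an ancestor is the footprint of Add-Type (CodeDOM)
    compiling C# at run time; cvtres.exe under csc.exe is its normal resource step."""
    hits = []
    for p in procs:
        chain = ancestry(procs, p.pid)
        if chain[0] == "csc.exe" and "powershell.exe" in chain[1:]:
            hits.append(" <- ".join(chain))
    return hits

def is_policy_probe(path, size, md5, sha256):
    """PowerShell drops __PSScriptPolicyTest_<random>.ps1 containing the single byte '1'
    to test whether AppLocker/WDAC enforces script policy, so its hashes are constant."""
    return (basename(path).startswith("__psscriptpolicytest_") and size == 1
            and md5 == hashlib.md5(b"1").hexdigest()
            and sha256 == hashlib.sha256(b"1").hexdigest())

def addtype_scratch_dirs(paths):
    """A directory <x> holding <x>.cmdline, <x>.0.cs and <x>.dll is the scratch
    directory Add-Type hands to csc.exe; its .dll is the compiled code worth pulling."""
    by_dir = {}
    for p in paths:
        d, name = p.replace("\\??\\", "").lower().rsplit("\\", 1)
        by_dir.setdefault(d, set()).add(name)
    out = []
    for d, names in by_dir.items():
        stem = d.rsplit("\\", 1)[-1]
        if all(stem + suffix in names for suffix in (".cmdline", ".0.cs", ".dll")):
            out.append(d)
    return out

def triage(procs=PROCS, dropped=DROPPED):
    """Collect every finding into one dict keyed by check name."""
    findings = {"cmdline": {}, "inline_compile": inline_compile_chains(procs),
                "policy_probes": [], "addtype_dirs": addtype_scratch_dirs([d[0] for d in dropped])}
    for p in procs:
        hits = cmdline_findings(p)
        if hits:
            findings["cmdline"][p.pid] = hits
    for path, size, md5, sha256 in dropped:
        if is_policy_probe(path, size, md5, sha256):
            findings["policy_probes"].append(basename(path))
    return findings

if __name__ == "__main__":
    for check, result in triage().items():
        print(f"{check}: {result}")
```

Run against this report the helper flags PID 628 for the execution-policy bypass and the script run from %TEMP%, reports the `csc.exe <- powershell.exe` chain, identifies the policy probe so it can be dropped from the indicator list, and points at the `kavnnwqn` directory whose `.0.cs` source and `.dll` output are the artifacts to recover next. The same functions work on any process tree and file list in this shape, not only the one transcribed here.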

                    Network

                    MITRE ATT&CK Matrix ATT&CK v13

                    Execution
                      • Command and Scripting Interpreter (T1059): 1
                        • PowerShell (T1059.001): 1

                    Discovery
                      • Query Registry (T1012): 2
                      • System Information Discovery (T1082): 1

                    Downloads

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\cache2\doomed\12238
                      Filesize

                      11KB

                      MD5

                      729cde036cced45a65c9921d8cbca594

                      SHA1

                      3bf1699fef0d9a95f18b415626b2c693a74e578d

                      SHA256

                      866efa74a294caf98808e3ba586aff37fd99f11c93a96c43323bc2bd26858529

                      SHA512

                      86a15d4ef4a38e727a642ec16c9ed4a108f86f5701baaded3c310de4ed0d47df5553551e8077ff1cb5b74b155907ccbb99f4ff7f70a703fbbb4503c34c1ec818

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\cache2\entries\F4EFE37A30D0F14C6AC03FF7949A51CBC2EBC649
                      Filesize

                      13KB

                      MD5

                      40d7051336a689bf349ce19f6d55b850

                      SHA1

                      7c3c0a2228a85a70b0d840ea4fa7d8bc57b6e7a6

                      SHA256

                      a3247ee6df4431a33e3328d1de4f2596f32f6018f49b0f7e39e12ddbc2641564

                      SHA512

                      39fb118df5f6f8616258c7b9e90cdff37cf25b627ef616af2fec77e7a15676c78a880c41e977aa74a549633f0544914b13b44f6e2fd5a5440aa786f8ce1ac66d

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                      Filesize

                      7KB

                      MD5

                      c460716b62456449360b23cf5663f275

                      SHA1

                      06573a83d88286153066bae7062cc9300e567d92

                      SHA256

                      0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0

                      SHA512

                      476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

                    • C:\Users\Admin\AppData\Local\Temp\RESCA55.tmp
                      Filesize

                      1KB

                      MD5

                      6abe509ded6f691a07e7229ece2d93b1

                      SHA1

                      bf50271539345eba34bb409c567a0781fef9ea61

                      SHA256

                      522dad01f533f54f6cf9f4ca450b3f39188a7e98f8a962872d1070e0d258c3ce

                      SHA512

                      30a62034af8d13c1a9701d520ad290b32aa2ce40081f92cf6be7dc82a5d9e5dec8cb8c88e867a79ec8c730d98d2bb7a443c0c4fdcae981a60c3f673aff8b519e

                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gad1a3xf.4hl.ps1
                      Filesize

                      1B

                      MD5

                      c4ca4238a0b923820dcc509a6f75849b

                      SHA1

                      356a192b7913b04c54574d18c28d46e6395428ab

                      SHA256

                      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

                      SHA512

                      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

                    • C:\Users\Admin\AppData\Local\Temp\kavnnwqn\kavnnwqn.dll
                      Filesize

                      3KB

                      MD5

                      0ff1bf9fce04e5fabe04bd46ca964f14

                      SHA1

                      0b28764fa07d5e1944d6dc153b84ed661de30158

                      SHA256

                      a9b156050b53a9eecd2ef436fc1dc7596cbfc9c2583a9a00a630b14bab5710ac

                      SHA512

                      c856fc25ca63cd783dad0346e1547a1f7803a3577f191225d5f7f9e8a235dc9311f1d2fb3ba38b21d7575b09191b9c53612eb466b485258411e0474ad17ad1e4

                    • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                      Filesize

                      442KB

                      MD5

                      85430baed3398695717b0263807cf97c

                      SHA1

                      fffbee923cea216f50fce5d54219a188a5100f41

                      SHA256

                      a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                      SHA512

                      06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                    • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                      Filesize

                      8.0MB

                      MD5

                      a01c5ecd6108350ae23d2cddf0e77c17

                      SHA1

                      c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                      SHA256

                      345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                      SHA512

                      b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
                      Filesize

                      5KB

                      MD5

                      49b8e9a4beead847e2f8aa550111e1c1

                      SHA1

                      4bea7f8438730ea1e5d078a2edc1a6846f8e0f07

                      SHA256

                      821027144246fcf766d2bb3c4d74df89185171cc88fe004eceee173fea372051

                      SHA512

                      3cc5022a86e11b23b46eb4b2a39e86eb59711d7e3ed158e37fc406c41ffdd6b6ccd9fe16b4a72a025c8cd26ef0aa36f4c78196ee80adbe04e373bb26a830919d

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\bookmarkbackups\bookmarks-2024-05-28_11_fHex2gcaYrcM3bB6rAfVHg==.jsonlz4
                      Filesize

                      941B

                      MD5

                      06d87d126355fd690e457ce18b4778f7

                      SHA1

                      3de1658c09f3729a9ef1e86d20a4379192b125b3

                      SHA256

                      d7f1acf55995a0c37cee175af46bd974fa2bb09f2905e9001aeaf604166b7294

                      SHA512

                      78ea844adc923e9d7383c4c2c2566aa99097542d69ad04655398dae6ae4e7b9b63037c5c5a7776e939f6337f216e5e906fac5f3faef5bdad8302b117ee653eb5

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\broadcast-listeners.json
                      Filesize

                      216B

                      MD5

                      5aaef3166c6e76fcd9902c008edd75d8

                      SHA1

                      f366588652f12c9b7eaf2f8b16ce044333a83683

                      SHA256

                      00974d52cb364d32124bf33b14a4fb4cc8461e854de04969afe50eb3e4d81861

                      SHA512

                      7683756e83b1b74183794b1d67270de31ad5e617afa04994b4b76bccb23c1b8e58aff8375960ea648bd9042ceb3025b0efa6261db0f7e2d397e1762ed2abaa74

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\db\data.safe.bin
                      Filesize

                      2KB

                      MD5

                      d95e950005fef428e3953993272bff63

                      SHA1

                      73ba17a3b9f8a084118d392c8bedb45867e8afce

                      SHA256

                      e240c3aa8b4e763e29a76d1f6df18997249107f67b2e5c8faa12341c55cadf4a

                      SHA512

                      162cdf390c7b90fe1d9560874e3f4e219047b6f483f6d523a2d43a4e8d3a88363edb247a6581d2c9a42884a3c1320319227295f953bc6262cf982015ffbdf629

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\pending_pings\be7f8848-7a1f-4a66-bb31-d27927a8eb6b
                      Filesize

                      10KB

                      MD5

                      04688060dc4ca341a8ee0d9ac627fbf8

                      SHA1

                      6d7c35458f9070c1443becaeb15ec9a2129dfbe9

                      SHA256

                      cabefb942b9e88552cc8a0456e0fb972a603ccee1d8e4122f2e39c8c425eb965

                      SHA512

                      16e87a208284d952c0e1ad45c080882141b578e382f54b0fa1d8486b27a5b3fdc50e04b89309954383563992e9a2ec3949a6b43c88b431ff9c1cf5b60e68160a

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\pending_pings\e037fc4b-3430-4164-8b15-529becf05c3a
                      Filesize

                      746B

                      MD5

                      71a6baed65a1fa44ec9d0c1c728af94e

                      SHA1

                      1711f9a3ed5ba02740766a30c768214fdfa1725e

                      SHA256

                      682d2f64b09b60568ac28630406a27b4a9379e1d010ea1272ac4076e79d4462e

                      SHA512

                      290365ba36072baa6338d99c62ae2ddd28b689cbbc3b356f191d0f6f659c082d6285ea9c2b5bb45f7406656b07eb451d9ad5e68020928a09bfe2fa64fb30f0ca

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\extensions.json.tmp
                      Filesize

                      34KB

                      MD5

                      5ebd0622338bda931843fbee29c374d8

                      SHA1

                      04e73b6e8cdc0f56e5faa396ec1db543621f0d8b

                      SHA256

                      97a2a6dac05273711c0717e0cb8d04763691ac175c675760b5db81d332c31289

                      SHA512

                      213155fd8a53bc7b5c40940cf4f3cb400cdde4218893b4d31a8f8262ad8621af2fb738014402333c1c220b6692683c3f47e7dc56a13290adcbdd32c62f29cd52

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
                      Filesize

                      997KB

                      MD5

                      fe3355639648c417e8307c6d051e3e37

                      SHA1

                      f54602d4b4778da21bc97c7238fc66aa68c8ee34

                      SHA256

                      1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                      SHA512

                      8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
                      Filesize

                      116B

                      MD5

                      3d33cdc0b3d281e67dd52e14435dd04f

                      SHA1

                      4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                      SHA256

                      f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                      SHA512

                      a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
                      Filesize

                      479B

                      MD5

                      49ddb419d96dceb9069018535fb2e2fc

                      SHA1

                      62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                      SHA256

                      2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                      SHA512

                      48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
                      Filesize

                      372B

                      MD5

                      8be33af717bb1b67fbd61c3f4b807e9e

                      SHA1

                      7cf17656d174d951957ff36810e874a134dd49e0

                      SHA256

                      e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                      SHA512

                      6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
                      Filesize

                      11.8MB

                      MD5

                      33bf7b0439480effb9fb212efce87b13

                      SHA1

                      cee50f2745edc6dc291887b6075ca64d716f495a

                      SHA256

                      8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                      SHA512

                      d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
                      Filesize

                      1KB

                      MD5

                      688bed3676d2104e7f17ae1cd2c59404

                      SHA1

                      952b2cdf783ac72fcb98338723e9afd38d47ad8e

                      SHA256

                      33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                      SHA512

                      7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
                      Filesize

                      1KB

                      MD5

                      937326fead5fd401f6cca9118bd9ade9

                      SHA1

                      4526a57d4ae14ed29b37632c72aef3c408189d91

                      SHA256

                      68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                      SHA512

                      b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs-1.js
                      Filesize

                      9KB

                      MD5

                      92e6c5852ccf70241a8a4c5f16303dad

                      SHA1

                      a474ff5a230ce0bd56cb3476fff73d249e919045

                      SHA256

                      5ffc7bbc4603ddbf2226fc054bdece3cc02516b01e6888fcbc1ddac2b63af5c6

                      SHA512

                      d9c78034d5cf6d91729520eaf864ae0c5a8c8468d9b6242bf06b24efb1e3e33a3c4b57e9e9624823122ac487150f64d44ae647757d8720bd4e9c0391c1219cfe

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs-1.js
                      Filesize

                      9KB

                      MD5

                      62ece33612c4f7c583740501398afc57

                      SHA1

                      8bb3a2c2b49a7f4003e4210afd21e75848e565b3

                      SHA256

                      4be52569d46718a468202c3d62021492e91d0011848d4878df4d8e38a902160a

                      SHA512

                      ce3b937ef075e57afebfd78d0798b72a1c785af56a73a861cbbac14fb6efd5d712a8f1e1fd0b0f441c845ed1a30110a26e89eac5abe3296a397936ca661c6953

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs-1.js
                      Filesize

                      6KB

                      MD5

                      dd1adb1d57eb7c8de52faa8fdab6ec47

                      SHA1

                      50acf859f7912bc36b2d3a109407ef00374b18e1

                      SHA256

                      ffefaa21960f3404f65f7712024f4ceae28e97fdf131bc5d720163842879e92d

                      SHA512

                      429ccbb09ee74b6ae9f4422f81640f45a84533f07784bd8d9a73709d9e7af0bfdfe79bfc0f6f9942b94f2d70e4ecffc3261e6cebb4cd91470c27586734605336

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs-1.js
                      Filesize

                      6KB

                      MD5

                      1c5794e6caa8eda35f9dbfb954b3d0de

                      SHA1

                      97656171e12b810a4561ed1b7b09bdf7d6516367

                      SHA256

                      a62c189d436cd02d582ea9c071d6bb0dfd6113480ab8172a91efdc4c60f53964

                      SHA512

                      af4352607299dbab8848cdb74481cb1f56393646bc4a6b9ab74dbd1cbbe7afa01717516bff2ae4e4eb794ec4dbb03b9b5b70f425d674e13f4652dd3cc22bf48c

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs.js
                      Filesize

                      6KB

                      MD5

                      b62a61750634cb68a8ba2e4683d47c36

                      SHA1

                      8715fcd837a899b936384087d75fbf14eff32c91

                      SHA256

                      13d2ad1f9dacff25158d846fa45914b69a475628cd0bbe3d3005eb7987a65f96

                      SHA512

                      e032313ce7e1e138a9b57c425c16d257784556076c55682bc57ffc322b610fbd84fa8f46d4b2682bd755f4c12585134cbf2aae2be5f7cf3007cf3d5afc48063d

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4
                      Filesize

                      1KB

                      MD5

                      25e557ae491d1d13ada8a1d4ea1f83b7

                      SHA1

                      87c9dfbe95dd11107ca4273db94727e2ebf92d80

                      SHA256

                      df902a42316eb0d88cf316830b249674b1836cddd44e2c4489079115e443c998

                      SHA512

                      7365500f4877445c7f785f4f55962755aeed5bcffb572c0c8d3594a81c54b24eae665169fe3287fb820a684ae662c82cc38fc3671db841194933442e7677c00b

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                      Filesize

                      7.9MB

                      MD5

                      906891215898da39c89a9cf5d8c77dcf

                      SHA1

                      5edb7114b286bd00b79efe149dc622d48a1b7ac9

                      SHA256

                      67fb461747e1161b45992c4653dfa82903de10b7f39f67426b89fcae01ad8940

                      SHA512

                      73fcb230ce5cf262d9a99c4b38b6ed48552ed538e842ef2cb25805fa513feded640f94cc20831c71e53f4b23659e30ad3669e2939d88849b18f0e9a270968240

                    • \??\c:\Users\Admin\AppData\Local\Temp\kavnnwqn\CSC94E1A5210F148918BDA587AA0C6FE48.TMP
                      Filesize

                      652B

                      MD5

                      2edf69de809a81e3506b92b21cf66b4e

                      SHA1

                      7c698e81207f14b2364d66b152cd89cb17d57cde

                      SHA256

                      266155af3a79ed830338e6edda019d2a80be0fa89542bed623a8372f9c413deb

                      SHA512

                      132e2c570eb738d1240b1197091e1ab00a7a350134cb07b35bf5b384e3253888b3f256a846ede863e6f438d8584e7672db8144d9eb02420a5f595ad8618c654f

                    • \??\c:\Users\Admin\AppData\Local\Temp\kavnnwqn\kavnnwqn.0.cs
                      Filesize

                      557B

                      MD5

                      7319070c34daa5f6f2ece2dfc07119ee

                      SHA1

                      f26a4a48518a5608e93c8b77368f588b0433973c

                      SHA256

                      b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

                      SHA512

                      34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

                    • \??\c:\Users\Admin\AppData\Local\Temp\kavnnwqn\kavnnwqn.cmdline
                      Filesize

                      369B

                      MD5

                      5993e1bf46f74999c2a6ed472b9412b6

                      SHA1

                      e92a9e212974028d619962b65334746696e9fe7a

                      SHA256

                      d274a31917a051b42465d9e64961f73b875a05f3cada0fc532e6c3d96afb0907

                      SHA512

                      dc964b05865ecefd2af326ca4f32b9d1ab64c8c6e4f51d2c631ee49ea03e1b8e9c8c529d44588f773214d2f44d221c93f2264c8bd6b5d31a5311ae065248fca6

                    • memory/628-45-0x00007FFE18600000-0x00007FFE18FEC000-memory.dmp
                      Filesize

                      9.9MB

                    • memory/628-46-0x00007FFE18600000-0x00007FFE18FEC000-memory.dmp
                      Filesize

                      9.9MB

                    • memory/628-37-0x000001FD59780000-0x000001FD59788000-memory.dmp
                      Filesize

                      32KB

                    • memory/628-2040-0x000001FD59920000-0x000001FD59921000-memory.dmp
                      Filesize

                      4KB

                    • memory/628-0-0x00007FFE18603000-0x00007FFE18604000-memory.dmp
                      Filesize

                      4KB

                    • memory/628-2043-0x00007FFE18600000-0x00007FFE18FEC000-memory.dmp
                      Filesize

                      9.9MB

                    • memory/628-10-0x00007FFE18600000-0x00007FFE18FEC000-memory.dmp
                      Filesize

                      9.9MB

                    • memory/628-8-0x00007FFE18600000-0x00007FFE18FEC000-memory.dmp
                      Filesize

                      9.9MB

                    • memory/628-2044-0x00007FFE18603000-0x00007FFE18604000-memory.dmp
                      Filesize

                      4KB

                    • memory/628-9-0x000001FD597A0000-0x000001FD59816000-memory.dmp
                      Filesize

                      472KB

                    • memory/628-5-0x000001FD594D0000-0x000001FD594F2000-memory.dmp
                      Filesize

                      136KB