hxxps://www[.]mediafire[.]com/file/o0bphm5gfjon6cn/Z6jTK6Nibk[.]exe/file

Analysis

max time kernel
89s
max time network
90s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
18-06-2024 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/o0bphm5gfjon6cn/Z6jTK6Nibk.exe/file

Score

5^/10

persistence privilege_escalation

Malware Config

Signatures

Drops file in System32 directory 5 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SRU\SRUDB.dat	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.jfm	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUtmp.log	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.chk	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.log	svchost.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

LogonUI.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133631802004666497"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "237"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

chrome.exemsedge.exemsedge.exeidentity_helper.exesdiagnhost.exesvchost.exe

pid	process
1464	chrome.exe
1464	chrome.exe
6640	msedge.exe
6640	msedge.exe
6404	msedge.exe
6404	msedge.exe
1496	identity_helper.exe
1496	identity_helper.exe
3700	sdiagnhost.exe
3700	sdiagnhost.exe
6892	svchost.exe
6892	svchost.exe

Suspicious behavior: LoadsDriver 14 IoCs

Processes:

pid

4
4
4
4
4
660
4
4
4
4
4
4
4
4

pid
4
4
4
4
4
660
4
4
4
4
4
4
4
4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

chrome.exemsedge.exe

pid	process
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
1464	chrome.exe
6404	msedge.exe
1464	chrome.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

firefox.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	2580	firefox.exe
Token: SeDebugPrivilege	2580	firefox.exe
Token: SeShutdownPrivilege	1464	chrome.exe
Token: SeCreatePagefilePrivilege	1464	chrome.exe
Token: SeShutdownPrivilege	1464	chrome.exe
Token: SeCreatePagefilePrivilege	1464	chrome.exe
Token: SeShutdownPrivilege	1464	chrome.exe
Token: SeCreatePagefilePrivilege	1464	chrome.exe
Token: SeShutdownPrivilege	1464	chrome.exe
Token: SeCreatePagefilePrivilege	1464	chrome.exe
Token: SeShutdownPrivilege	1464	chrome.exe
Token: SeCreatePagefilePrivilege	1464	chrome.exe
Token: SeShutdownPrivilege	1464	chrome.exe
Token: SeCreatePagefilePrivilege	1464	chrome.exe
Token: SeShutdownPrivilege	1464	chrome.exe
Token: SeCreatePagefilePrivilege	1464	chrome.exe
Token: SeShutdownPrivilege	1464	chrome.exe
Token: SeCreatePagefilePrivilege	1464	chrome.exe
Token: SeShutdownPrivilege	1464	chrome.exe
Token: SeCreatePagefilePrivilege	1464	chrome.exe
Token: SeShutdownPrivilege	1464	chrome.exe
Token: SeCreatePagefilePrivilege	1464	chrome.exe
Token: SeShutdownPrivilege	1464	chrome.exe
Token: SeCreatePagefilePrivilege	1464	chrome.exe
Token: SeShutdownPrivilege	1464	chrome.exe
Token: SeCreatePagefilePrivilege	1464	chrome.exe
Token: SeShutdownPrivilege	1464	chrome.exe
Token: SeCreatePagefilePrivilege	1464	chrome.exe
Token: SeShutdownPrivilege	1464	chrome.exe
Token: SeCreatePagefilePrivilege	1464	chrome.exe
Token: SeShutdownPrivilege	1464	chrome.exe
Token: SeCreatePagefilePrivilege	1464	chrome.exe
Token: SeShutdownPrivilege	1464	chrome.exe
Token: SeCreatePagefilePrivilege	1464	chrome.exe
Token: SeShutdownPrivilege	1464	chrome.exe
Token: SeCreatePagefilePrivilege	1464	chrome.exe
Token: SeShutdownPrivilege	1464	chrome.exe
Token: SeCreatePagefilePrivilege	1464	chrome.exe
Token: SeShutdownPrivilege	1464	chrome.exe
Token: SeCreatePagefilePrivilege	1464	chrome.exe
Token: SeShutdownPrivilege	1464	chrome.exe
Token: SeCreatePagefilePrivilege	1464	chrome.exe
Token: SeShutdownPrivilege	1464	chrome.exe
Token: SeCreatePagefilePrivilege	1464	chrome.exe
Token: SeShutdownPrivilege	1464	chrome.exe
Token: SeCreatePagefilePrivilege	1464	chrome.exe
Token: SeShutdownPrivilege	1464	chrome.exe
Token: SeCreatePagefilePrivilege	1464	chrome.exe
Token: SeShutdownPrivilege	1464	chrome.exe
Token: SeCreatePagefilePrivilege	1464	chrome.exe
Token: SeShutdownPrivilege	1464	chrome.exe
Token: SeCreatePagefilePrivilege	1464	chrome.exe
Token: SeShutdownPrivilege	1464	chrome.exe
Token: SeCreatePagefilePrivilege	1464	chrome.exe
Token: SeShutdownPrivilege	1464	chrome.exe
Token: SeCreatePagefilePrivilege	1464	chrome.exe
Token: SeShutdownPrivilege	1464	chrome.exe
Token: SeCreatePagefilePrivilege	1464	chrome.exe
Token: SeShutdownPrivilege	1464	chrome.exe
Token: SeCreatePagefilePrivilege	1464	chrome.exe
Token: SeShutdownPrivilege	1464	chrome.exe
Token: SeCreatePagefilePrivilege	1464	chrome.exe
Token: SeShutdownPrivilege	1464	chrome.exe
Token: SeCreatePagefilePrivilege	1464	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

firefox.exechrome.exemsedge.exe

pid	process
2580	firefox.exe
2580	firefox.exe
2580	firefox.exe
2580	firefox.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
1464	chrome.exe

Suspicious use of SendNotifyMessage 59 IoCs

Processes:

firefox.exechrome.exemsedge.exe

pid	process
2580	firefox.exe
2580	firefox.exe
2580	firefox.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe
6404	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

firefox.exeLogonUI.exe

pid process

2580 firefox.exe
940 LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4020 wrote to memory of 2580	4020	firefox.exe	firefox.exe
PID 4020 wrote to memory of 2580	4020	firefox.exe	firefox.exe
PID 4020 wrote to memory of 2580	4020	firefox.exe	firefox.exe
PID 4020 wrote to memory of 2580	4020	firefox.exe	firefox.exe
PID 4020 wrote to memory of 2580	4020	firefox.exe	firefox.exe
PID 4020 wrote to memory of 2580	4020	firefox.exe	firefox.exe
PID 4020 wrote to memory of 2580	4020	firefox.exe	firefox.exe
PID 4020 wrote to memory of 2580	4020	firefox.exe	firefox.exe
PID 4020 wrote to memory of 2580	4020	firefox.exe	firefox.exe
PID 4020 wrote to memory of 2580	4020	firefox.exe	firefox.exe
PID 4020 wrote to memory of 2580	4020	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 4244	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 684	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 684	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 684	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 684	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 684	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 684	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 684	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 684	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 684	2580	firefox.exe	firefox.exe
PID 2580 wrote to memory of 684	2580	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.mediafire.com/file/o0bphm5gfjon6cn/Z6jTK6Nibk.exe/file"
1⤵
- Suspicious use of WriteProcessMemory
PID:4020

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://www.mediafire.com/file/o0bphm5gfjon6cn/Z6jTK6Nibk.exe/file
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2580

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2580.0.1519122016\1627769110" -parentBuildID 20230214051806 -prefsHandle 1736 -prefMapHandle 1728 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ccca9ae2-4273-4a4d-a256-82ba8f8d3b79} 2580 "\\.\pipe\gecko-crash-server-pipe.2580" 1828 2b75420da58 gpu
3⤵
PID:4244

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2580.1.2069439472\2113736007" -parentBuildID 20230214051806 -prefsHandle 2436 -prefMapHandle 2424 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd0882fc-363f-4878-8fd7-cadb8ccae96a} 2580 "\\.\pipe\gecko-crash-server-pipe.2580" 2464 2b73fe89958 socket
3⤵
- Checks processor information in registry
PID:684

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2580.2.1131464087\538720824" -childID 1 -isForBrowser -prefsHandle 2976 -prefMapHandle 2972 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5b7e0b3-8b3f-49d2-bcda-220f6d938470} 2580 "\\.\pipe\gecko-crash-server-pipe.2580" 2988 2b75703ec58 tab
3⤵
PID:392

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2580.3.921722360\192149118" -childID 2 -isForBrowser -prefsHandle 3656 -prefMapHandle 3652 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43e07fc0-d2a4-470c-837b-b792a7f6da41} 2580 "\\.\pipe\gecko-crash-server-pipe.2580" 3668 2b73fe7a558 tab
3⤵
PID:1196

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2580.4.1458892310\1062032787" -childID 3 -isForBrowser -prefsHandle 5056 -prefMapHandle 5052 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de093476-374d-4080-a1e1-750b48258a99} 2580 "\\.\pipe\gecko-crash-server-pipe.2580" 5016 2b75a5c8858 tab
3⤵
PID:3712

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2580.5.733957402\1681580298" -childID 4 -isForBrowser -prefsHandle 5168 -prefMapHandle 5172 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ede0c9f-90a1-4f86-9fcc-ed3ad53572f8} 2580 "\\.\pipe\gecko-crash-server-pipe.2580" 5156 2b75a5cbb58 tab
3⤵
PID:4364

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2580.6.520142917\2063703592" -childID 5 -isForBrowser -prefsHandle 5360 -prefMapHandle 5364 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {260ce25f-3fd3-4061-b292-1aabe3d72a56} 2580 "\\.\pipe\gecko-crash-server-pipe.2580" 5348 2b75a5cb258 tab
3⤵
PID:3264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffc3ee7ab58,0x7ffc3ee7ab68,0x7ffc3ee7ab78
2⤵
PID:2336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1920,i,16865411795330216644,18187716252412740456,131072 /prefetch:2
2⤵
PID:3940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1544 --field-trial-handle=1920,i,16865411795330216644,18187716252412740456,131072 /prefetch:8
2⤵
PID:3080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2284 --field-trial-handle=1920,i,16865411795330216644,18187716252412740456,131072 /prefetch:8
2⤵
PID:1112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3020 --field-trial-handle=1920,i,16865411795330216644,18187716252412740456,131072 /prefetch:1
2⤵
PID:4488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1920,i,16865411795330216644,18187716252412740456,131072 /prefetch:1
2⤵
PID:2924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4324 --field-trial-handle=1920,i,16865411795330216644,18187716252412740456,131072 /prefetch:1
2⤵
PID:2360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4868 --field-trial-handle=1920,i,16865411795330216644,18187716252412740456,131072 /prefetch:1
2⤵
PID:6176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1920,i,16865411795330216644,18187716252412740456,131072 /prefetch:8
2⤵
PID:6252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 --field-trial-handle=1920,i,16865411795330216644,18187716252412740456,131072 /prefetch:8
2⤵
PID:6260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 --field-trial-handle=1920,i,16865411795330216644,18187716252412740456,131072 /prefetch:8
2⤵
PID:6492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 --field-trial-handle=1920,i,16865411795330216644,18187716252412740456,131072 /prefetch:8
2⤵
PID:6876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4900 --field-trial-handle=1920,i,16865411795330216644,18187716252412740456,131072 /prefetch:1
2⤵
PID:5748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4512 --field-trial-handle=1920,i,16865411795330216644,18187716252412740456,131072 /prefetch:1
2⤵
PID:3436

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:2404

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7f30eae48,0x7ff7f30eae58,0x7ff7f30eae68
3⤵
PID:2528

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc3ab046f8,0x7ffc3ab04708,0x7ffc3ab04718
2⤵
PID:6420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,4121452578421250714,14335009145032975430,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
2⤵
PID:6620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,4121452578421250714,14335009145032975430,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,4121452578421250714,14335009145032975430,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
2⤵
PID:6752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4121452578421250714,14335009145032975430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
2⤵
PID:6892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4121452578421250714,14335009145032975430,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
2⤵
PID:6900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4121452578421250714,14335009145032975430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4332 /prefetch:1
2⤵
PID:5956

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,4121452578421250714,14335009145032975430,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
2⤵
PID:4052

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,4121452578421250714,14335009145032975430,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4121452578421250714,14335009145032975430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4436 /prefetch:1
2⤵
PID:6504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4121452578421250714,14335009145032975430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
2⤵
PID:6372

C:\Windows\system32\msdt.exe
-modal "262748" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDF1F4B.tmp" -ep "NetworkDiagnosticsWeb"
2⤵
PID:4736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4121452578421250714,14335009145032975430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
2⤵
PID:2924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4121452578421250714,14335009145032975430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2064 /prefetch:1
2⤵
PID:6180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7056

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3700

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3464

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:6892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
1⤵
PID:6888

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\winethc.dll",ForceProxyDetectionOnNextRun
2⤵
PID:4544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:6872

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39ae055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:940

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024061810.000\NetworkDiagnostics.debugreport.xml
Filesize
73KB

MD5
6128d92e35f64792316578b384154699

SHA1
36260a225a59e5a05b6f85794b0b3b8819edd03f

SHA256
ac4255796fea74f554f0892301437cc863b72965ada84a394510055c6044f85c

SHA512
ebd21fd365082df85ce138f1345ded8cf4c85f09aa8a568fb0d576dd8b27fda9f25644b4e7cb81a341c1a259c5b844547f1e4a7aa8b468bedb9b15554028a221

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024061810.000\ResultReport.xml
Filesize
36KB

MD5
74b058129a0b5bf5716c9e1591a25a10

SHA1
3dddc35d4f7d99fcbb23e4ac53dbdf004fc0a437

SHA256
feba23dbd3eec74f005f0b751b29fa74415adf551ef23422f34caa9baa678715

SHA512
f7c965398965d0d36b0f221b771468586decf8eaa1357fd2ecefdf832d5ae922f3355c53da545858ede05ba04ed54ef207d9ac5df78368a9dc7e9be5d266836a

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024061810.000\results.xsl
Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
811B

MD5
f82d9f02cca5b4d0b983ed66514c5b5a

SHA1
8e76899847622ad00117fd286c5e23e961635883

SHA256
8130d95f171b79f079a8b4ae96e26aa924652e3e9d72782c219da3c40252bcb5

SHA512
7023184b457a4d89d2677643dd2f327724a8321593123b16c6d66166fabc1ee126b2dcbb73542622d24476dfbe032aa958b3736f26d43353b19ddbe9475d968d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
0f671b1b93bcfcf1d972d151464e3744

SHA1
93eb158a1f932d9d1f986d9fdf8ac1e7e0702a01

SHA256
801687d89ff63cb89d2103d30819ff9aa05b31832ddd7d3f9202af19b14ac861

SHA512
b9a4f3b06d3a1e8b36cacb40486bfd0a40d37e82ebd751ba9088c967acb914a19ecad4c60ee728b648dc940e65b5432ef47baed82f0398890cdb1632629a1557

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
0a6d9d4140717dce32fc8127b069c485

SHA1
dc7ea0a36927ee615c544eb054d7cd96379b0e51

SHA256
5066d0182fd2d92b00a0142a26278ed0b30a4297afb9393b7c8a4975373d60d5

SHA512
d8e0a1d12fe58a7e573b635bf1ebfc4a833856ca9b064c7da14b36794cf18dee20eb185d30320ded137b793d826af226b93464e4f1a65a5cf71c89cd359122b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
823c984055b07f0540fa6da3e2fdb72e

SHA1
a87ce421fed271359216fb3b0c91f91714356732

SHA256
b81327f1d7e4126025590eb8a4331e5aca0679bad336b85195adc7a31479ba95

SHA512
44cd1501d67f163b1d9c51afce7cdc5f494edd2de60ca48fe6d7013cf042c2ce0eb69c60e56f4d7b65fd992d3497e859b30b2faa03fcd32f0fcd85eee96b0c5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
30464a505a5b5d50400df0b42eb9abcb

SHA1
a1ad72153e0745366e23c7d8ef3dd764e943ff3f

SHA256
7008af058c266ebf03377642c822ba3c816f09c14327260a2f7c448f6f3b83b3

SHA512
b384b89fd2d423e852bc2bb6b585fad09d490cec96d055f2a412dd0a517dfc71c431ed7b63187db4ea2903035cc93fb8cc4fb36333c56facca05854ca15acf88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
e222edee17394544d6ec84b0cb0f1816

SHA1
eb0a32a60e6d4d3078146756bfba963b9a91d7c8

SHA256
ff42c1af693355948482ff1eb087d468cb03a4531ead3791b5be6b5bbc9939ed

SHA512
92dd8141007075180c00d4d00f4825336dac2a20863d0667b6a5b9dea65e82666da94fe9b3db49841f2830766986e18f6546ac765a26068d97caa5c9855086a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize
264KB

MD5
eeb1948df96945cf234a7e8f66a9bdcb

SHA1
006346a5edc66faaafb67bc998d88072be9cfebe

SHA256
a91e7b8d0b72c46cfb399e53ceedf11fc3e55e3303057fee3ca410ba8a53b666

SHA512
4addaebbb00d0a3133b5eae68875076668809a15746c92ac24611a80367c4c14e382d70a05097de13f31857c024326b4cde57e84dede01ea1f78298f26d2d3a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
612a6c4247ef652299b376221c984213

SHA1
d306f3b16bde39708aa862aee372345feb559750

SHA256
9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

SHA512
34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
56641592f6e69f5f5fb06f2319384490

SHA1
6a86be42e2c6d26b7830ad9f4e2627995fd91069

SHA256
02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

SHA512
c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
a9175396ecf29a69a08df96845a99182

SHA1
e5c182061cb7a8e974a4cbba4183e245d2c1056f

SHA256
231f9c51b9ebb655fa208e52a6f6d96b4909129cbaea508f88fac5fd1d5a0b92

SHA512
bbbb7bbd653c751da4fd19252a3b116db18b097993103702c0e465ca68e1c07562b1a777ffad50327586ea201f3980cadcfd6e7cc5e62b2aff6749d4bd8136ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
2a84fb0bf6f01424c6081376fcb11c41

SHA1
0fd4a38943bf2a08426a76c9bead215d1c5061f3

SHA256
f669c6d0d76353fb8a54dc6472a3215b7c96b3dde2cd6dd91528e8b7d6b9b264

SHA512
2c2af6a2b366bb15b59a83658fc8decf746a8b42749a2d03390afd6461aecd558e8d7b31373cd68fc1c8d696c6dea725a825f3a3b7e0c9e469daaca7b03b6333

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
e1afae71978733d0dcdbbae5daddb039

SHA1
0cb7a7e59e20acabbfe449c3539ccc9e53631e14

SHA256
15331ae19c84e4ec786700030fd745ea93d4a2a5b08e80d0b9da79efc3380aad

SHA512
cfee37105ba1372352e892c7beb7743fb36fe848aae7968693294d491a6dfee81216f39ac132f7cdee954ce2e0a33f74d88558c5b25d4f8c22a931815364ad4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
e5071d29f8ffff2473224afdf4346c56

SHA1
54f6aaf5deaf47c811a2ad3baa1238b6feb1b548

SHA256
68ebd4cde05b99e77e9fc6b29edc7e196249b5cf7b33b256d6ef3182dad00cec

SHA512
18305b590e0ea057f78689699aceb9551bd4e142d7c9d6cde34f57410344e4b01e2154b0e95745541d63650e9f13a1d43d8bd67e378a5d721d2681745574c9bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
048ffed3ce00ea511d6eac8e5d1a646e

SHA1
f1f6d175e4f367e71b242593d932c2efc24b68a1

SHA256
5a57268443faac80a53ec0f4c6b01da48f916c323da351d9cfaa8ebc8e83220b

SHA512
21ef06d019a597639f8a5f60d7929590d03d9df69e0ce1da5b94bfc75b1111e623c2288cad333012e91ca1d4b96af94b4865a412516eb8486e860f3f0d9cba95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
5ae96a2157da6e50b306d136ac1c46b7

SHA1
0fbfa40068dea21d7ec4c983979b99413b2bdd24

SHA256
6d653d10a76be83478616d53bb99d356415fc4f1b7a6b4675774e8b02ea86147

SHA512
74e5df88861e65138cd5baf07697f936173b9297d8040bac66c64ef1e25aa6c04d2eb3dd797ad981998f2014e48dbefa323672d946b3e908631b0ee1a8ad9732

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\e6zhegwu.default-release\activity-stream.discovery_stream.json.tmp
Filesize
23KB

MD5
7ceef9a3c7142f23fe38755539f93653

SHA1
57a4fcf3fb72285f5ad26b7d1084cb4f0a291b76

SHA256
7ad486435457a7df0c90724b0663ddeabcc0616f4375cd5a07b23dd1af257ed4

SHA512
d2d0dc172b021fe3b7f007d56c4b048a341742b12dbfe928ad3a804fa3b2e731b6878e1d0ab2c498a16e65a13f65fd87d1fadd970928bc302c5e1841cf14e8de

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDF1F4B.tmp
Filesize
3KB

MD5
b6dd26ced2824a0708086d79b5da1874

SHA1
125263415bf1519b9b762518e873b61951895064

SHA256
029e5a8a36d39f4971add209634447ed043f1d5e22ac48724bd52b7c2bad8a64

SHA512
fb36d5fe4a6b09c2a3f8e2652720cd9307188245460ba936327f4944e119fcc4ec95ed2a5284e8651e08d91fc9ca307e91a995414c7c797c722ce153f2c47fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j10hl000.rvw.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\prefs-1.js
Filesize
7KB

MD5
40e8cc28efe5a7f12154587a88fa7a5c

SHA1
fb43fd2687082ee9a57f401e3555f030ce55a1ca

SHA256
6468a36b2b1eded813b399b5e6845b642ead2c71ea6298ff38625587ff764b21

SHA512
5cd11b605cbe652475427a5722c15b31f25817dfb2ce03e7e0eb9d3be2769a478ee3465a07d23d490eb41b785ad88aea03daaa481d62ae42540dfd41ffc24727

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\prefs-1.js
Filesize
7KB

MD5
605302f22747537fe08a03e107786a68

SHA1
5a3652bfa514c932ad60e5a4ce5ea6d6b3c8ba84

SHA256
3e4b022842e852d7c47559a82dcaa19b60164d1e25ef2cc92bb4abe4d66bc36f

SHA512
1aa9a9da707bba4e6e4c9f94503b171164b7ac1f3f2908cb3c545d9de9d9db6cced423fad197197958c9d2e4056f1f19a0b15aa93b4ea4dad2f90bc79931c718

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\prefs.js
Filesize
6KB

MD5
d7b41af96fecb56a15717fcafea78118

SHA1
771b305de327bd2a18a4a61420b0ebe110ff3e6d

SHA256
bf081693c1633b980a02a45a7ffcc175e866890a9b7924af3f3595798e4cb5cf

SHA512
2042b4f1a1e53e6112da6030d9843ced2da500c5026732b9a100d69235d0eeb40e8895ea8f46f1ad95826a6c0f6b3421b59c81fcc0c33eae500ac93a00693884

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\sessionCheckpoints.json.tmp
Filesize
259B

MD5
700fe59d2eb10b8cd28525fcc46bc0cc

SHA1
339badf0e1eba5332bff317d7cf8a41d5860390d

SHA256
4f5d849bdf4a5eeeb5da8836589e064e31c8e94129d4e55b1c69a6f98fb9f9ea

SHA512
3fa1b3fd4277d5900140e013b1035cb4c72065afcc6b6a8595b43101cfe7d09e75554a877e4a01bb80b0d7a58cdcfe553c4a9ef308c5695c5e77cb0ea99bada4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1017B

MD5
a1e81369ad497e74b654467d500b8105

SHA1
e7ae97c01234a3651d8019c013c2a3ec6993462f

SHA256
35fe65ae41f335904cb27f8e81218539ce4bdaa9dfcbcc99494ce84861afb766

SHA512
011c8bfa00b684889ecb9c0673dcaeb6e90293faa49e362f1d96f9c4bd069c09ec5458b580bd367b28dd4af288a9f47fde96f8bc422a2e2dc55b063a9f4a586e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\sessionstore.jsonlz4
Filesize
876B

MD5
8a185f5a40a46d2ad72c71defa13f4bb

SHA1
36939657087f6bdd981432396587b09fb2f2140c

SHA256
61bb1463a4ccf997f065b0b5993b357c3295bcac492cc1fecc211a13d3bca1f4

SHA512
6d1adb633cb14a46cdb53f73831277be3ac0fa191c9ff614d19e2b2b23fe51068746457fb8d0bc82620403e982a8ffea55948e2b3a017751d11dc1c7417bd14f

Download Submit
C:\Windows\TEMP\SDIAG_ffeed7b9-e621-47d0-a934-0cddea2d4b90\NetworkDiagnosticsTroubleshoot.ps1
Filesize
25KB

MD5
d0cfc204ca3968b891f7ce0dccfb2eda

SHA1
56dad1716554d8dc573d0ea391f808e7857b2206

SHA256
e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a

SHA512
4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c

Download Submit
C:\Windows\TEMP\SDIAG_ffeed7b9-e621-47d0-a934-0cddea2d4b90\StartDPSService.ps1
Filesize
567B

MD5
a660422059d953c6d681b53a6977100e

SHA1
0c95dd05514d062354c0eecc9ae8d437123305bb

SHA256
d19677234127c38a52aec23686775a8eb3f4e3a406f4a11804d97602d6c31813

SHA512
26f8cf9ac95ff649ecc2ed349bc6c7c3a04b188594d5c3289af8f2768ab59672bc95ffefcc83ed3ffa44edd0afeb16a4c2490e633a89fce7965843674d94b523

Download Submit
C:\Windows\TEMP\SDIAG_ffeed7b9-e621-47d0-a934-0cddea2d4b90\UtilityFunctions.ps1
Filesize
53KB

MD5
c912faa190464ce7dec867464c35a8dc

SHA1
d1c6482dad37720db6bdc594c4757914d1b1dd70

SHA256
3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

SHA512
5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

Download Submit
C:\Windows\TEMP\SDIAG_ffeed7b9-e621-47d0-a934-0cddea2d4b90\UtilitySetConstants.ps1
Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_ffeed7b9-e621-47d0-a934-0cddea2d4b90\en-US\LocalizationData.psd1
Filesize
5KB

MD5
380768979618b7097b0476179ec494ed

SHA1
af2a03a17c546e4eeb896b230e4f2a52720545ab

SHA256
0637af30fc3b3544b1f516f6196a8f821ffbfa5d36d65a8798aeeadbf2e8a7c2

SHA512
b9ef59e9bfdbd49052a4e754ead8cd54b77e79cc428e7aee2b80055ff5f0b038584af519bd2d66258cf3c01f8cc71384f6959ee32111eac4399c47e1c2352302

Download Submit
C:\Windows\Temp\SDIAG_ffeed7b9-e621-47d0-a934-0cddea2d4b90\DiagPackage.dll
Filesize
478KB

MD5
580dc3658fa3fe42c41c99c52a9ce6b0

SHA1
3c4be12c6e3679a6c2267f88363bbd0e6e00cac5

SHA256
5b7aa413e4a64679c550c77e6599a1c940ee947cbdf77d310e142a07a237aad2

SHA512
68c52cd7b762b8f5d2f546092ed9c4316924fa04bd3ab748ab99541a8b4e7d9aec70acf5c9594d1457ad3a2f207d0c189ec58421d4352ddbc7eae453324d13f2

Download Submit
C:\Windows\Temp\SDIAG_ffeed7b9-e621-47d0-a934-0cddea2d4b90\en-US\DiagPackage.dll.mui
Filesize
17KB

MD5
44c4385447d4fa46b407fc47c8a467d0

SHA1
41e4e0e83b74943f5c41648f263b832419c05256

SHA256
8be175e8fbdae0dade54830fece6c6980d1345dbeb4a06c07f7efdb1152743f4

SHA512
191cd534e85323a4cd9649a1fc372312ed4a600f6252dffc4435793650f9dd40d0c0e615ba5eb9aa437a58af334146aac7c0ba08e0a1bf24ec4837a40f966005

Download Submit
\??\pipe\crashpad_1464_DDPFAKRSURRWQFHE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3700-739-0x0000015FE05D0000-0x0000015FE05F2000-memory.dmp

Filesize
136KB

Download
memory/6892-916-0x00000227EBF50000-0x00000227EBF51000-memory.dmp

Filesize
4KB

Download
memory/6892-758-0x00000227EBB60000-0x00000227EBB70000-memory.dmp

Filesize
64KB

Download
memory/6892-762-0x00000227EBBA0000-0x00000227EBBB0000-memory.dmp

Filesize
64KB

Download
memory/6892-766-0x00000227F1660000-0x00000227F1661000-memory.dmp

Filesize
4KB

Download
memory/6892-917-0x00000227EBF50000-0x00000227EBF51000-memory.dmp

Filesize
4KB

Download
memory/6892-918-0x00000227EBFC0000-0x00000227EBFC1000-memory.dmp

Filesize
4KB

Download
memory/6892-919-0x00000227EBE40000-0x00000227EBE41000-memory.dmp

Filesize
4KB

Download
memory/6892-921-0x00000227EB3D0000-0x00000227EB3D1000-memory.dmp

Filesize
4KB

Download
memory/6892-924-0x00000227EB3C0000-0x00000227EB3C1000-memory.dmp

Filesize
4KB

Download
memory/6892-923-0x00000227EB3D0000-0x00000227EB3D1000-memory.dmp

Filesize
4KB

Download
memory/6892-926-0x00000227EB3C0000-0x00000227EB3C1000-memory.dmp

Filesize
4KB

Download
memory/6892-929-0x00000227F15B0000-0x00000227F15B1000-memory.dmp

Filesize
4KB

Download