babuk | 3491a946bea7d927d02ae2a28b1001f40a3058f9ec98266f3dc34d472b746a17

Analysis

max time kernel
127s
max time network
125s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
24-07-2024 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
Size

31KB
MD5

dd7f88a68a76acc0be9eb0515d54a82a
SHA1

ca205a28b8dbd74c60fdeaf522804d5a2a45dd0b
SHA256

30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8
SHA512

8e99c1d3291dacaf13c7aff75549d50484b593022bdb82cb3ecffd58f0bbf1dd1ae4deeb09f072d4c3f1b8918a0bc785a397143863466975dad950e115db5af6
SSDEEP

768:73QN4DGrqBLP977YowZe478mR26fgjVyBm8Je7tFv/7iJFzMWe:7gdoT93DaRXf5B+tFcJe

Score

10^/10

babuk credential_access defense_evasion discovery execution impact ransomware stealer

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Boot\da-DK\How To Restore Your Files.txt

Ransom Note

----------- [ Hello, WIGGINS-AIR ] -------------> ****BY BABUK LOCKER**** What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted from your network and copied. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - a universal decoder. This program will restore your entire network. Follow our instructions below and you will recover all your data. If you continue to ignore this for a long time, we will start reporting the hack to mainstream media and posting your data to the dark web. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. What information compromised? ---------------------------------------------- We copied more than 10 gb from your internal network, here are some proofs, for additional confirmations, please chat with us In cases of ignoring us, the information will be released to the public. https://i.imgur.com/RzYzVnY.png https://i.imgur.com/kJzIOqn.png https://i.imgur.com/bFdNbyO.png How to contact us? ---------------------------------------------- Using TOR Browser ( https://www.torproject.org/download/ ): Char url: http://babukq4e2p4wu4iq.onion/login.php?id=0KflFXBAmSHtJrtKWtOPzxZmhJATon !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!

URLs

https://i.imgur.com/RzYzVnY.png

https://i.imgur.com/kJzIOqn.png

https://i.imgur.com/bFdNbyO.png

http://babukq4e2p4wu4iq.onion/login.php?id=0KflFXBAmSHtJrtKWtOPzxZmhJATon

Signatures

Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
ransomware babuk
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (1405) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

Processes:

30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\How To Restore Your Files.txt	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe

description	ioc	Process
File opened (read-only)	\??\K:	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
File opened (read-only)	\??\X:	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
File opened (read-only)	\??\V:	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
File opened (read-only)	\??\W:	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
File opened (read-only)	\??\U:	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
File opened (read-only)	\??\A:	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
File opened (read-only)	\??\H:	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
File opened (read-only)	\??\J:	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
File opened (read-only)	\??\E:	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
File opened (read-only)	\??\Y:	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
File opened (read-only)	\??\L:	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
File opened (read-only)	\??\N:	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
File opened (read-only)	\??\M:	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
File opened (read-only)	\??\I:	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
File opened (read-only)	\??\O:	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
File opened (read-only)	\??\S:	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
File opened (read-only)	\??\Z:	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
File opened (read-only)	\??\B:	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
File opened (read-only)	\??\Q:	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
File opened (read-only)	\??\R:	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
File opened (read-only)	\??\T:	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
File opened (read-only)	\??\P:	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
File opened (read-only)	\??\G:	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe

Drops file in Windows directory 2 IoCs

Processes:

taskmgr.exe

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

Processes:

vssadmin.exevssadmin.exe

pid	Process
4524	vssadmin.exe
1604	vssadmin.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe

pid	Process
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid	Process
4740	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

vssvc.exetaskmgr.exefirefox.exe

description	pid	Process
Token: SeBackupPrivilege	2692	vssvc.exe
Token: SeRestorePrivilege	2692	vssvc.exe
Token: SeAuditPrivilege	2692	vssvc.exe
Token: SeDebugPrivilege	4740	taskmgr.exe
Token: SeSystemProfilePrivilege	4740	taskmgr.exe
Token: SeCreateGlobalPrivilege	4740	taskmgr.exe
Token: SeDebugPrivilege	4400	firefox.exe
Token: SeDebugPrivilege	4400	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	Process
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	Process
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

firefox.exe

pid	Process
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.execmd.execmd.exefirefox.exefirefox.exe

description	pid	Process	procid_target
PID 3516 wrote to memory of 168	3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe	73
PID 3516 wrote to memory of 168	3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe	73
PID 168 wrote to memory of 4524	168	cmd.exe	75
PID 168 wrote to memory of 4524	168	cmd.exe	75
PID 3516 wrote to memory of 700	3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe	84
PID 3516 wrote to memory of 700	3516	30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe	84
PID 700 wrote to memory of 1604	700	cmd.exe	86
PID 700 wrote to memory of 1604	700	cmd.exe	86
PID 3360 wrote to memory of 4400	3360	firefox.exe	90
PID 3360 wrote to memory of 4400	3360	firefox.exe	90
PID 3360 wrote to memory of 4400	3360	firefox.exe	90
PID 3360 wrote to memory of 4400	3360	firefox.exe	90
PID 3360 wrote to memory of 4400	3360	firefox.exe	90
PID 3360 wrote to memory of 4400	3360	firefox.exe	90
PID 3360 wrote to memory of 4400	3360	firefox.exe	90
PID 3360 wrote to memory of 4400	3360	firefox.exe	90
PID 3360 wrote to memory of 4400	3360	firefox.exe	90
PID 3360 wrote to memory of 4400	3360	firefox.exe	90
PID 3360 wrote to memory of 4400	3360	firefox.exe	90
PID 4400 wrote to memory of 1384	4400	firefox.exe	91
PID 4400 wrote to memory of 1384	4400	firefox.exe	91
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92
PID 4400 wrote to memory of 3924	4400	firefox.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
"C:\Users\Admin\AppData\Local\Temp\30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe"
1⤵
- Drops startup file
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:168
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4524
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:700
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1604

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4740

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\How To Restore Your Files.txt
1⤵
PID:3680

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3360
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.0.746049787\1362833406" -parentBuildID 20221007134813 -prefsHandle 1720 -prefMapHandle 1688 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6913119f-8fee-4f37-b294-97fde1192115} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 1812 20d7f6b2e58 gpu
    3⤵
    PID:1384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.1.470758210\1972521684" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {229436f0-0054-457f-bc57-d73d5c29306c} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 2168 20d7c06fb58 socket
    3⤵
    - Checks processor information in registry
    PID:3924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.2.321195702\1101448515" -childID 1 -isForBrowser -prefsHandle 2752 -prefMapHandle 2852 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e60e16db-8b81-411c-a8fd-d2f3fdfdb096} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 2856 20d0b3a0458 tab
    3⤵
    PID:1900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.3.1039188971\253746285" -childID 2 -isForBrowser -prefsHandle 3448 -prefMapHandle 3440 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8379c91-3d98-4f32-81f6-c606a2707018} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 3468 20d0b93bd58 tab
    3⤵
    PID:3848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.4.13290909\1983670767" -childID 3 -isForBrowser -prefsHandle 4336 -prefMapHandle 4332 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {97baed6f-c943-465f-b152-cf47268d1023} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 4348 20d0d0da958 tab
    3⤵
    PID:3684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.5.168808167\2008343560" -childID 4 -isForBrowser -prefsHandle 4820 -prefMapHandle 4772 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {76c074db-b19a-4ee9-96c7-c0c5ec5f3733} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 4828 20d0b99a158 tab
    3⤵
    PID:984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.6.328168418\1123393117" -childID 5 -isForBrowser -prefsHandle 4964 -prefMapHandle 4968 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0d60b87-e0a7-4212-8596-1ab24bff1384} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 4956 20d0d3c4358 tab
    3⤵
    PID:2052
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.7.378015120\1058533004" -childID 6 -isForBrowser -prefsHandle 5164 -prefMapHandle 5168 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {94b16aa5-c116-4614-ba49-d4f4749c0264} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 5156 20d0dc24e58 tab
    3⤵
    PID:4944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.8.1977145651\673241553" -childID 7 -isForBrowser -prefsHandle 5384 -prefMapHandle 5888 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e0ab4c2-f3ef-4b7d-a93c-6c7520b24446} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 5884 20d0f336e58 tab
    3⤵
    PID:3812
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.9.1523088412\622392267" -childID 8 -isForBrowser -prefsHandle 5272 -prefMapHandle 5288 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c5964d7-c77e-42e0-9fff-c0e9bf9c3900} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 5296 20d0e79da58 tab
    3⤵
    PID:5716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.10.421249330\1093752379" -childID 9 -isForBrowser -prefsHandle 9896 -prefMapHandle 4632 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f77b4256-213a-4229-b594-86510cbb324c} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 9884 20d10bdb858 tab
    3⤵
    PID:5724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.11.1932056691\951760072" -childID 10 -isForBrowser -prefsHandle 4416 -prefMapHandle 5776 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ce29438-9dce-4d7f-b2df-6f864cffa395} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 5784 20d7c062558 tab
    3⤵
    PID:6104
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.12.728997056\457899186" -childID 11 -isForBrowser -prefsHandle 9564 -prefMapHandle 9560 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4df3ae03-25c7-45b5-b4c3-5398dd7134be} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 9576 20d10c2fc58 tab
    3⤵
    PID:5276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.13.929297014\993567499" -childID 12 -isForBrowser -prefsHandle 4388 -prefMapHandle 9340 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc8526ae-3fb9-4bc9-97dc-973f80704493} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 9312 20d10f98e58 tab
    3⤵
    PID:5336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.14.493062398\2044271331" -childID 13 -isForBrowser -prefsHandle 9324 -prefMapHandle 9328 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6376409-ec9f-4cfd-a943-508b6d580c1b} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 9296 20d10fef358 tab
    3⤵
    PID:5344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.15.1627707274\1278103546" -childID 14 -isForBrowser -prefsHandle 8996 -prefMapHandle 9000 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0b7e4ed-e5b6-4c83-b3a7-c06441f95e60} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 8988 20d0b742a58 tab
    3⤵
    PID:5352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.16.1553801851\1252827736" -childID 15 -isForBrowser -prefsHandle 9092 -prefMapHandle 9088 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {06ae4fd9-29de-4249-aa2d-456235fff8c6} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 8644 20d10fef658 tab
    3⤵
    PID:5492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.17.1470311865\123982049" -childID 16 -isForBrowser -prefsHandle 9012 -prefMapHandle 9068 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbd4cd43-dc56-4397-9ab3-abfba21044da} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 9020 20d10fef058 tab
    3⤵
    PID:5656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.18.1141554141\759878182" -childID 17 -isForBrowser -prefsHandle 9028 -prefMapHandle 8856 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {743ac45e-e6dd-4662-9a5c-def23a6318d2} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 8636 20d1148ce58 tab
    3⤵
    PID:5360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.19.995468229\164578148" -childID 18 -isForBrowser -prefsHandle 8404 -prefMapHandle 8556 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a4fcdfd-e232-4512-9197-9bca26b3139f} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 8296 20d1149c258 tab
    3⤵
    PID:6284
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.20.778922031\411912964" -childID 19 -isForBrowser -prefsHandle 8184 -prefMapHandle 8196 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {243c491e-3a42-4e34-b886-fede453262a9} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 8312 20d1149d758 tab
    3⤵
    PID:6292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.21.1684777640\2020994768" -childID 20 -isForBrowser -prefsHandle 7980 -prefMapHandle 7976 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28b3d9ba-f13b-4b36-840e-89440b879453} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 7892 20d1149f858 tab
    3⤵
    PID:6300
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.22.695935626\970446063" -childID 21 -isForBrowser -prefsHandle 9372 -prefMapHandle 8880 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {25ffa24d-2890-4a0c-bee8-42bc721fdb24} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 9176 20d0f7be958 tab
    3⤵
    PID:6612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.23.773161249\43175486" -childID 22 -isForBrowser -prefsHandle 9460 -prefMapHandle 9184 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0eda9f85-be61-4684-bbba-6480349aa6fa} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 9372 20d0f58b158 tab
    3⤵
    PID:2388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.24.284800433\16922380" -childID 23 -isForBrowser -prefsHandle 9592 -prefMapHandle 9452 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bab43c4-35b5-438b-8730-0affa931e26e} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 8700 20d0fa69658 tab
    3⤵
    PID:6708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.25.406231177\80777064" -childID 24 -isForBrowser -prefsHandle 9524 -prefMapHandle 9520 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {081beadc-21a2-4768-a978-e85842929d04} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 4304 20d0faa8558 tab
    3⤵
    PID:6756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.26.119588457\2133096430" -childID 25 -isForBrowser -prefsHandle 5432 -prefMapHandle 4956 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {43745e75-629f-4831-9e59-99632f958439} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 9436 20d0f6fc958 tab
    3⤵
    PID:6768
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.27.607438663\859102994" -childID 26 -isForBrowser -prefsHandle 2592 -prefMapHandle 9520 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0faf045-137c-47c4-9b40-76882f126ff5} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 9608 20d1022c758 tab
    3⤵
    PID:3740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.28.119478810\785610649" -childID 27 -isForBrowser -prefsHandle 8380 -prefMapHandle 9928 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6023c9f6-1e0d-4840-a73c-cb2b1ee80cfe} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 4592 20d101f7658 tab
    3⤵
    PID:7116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.29.1831281102\1352074595" -childID 28 -isForBrowser -prefsHandle 9232 -prefMapHandle 9228 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {efad909d-d297-4647-bc73-02ce8d1de101} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 9220 20d10e93658 tab
    3⤵
    PID:5176
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.30.1294271351\645372597" -childID 29 -isForBrowser -prefsHandle 9284 -prefMapHandle 9536 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2a69c03-0aa7-47fa-b355-b91a8094992d} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 8724 20d10e92a58 tab
    3⤵
    PID:5184
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.31.948133073\1736276968" -childID 30 -isForBrowser -prefsHandle 9972 -prefMapHandle 4532 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab1724b9-eda3-4106-a70d-1deb90b80b2d} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 4720 20d116b8b58 tab
    3⤵
    PID:5160
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.32.2034756476\476240221" -childID 31 -isForBrowser -prefsHandle 9204 -prefMapHandle 5080 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {440a33db-0c4e-42a9-847c-b54bd18af419} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 9508 20d0f285358 tab
    3⤵
    PID:4176
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.33.1020936806\373662259" -childID 32 -isForBrowser -prefsHandle 5304 -prefMapHandle 9196 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b0713fc-45d3-4c0c-a11a-e999fd06ea00} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 9828 20d0f283258 tab
    3⤵
    PID:5368
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.34.1303976817\1073931949" -childID 33 -isForBrowser -prefsHandle 8760 -prefMapHandle 8416 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7820996f-9974-45eb-9c3f-880ac09fe140} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 5152 20d0f285958 tab
    3⤵
    PID:5392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4400.35.558523549\1017417595" -childID 34 -isForBrowser -prefsHandle 9812 -prefMapHandle 9828 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {03c0f53e-a1b1-4a32-a888-abdff1e7f10f} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" 9796 20d1149f858 tab
    3⤵
    PID:5840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Credentials from Password Stores

T1555

Windows Credential Manager

T1555.004

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4183903823\2290032291.pri

Filesize
2KB

MD5
b8da5aac926bbaec818b15f56bb5d7f6

SHA1
2b5bf97cd59e82c7ea96c31cf9998fbbf4884dc5

SHA256
5be5216ae1d0aed64986299528f4d4fe629067d5f4097b8e4b9d1c6bcf4f3086

SHA512
c39a28d58fb03f4f491bf9122a86a5cbe7677ec2856cf588f6263fa1f84f9ffc1e21b9bcaa60d290356f9018fb84375db532c8b678cf95cc0a2cc6ed8da89436

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\10612

Filesize
25KB

MD5
42f57b7e441426cf629a51cdef5b0a7b

SHA1
8d9d10749a9a5eeda2b3db284389092c170628f1

SHA256
d919db20b99d56effc597c583ff467cbb602552f47742a05c3c38050bba71f82

SHA512
202cd80f454bb86d3640733ea5006e8987cc6ced7053c1fe3b8d793e42b72938793a3de60b80bf9f115f451cec2bcfe8a71dc255188f99bbadd9136bb9372b5a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\11317

Filesize
10KB

MD5
e259d2e88f996062185b0ad735f11d5f

SHA1
56f4663e9e49dfb4a2aae54ae676eeaabf6d1ef7

SHA256
b58fcd559fee187cf840289b7e1e69a14b8dbbea28f379bce044974962faadc5

SHA512
1392fc42060a780b69da82e77c9c8e6750e0c8889822e84365bbba3fb56dfe28487291189014eea37b5e00b3bf2bc0a87fea32435e49530e28236f2ce1a47709

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\15696

Filesize
21KB

MD5
eef34b60ba1796f3bddbebd3442e7937

SHA1
7c52d07a2178222fdabd88d27c63a00402f4a61c

SHA256
f5171b541f83bb037dbb513d82b95a067132f6ada8aac8cd3ba944f63a7360d5

SHA512
f2d067499fac80f16166445008257ef98f97f175426d6abea571301456c07048414a35b2d596d9bcf2c4d94c7d3bf7f5f15871c358de0db9c771a598b83f15b6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\23292

Filesize
8KB

MD5
4106a2efc88828163d937d41db8f26a2

SHA1
7dc441e4a960147e1ff9997d13701b3dde6df69e

SHA256
baeacbb5d6d2e03bf7aeae7a98d7fd307825934c80d226e93fd799523a5c0829

SHA512
650663116faad7cc8391982a077bf087ff999b619c44f83fd394abc39d73e0671d41e8a72a5e78f38615b49c083c28c694f01cc5e79b737d4ed8d4754fc22275

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\25366

Filesize
9KB

MD5
c766e82ca6a741dddae7036269959bcb

SHA1
ae79bdc29144c280d44e265c4476c2b3bff51c24

SHA256
c76533c791cc44e7420d00db03ecbb5648b9bfc3d737d2c5fff5efd1b7fef070

SHA512
004cf34b6ab612fe07f427bfb46f9712abcff0402e85dff24f3286ed8782b5ecbe0dc7d46591548dd2cbebb70ab4777bc9a723b078b32444cf66451a1b416c47

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\26108

Filesize
9KB

MD5
75262b6579485247a30445dcce579bbd

SHA1
1303a8811aeb910013b1ae2c0f57e862876b60b8

SHA256
20e403a15a071c6919d78d57b6bdbd7b88c7f1c19fdf5492552637e6e3740894

SHA512
98b2eab166f89534aebe6b423340e3243cbd492654fe285b3502a7ea9a1585d869f0031b3e5213b1f1cf893bd8e73efae93e2a67a2276b8fc4aec29d2cdb3d51

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\2642

Filesize
6KB

MD5
60806d9ea9e1490111de1f144a3b2fb1

SHA1
0c181858b7bc439f46d9a2ce8d167e357741ff27

SHA256
df7307c412bd55854d160e9141aa8e59e1d2a3aab237ade7e64b0cc7dacd98fb

SHA512
4338ca9d47873074cf96a549679322631b4320742cd7f69fc73cb9eda2ad2e116802c0886e30bdc92823d1257f13b9f2e2ee555e3c477e14c1c16c0a59e29bf9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\27130

Filesize
10KB

MD5
72eefdda7c9233322e51489d31759b26

SHA1
bce4644ee383459aa5a5da608292461796bc859d

SHA256
4b85951e91f7d69b07c632a946e1a05c03fce0bfdd076dd84f1b75e4b226f218

SHA512
7ccb8dd4f9aceed6721cacc11366739c2e1b2e0affef891c9be4e31669547609f8421eac9d7ad0f4dfc977882d1a8570b5e229cbdc9ebb87c7604fe8d49a699c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\27366

Filesize
8KB

MD5
112c44c3677d107a59e908fcd007198e

SHA1
1ac78c3bac332da7f663798ab1a3b26073ce0d82

SHA256
07069325d9ade1be11de3b529e531d0989c650fba3fa23868890898c7ec15a66

SHA512
d7459d08f32468e6f3f31737d6c66551bc5246bba894dc1747e2caf100a441072859413dd12b9d18fb0e42ceb107d523b64f17f48436edc9a70ea960384ba54d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\3017

Filesize
8KB

MD5
a087092c904fd8f507c6687cc5b02164

SHA1
2220594302d7f9acbe7aa7a0b17bfe50f7cb8638

SHA256
a9899b376fe8a266eb8a0e7b1942822f2297b49135fe498b729f0aac96bc908a

SHA512
1e9b3414c61e1412e4089d8e414e56375e5054f82d02405751c36be2bbbaa917f92ca53de290d3b836c0b661ad9f9dbae124b559655b64998cc336a460fbe5b1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\3710

Filesize
8KB

MD5
bdd7f26c60dc56e75d68d3d17997fe4e

SHA1
c719fe0e2861851456f1d8676ff9a1b321432f1d

SHA256
71fbd7059f8b195e1e3e36bf5897642d8872f2ca902ad2f95cc0f248db8df4b9

SHA512
9d374bc0b386dd192bbbc27baeb0518524b1b2b3ea3a2135dd309ae5fde94670b06c6ec5b046b87e18f5c91462a0bb28aa7f8c0d225daa6195e29b3d05016c69

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\7749

Filesize
21KB

MD5
547360255733db3e39ba01f77686d602

SHA1
faca65743841d299d6e9092433470e1de6dfd9cf

SHA256
1ae8c82e645e5849eb9418651de8b36c3bc4de9930a12d485529ad59b2c6e28d

SHA512
4af5f5512798b898eb91eec1833d1441cc94994bacdb0e0e10492136570a930b52cfe44832b45acbc62db165e485c6c70e7275c3684f0487b26713140cb477c6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\8983

Filesize
8KB

MD5
34043dfd1a7a043bad32f824450eb2d5

SHA1
b66594b7421cb1c7a3b1a55ddd07b94ccd9b1e67

SHA256
b3eb306083025360dd3c56475d41ada50a5f70987ddac8b1656474fcc622d31b

SHA512
c4cd39383b6992b66622d2529eb00c4e5c83d74e85e5bf6f1246d4d61fbf5055baa5a115369de6db9786035f0727161707b397dcdd9bdcf1733cfc027378bd6e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\227BA0E44A82E8EE64366FA896C3668C8A08804B

Filesize
1.0MB

MD5
5069186b10b1ed54152ca42d20727be4

SHA1
b89b7e8b676401ac92d65d9fdff79f2c42b10b17

SHA256
7d81d6829b11fe70433969e4f8e0e6354c80663117766bd51529c346b9fc99d9

SHA512
37a2573c070d6ce604488b5024fa08fc723e6b5dc25e02c9dcece1a27cff49cc3bbd64144912c8c1960f49fc282b51e97975ba54ea2e339221cf6e27ccff7953

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\28E2DB8CAB39CFF3369B764B632A7AB6BED3B48A

Filesize
56KB

MD5
8b77ea8599ee8990aaa959821d61b7ec

SHA1
2930d9382d86f8c123577818de7faf8b192cc0be

SHA256
91bcd7c42d5af7d8be678d90ccb563ab767e3faa49de36acc5452e46d4da989d

SHA512
45f85c44451e3109ea747e249aba81b3d7c73ba3e588da2618a03bae0b6bb8b973412eb0054deb6bfdfdaa0d451b4b2ce27dca04a5c1bf0e72d80bbabfcaf38c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\51940E684772D37040AE9FEB9F8B55CF19A74512

Filesize
41KB

MD5
3372ccd358fd5895c30146c78868e95b

SHA1
d4b6d1069c058ae7afc9c0bdfad70fa1d39a862e

SHA256
3e58073fd0a91d0681323a6e134e2df67cb5e4517c3051828e80b70a1a63c876

SHA512
cc3c16abc3d7d491d7ac2d11aac31e4232700de1a91ed2e4591bfa1fcff6e820fb620fd60da04682247532ec66b4f009bae5c052d6ca312932024283fadbf0a1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\592E8EB9DE42B95465ED97DE22293436BB0EF5D4

Filesize
33KB

MD5
e69c0e1d7455953f00ebb8a766950d90

SHA1
9bde3f9da59ca0f146a0ff08f59882f39784fe4e

SHA256
b481f0f1cc0b7302e596a190f9363f227413ac39bbaba2a224cdbf22097d919a

SHA512
ef337a90af754aea62d8365d9b19e9cfc351553e83c416086827f2c103b8b41b66da8e4e024198228f851bb6f609e3630417ee014dac02420721e9d1d130c10b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\DFC53E7C94AE5A235CA013AE98D7B970BAE8AE83

Filesize
17KB

MD5
f044e3af8ac95ca16e01ba1afe22311d

SHA1
c9bb1d1a4d3e40a7d4b9c68d70b1660c915c8848

SHA256
20c88efa6673f0d4116e691adffa8de477fd82162d2ba57d1a7ba48882e55f80

SHA512
2494ef988b52e91c46f570980be931d2a3d7a22793ee9856501917e8c2ba86db9a708cfedf59c3fd7948f2d2487a68930165f87875bb8a4281a99c68a552f2dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
e31a969ce4ee4d6a1a0074f1b3c71e08

SHA1
685bc4d734c448a6441cc70af1eaa8d14e9688d1

SHA256
647ca20a5e846521697ce5ba34883b0311fee2008b8cc8362800c1e662334b5a

SHA512
eb1095de67fd543912beb7408a4093b4236b385a64ffac6ec25bdae25d7a5b5d903d7a32f106c0e9ec3d4cb7a953191b882bc4cee78436f151f8717f9633ea95

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\3fdd84d4-10da-476d-8120-3e45246158fc

Filesize
10KB

MD5
86fc2f91592b8599f10832bf83a0b5df

SHA1
9615c4f6c9a83d065b3625bf5341b25fe0fc8d02

SHA256
02fa30e289ad913af08393ce01a528eb58b1e936df7105b5600f74af5579b758

SHA512
337eccbff0b9aa1ca14a803a90e2067809a6163b4259dc9610e9c81d5f25bfd234ab599a79f97848679e6f00549e1da719fd0d77da3e99d9a3d8ad6a1dae6d99

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\b36c6b8f-d371-4dd2-9af9-df9f205323ec

Filesize
746B

MD5
025ca7ea17ba65659c3522091ea2c088

SHA1
d2c7cee2b6afdcf25960b52fb803efadd83da315

SHA256
7ea27703ead16444511cb2abd5d90acf5267bb027c6607bc27747e1c7927bc8a

SHA512
ba0018ac62c697cc2e9ffd2f513a444ebb742ec7d9ebb9b89cd7e1f737c627824401aba799e53b7fd9a9fb2d7de54b8088127dfe107f182fa12a660d490eddfe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js

Filesize
6KB

MD5
88efa99ee5127e6519688f81b8a475a2

SHA1
6b18f3d4c5f4b47eea836b808ee6434e4b86e029

SHA256
1f3fec0981458afca1e911dac17697525cc67ee4701db1e0a1300db659deef1c

SHA512
7c8e52be2542562ba9152b31719e7579b98ca1ff29b72eaf4802d0e23b1f9d1defc7ee47a8566fb095a94cc26c27adeb7b871aaa426420712c7cfe6e0b29ecb2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs.js

Filesize
6KB

MD5
d36dd95191ed0fc50ec5124db7460588

SHA1
ae80052282f8598f6d53e63ffc7673198a70ccee

SHA256
57c4dcfdfd173858252d8d22279a30f42b9f7d37d6ed4bf30020c5caca59ebba

SHA512
b37423cfca856fa3f24a8e368caa27aedea2e3c8a5525c9a0ed80a6dad6bfaa9e4f9805c79be7d4b92d94d40ed6693bc1488cbf7480edc22c77a4eedb0c32583

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs.js

Filesize
6KB

MD5
2d392cdfcd0cf1f62883d393a79f8b60

SHA1
10731794dd4fcd531c786258d9b1c56795c37388

SHA256
56f3d24f0d4a6f891d794456ce194da396a31f70c65cbf5ca0c426960cfbaf8f

SHA512
e14aded4031479c36430c3affdb83855e46d7d5d9833e39b07614f424087003ae00e565b98d6ec2976676570625bd640673c7c2680ff83fcfa099484dee20d3e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
dac5ee4cca19e866e4b4f5e27c584980

SHA1
58d1660339ed2ef369402adbcd531f7fe6b65b75

SHA256
50c1a92b2a90fd15765e9ec942542f9e0199192d50a497780882f92e82066b95

SHA512
7ccffe3d05c894dda7c337e1c769a62ff84987ba8c05989ecd6c5f8366980a09f0e6948530f856089e4d11d9f6567cd17b918b08b208f45b1f46ff51bb9e0747

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
d491a693c52b9c1de5099cdfeb45d65c

SHA1
4dccde5157aa757a3d877a442cc9e4e726fd32f6

SHA256
8937a33f202691e22fcbfcb7f6be9e64343fee56e1f24567595b4ee097778de8

SHA512
6b6acd39e38cc46be4b128e49e4d153e08e3abd2b4552798ee49280ffdde7fafd113d448ba1b5da6e61f699b1cfb534e61dac980acdd4951c5f47cda42bda016

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
c58c4e82df5c130e0587eeda05daa1a2

SHA1
97be645ea78aa31e167b66a8f2bd5c9e1856a84a

SHA256
368e158b70dfc0d5a80da682d36df4a2b51de0fc9b2244356ca86d403953accd

SHA512
b87fa6badc33fcea28d4c82383ff32096f0e262a0ad80d1c7b258cf3d402667b18ef7dfdcbbf380785a1e3cf43141274c35d186d5d372b59c6e38e805f811b4b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
772e3a4355d270fc9f8adb3611c6f157

SHA1
f9eb1e64c3f85104d5a1a3abf117b824f0cc6f94

SHA256
d939e55353ac581a03352e7dfd56caae2db33ad2b67d9bec90211d7ea6f891b7

SHA512
27da97246c379c8df1dd11ee5d79b7d10debdcef7ea3ace1d1ad743082e7f15b96ec6441ca3154b107aa115d7a86902e2cded52636f018b4ede37d2d99303e55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore.jsonlz4

Filesize
3KB

MD5
c324339ce0db082d0098767800fe7330

SHA1
986f33ec33647b7f73463ba9f24fe558b6702ab4

SHA256
678f41bd4b5d5e5ef32d9b72c6e5561c6bed150a3e756ae766afc0fcb1b79f5c

SHA512
7619fce2dfa8f208d41255afa28ae9c38fe268b429b4f8e495bb5ad6b99461cbf1588f2370d170580b6c09ede275215cd37857857159465f99e88aa78dfda8e5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\storage\default\https+++imgur.com\idb\2926346687feisraebbaatsaed--hte.sqlite

Filesize
48KB

MD5
6000796965b6657d7880bf15d1cf73e5

SHA1
a119f457828d4140028671612ce8db3e59920fed

SHA256
35da9425f197bf5e71c931269cbe244832e5e29a6ee9f7d251acab5d44618eb1

SHA512
5ef55de84fe9514044cfe390fb746e077da82bba39d051d85edb424e98fdcf17c26b71ade4d272cb468cfd99b5f8821a93047a11a21f4d8325a416dcf037268a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
731c0e733fe1e3123d366af7c8e578ae

SHA1
9756304ea773dd9cd96e5996dc79de2ed6a9ae9c

SHA256
8f426b4be5e3440fa14d37480f018b7dc3d1a547b0e91c2fbfc6e31d9054a359

SHA512
d29e0f2356a3226f64692b390c122d4d70f09f677d9f5d086f2babaeba6574d670171edb24ff52f928871ec489680f57910e21fac1ca8ec08783a07d21b1f427

Download Submit
\Device\HarddiskVolume1\Boot\da-DK\How To Restore Your Files.txt

Filesize
1KB

MD5
4696310ca321ce5a34e879b4e8b0611a

SHA1
89082071a1e6d3379a923ef6a39903cc05dfe495

SHA256
1f366b81cfa615b53eb24345d09abee973b2b82778f5f21f8ee31fbe13e7d92a

SHA512
94bfbe6b23e73435a30c6f1bb94970bf9eaa1d9cea0e38d654e23be28ff3802dbabb3984087784a3a99b12f6517389378f1d4c3016b15b6b05a498293480c7d5

Download Submit