hxxps://www[.]upload[.]ee/files/15871162/clumsy[.]zip[.]html

Analysis

max time kernel
459s
max time network
575s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 06:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.upload.ee/files/15871162/clumsy.zip.html

Score

8^/10

discovery evasion

Malware Config

Signatures

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	vmaware64.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vmaware64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vmaware64.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Defender_Update_Setup_778795.tmp

Executes dropped EXE 9 IoCs

pid	Process
1924	Defender_Update_Setup_778795.exe
664	Defender_Update_Setup_778795.tmp
3444	Defender_Update_Setup_778795.exe
3448	Defender_Update_Setup_778795.tmp
4216	vmaware64.exe
2212	setacl.exe
652	setacl.exe
5044	setacl.exe
1600	setacl.exe

Loads dropped DLL 4 IoCs

pid	Process
664	Defender_Update_Setup_778795.tmp
664	Defender_Update_Setup_778795.tmp
3448	Defender_Update_Setup_778795.tmp
3448	Defender_Update_Setup_778795.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 7 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\FriendlyName	vmaware64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Disk\Enum	vmaware64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\Disk\Enum	vmaware64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	vmaware64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	vmaware64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	vmaware64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\DeviceDesc	vmaware64.exe

Checks system information in the registry 2 TTPs 1 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	vmaware64.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\shlwapi_p.dll	Defender_Update_Setup_778795.tmp

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	vmaware64.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Defender Security Update\unins000.dat	Defender_Update_Setup_778795.tmp
File created	C:\Program Files\Google\Chrome\Application\Extensions\cworld.crx	Defender_Update_Setup_778795.tmp
File created	C:\Program Files (x86)\Microsoft\Edge\Application\dlls\dlls.manifest	Defender_Update_Setup_778795.tmp
File created	C:\Program Files\Defender Security Update\unins000.dat	Defender_Update_Setup_778795.tmp
File created	C:\Program Files\Defender Security Update\is-C8T4S.tmp	Defender_Update_Setup_778795.tmp
File created	C:\Program Files (x86)\Microsoft\Edge\Application\Extensions\cworld.crx	Defender_Update_Setup_778795.tmp
File created	C:\Program Files\scoped_dir2836_85016776\extension.zip	chrome.exe
File created	C:\Program Files\Google\Chrome\Application\dlls\dlls.manifest	Defender_Update_Setup_778795.tmp
File created	C:\Program Files\Google\Chrome\Application\Extensions\updates.xml	Defender_Update_Setup_778795.tmp
File created	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.manifest	Defender_Update_Setup_778795.tmp
File created	C:\Program Files\Google\Chrome\Application\chrome.exe.manifest	Defender_Update_Setup_778795.tmp
File opened for modification	C:\Program Files\Google\Chrome\Application\dlls\dlls.manifest	Defender_Update_Setup_778795.tmp
File created	C:\Program Files (x86)\Microsoft\Edge\Application\dlls\Shlwapi.dll	Defender_Update_Setup_778795.tmp
File created	C:\Program Files\Google\Chrome\Application\dlls\Shlwapi.dll	Defender_Update_Setup_778795.tmp
File created	C:\Program Files (x86)\Microsoft\Edge\Application\Extensions\updates.xml	Defender_Update_Setup_778795.tmp

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Defender_Update_Setup_778795.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Defender_Update_Setup_778795.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Defender_Update_Setup_778795.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Defender_Update_Setup_778795.tmp

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\BIOS	vmaware64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	vmaware64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	vmaware64.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
64	taskkill.exe
1580	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133712013743309670"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 010000000200000000000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Downloads"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "4"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = 00000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "3"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0 = 8200310000000000335990341000444546454e447e3100006a0009000400efbe33599034335990342e00000093340200000009000000000000000000000000000000519d030044006500660065006e006400650072005f005500700064006100740065005f00530065007400750070005f00370037003800370039003500000018000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\NodeSlot = "5"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\MRUListEx = ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 14002e8005398e082303024b98265d99428e115f0000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	firefox.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	170	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
4884	chrome.exe
4884	chrome.exe
4216	vmaware64.exe
4216	vmaware64.exe
4216	vmaware64.exe
4216	vmaware64.exe
4216	vmaware64.exe
4216	vmaware64.exe
4216	vmaware64.exe
4216	vmaware64.exe
4216	vmaware64.exe
4216	vmaware64.exe
4216	vmaware64.exe
4216	vmaware64.exe
4216	vmaware64.exe
4216	vmaware64.exe
4216	vmaware64.exe
4216	vmaware64.exe
4216	vmaware64.exe
4216	vmaware64.exe
4216	vmaware64.exe
4216	vmaware64.exe
4216	vmaware64.exe
4216	vmaware64.exe
4216	vmaware64.exe
4216	vmaware64.exe
4216	vmaware64.exe
4216	vmaware64.exe
4216	vmaware64.exe
4216	vmaware64.exe
4216	vmaware64.exe
4216	vmaware64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3292	firefox.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: 33	2280	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2280	AUDIODG.EXE
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeRestorePrivilege	652	7zG.exe
Token: 35	652	7zG.exe
Token: SeSecurityPrivilege	652	7zG.exe
Token: SeSecurityPrivilege	652	7zG.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe

Suspicious use of FindShellTrayWindow 59 IoCs

pid	Process
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
652	7zG.exe
3448	Defender_Update_Setup_778795.tmp
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3292	firefox.exe
3292	firefox.exe
3292	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 4664	4884	chrome.exe	82
PID 4884 wrote to memory of 4664	4884	chrome.exe	82
PID 4884 wrote to memory of 3716	4884	chrome.exe	83
PID 4884 wrote to memory of 3716	4884	chrome.exe	83
PID 4884 wrote to memory of 3716	4884	chrome.exe	83
PID 4884 wrote to memory of 3716	4884	chrome.exe	83
PID 4884 wrote to memory of 3716	4884	chrome.exe	83
PID 4884 wrote to memory of 3716	4884	chrome.exe	83
PID 4884 wrote to memory of 3716	4884	chrome.exe	83
PID 4884 wrote to memory of 3716	4884	chrome.exe	83
PID 4884 wrote to memory of 3716	4884	chrome.exe	83
PID 4884 wrote to memory of 3716	4884	chrome.exe	83
PID 4884 wrote to memory of 3716	4884	chrome.exe	83
PID 4884 wrote to memory of 3716	4884	chrome.exe	83
PID 4884 wrote to memory of 3716	4884	chrome.exe	83
PID 4884 wrote to memory of 3716	4884	chrome.exe	83
PID 4884 wrote to memory of 3716	4884	chrome.exe	83
PID 4884 wrote to memory of 3716	4884	chrome.exe	83
PID 4884 wrote to memory of 3716	4884	chrome.exe	83
PID 4884 wrote to memory of 3716	4884	chrome.exe	83
PID 4884 wrote to memory of 3716	4884	chrome.exe	83
PID 4884 wrote to memory of 3716	4884	chrome.exe	83
PID 4884 wrote to memory of 3716	4884	chrome.exe	83
PID 4884 wrote to memory of 3716	4884	chrome.exe	83
PID 4884 wrote to memory of 3716	4884	chrome.exe	83
PID 4884 wrote to memory of 3716	4884	chrome.exe	83
PID 4884 wrote to memory of 3716	4884	chrome.exe	83
PID 4884 wrote to memory of 3716	4884	chrome.exe	83
PID 4884 wrote to memory of 3716	4884	chrome.exe	83
PID 4884 wrote to memory of 3716	4884	chrome.exe	83
PID 4884 wrote to memory of 3716	4884	chrome.exe	83
PID 4884 wrote to memory of 3716	4884	chrome.exe	83
PID 4884 wrote to memory of 3696	4884	chrome.exe	84
PID 4884 wrote to memory of 3696	4884	chrome.exe	84
PID 4884 wrote to memory of 3972	4884	chrome.exe	85
PID 4884 wrote to memory of 3972	4884	chrome.exe	85
PID 4884 wrote to memory of 3972	4884	chrome.exe	85
PID 4884 wrote to memory of 3972	4884	chrome.exe	85
PID 4884 wrote to memory of 3972	4884	chrome.exe	85
PID 4884 wrote to memory of 3972	4884	chrome.exe	85
PID 4884 wrote to memory of 3972	4884	chrome.exe	85
PID 4884 wrote to memory of 3972	4884	chrome.exe	85
PID 4884 wrote to memory of 3972	4884	chrome.exe	85
PID 4884 wrote to memory of 3972	4884	chrome.exe	85
PID 4884 wrote to memory of 3972	4884	chrome.exe	85
PID 4884 wrote to memory of 3972	4884	chrome.exe	85
PID 4884 wrote to memory of 3972	4884	chrome.exe	85
PID 4884 wrote to memory of 3972	4884	chrome.exe	85
PID 4884 wrote to memory of 3972	4884	chrome.exe	85
PID 4884 wrote to memory of 3972	4884	chrome.exe	85
PID 4884 wrote to memory of 3972	4884	chrome.exe	85
PID 4884 wrote to memory of 3972	4884	chrome.exe	85
PID 4884 wrote to memory of 3972	4884	chrome.exe	85
PID 4884 wrote to memory of 3972	4884	chrome.exe	85
PID 4884 wrote to memory of 3972	4884	chrome.exe	85
PID 4884 wrote to memory of 3972	4884	chrome.exe	85
PID 4884 wrote to memory of 3972	4884	chrome.exe	85
PID 4884 wrote to memory of 3972	4884	chrome.exe	85
PID 4884 wrote to memory of 3972	4884	chrome.exe	85
PID 4884 wrote to memory of 3972	4884	chrome.exe	85
PID 4884 wrote to memory of 3972	4884	chrome.exe	85
PID 4884 wrote to memory of 3972	4884	chrome.exe	85
PID 4884 wrote to memory of 3972	4884	chrome.exe	85
PID 4884 wrote to memory of 3972	4884	chrome.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.upload.ee/files/15871162/clumsy.zip.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcb966cc40,0x7ffcb966cc4c,0x7ffcb966cc58
  2⤵
  PID:4664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,10421564223424584428,10226190783193217176,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:3716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1748,i,10421564223424584428,10226190783193217176,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2076 /prefetch:3
  2⤵
  PID:3696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,10421564223424584428,10226190783193217176,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1764 /prefetch:8
  2⤵
  PID:3972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,10421564223424584428,10226190783193217176,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,10421564223424584428,10226190783193217176,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:4264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4576,i,10421564223424584428,10226190783193217176,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4592 /prefetch:1
  2⤵
  PID:3828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4716,i,10421564223424584428,10226190783193217176,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4548 /prefetch:1
  2⤵
  PID:976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4828,i,10421564223424584428,10226190783193217176,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4864 /prefetch:1
  2⤵
  PID:1520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3736,i,10421564223424584428,10226190783193217176,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4724 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4992,i,10421564223424584428,10226190783193217176,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4020 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3240,i,10421564223424584428,10226190783193217176,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4916 /prefetch:8
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4580,i,10421564223424584428,10226190783193217176,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3248,i,10421564223424584428,10226190783193217176,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3804,i,10421564223424584428,10226190783193217176,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5988 /prefetch:8
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4016,i,10421564223424584428,10226190783193217176,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4836,i,10421564223424584428,10226190783193217176,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5856 /prefetch:8
  2⤵
  PID:3756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4824,i,10421564223424584428,10226190783193217176,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:1740

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4660

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4fc 0x33c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2652

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Defender_Update_Setup_778795\" -spe -an -ai#7zMap25367:118:7zEvent29864
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:652

C:\Users\Admin\Downloads\Defender_Update_Setup_778795\Defender_Update_Setup_778795.exe
"C:\Users\Admin\Downloads\Defender_Update_Setup_778795\Defender_Update_Setup_778795.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1924
- C:\Users\Admin\AppData\Local\Temp\is-8AGHM.tmp\Defender_Update_Setup_778795.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-8AGHM.tmp\Defender_Update_Setup_778795.tmp" /SL5="$501E6,3764700,857088,C:\Users\Admin\Downloads\Defender_Update_Setup_778795\Defender_Update_Setup_778795.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:664
- - C:\Users\Admin\Downloads\Defender_Update_Setup_778795\Defender_Update_Setup_778795.exe
    "C:\Users\Admin\Downloads\Defender_Update_Setup_778795\Defender_Update_Setup_778795.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3444
  - - C:\Users\Admin\AppData\Local\Temp\is-BAMNF.tmp\Defender_Update_Setup_778795.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-BAMNF.tmp\Defender_Update_Setup_778795.tmp" /SL5="$601E6,3764700,857088,C:\Users\Admin\Downloads\Defender_Update_Setup_778795\Defender_Update_Setup_778795.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      PID:3448
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Users\Admin\AppData\Local\Temp\is-S9L4I.tmp/vmaware64.exe" --spoofable -d > "C:\Users\Admin\AppData\Local\Temp\is-S9L4I.tmp\~execwithresult.txt""
        5⤵
        
        PID:1600
      - C:\Users\Admin\AppData\Local\Temp\is-S9L4I.tmp\vmaware64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-S9L4I.tmp/vmaware64.exe" --spoofable -d
        6⤵
        Looks for VMWare Tools registry key
        Checks BIOS information in registry
        Executes dropped EXE
        Maps connected drives based on registry
        Checks system information in the registry
        Checks for VirtualBox DLLs, possible anti-VM trick
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:4216
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Program Files\Google\Chrome\Application/chrome.exe" --pack-extension=C:\Users\Admin\AppData\Local\Temp\is-S9L4I.tmp\aodirz > "C:\Users\Admin\AppData\Local\Temp\is-S9L4I.tmp\~execwithresult.txt""
        5⤵
        
        PID:652
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application/chrome.exe" --pack-extension=C:\Users\Admin\AppData\Local\Temp\is-S9L4I.tmp\aodirz
        6⤵
        Drops file in Program Files directory
        
        PID:2836
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x120,0x124,0x128,0xf8,0x12c,0x7ffcb966cc40,0x7ffcb966cc4c,0x7ffcb966cc58
        7⤵
        
        PID:4216
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""openssl.exe" rsa -in .\aodirz.pem -pubout -outform DER > "C:\Users\Admin\AppData\Local\Temp\is-S9L4I.tmp\~execwithresult.txt""
        5⤵
        
        PID:4328
    - - C:\Users\Admin\AppData\Local\Temp\is-S9L4I.tmp\setacl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-S9L4I.tmp/setacl.exe" -silent -on "C:\Program Files\Google\Chrome\Application" -ot file -actn ace -ace "n:S-1-5-32-544;p:write;m:deny"
        5⤵
        Executes dropped EXE
        
        PID:2212
    - - C:\Users\Admin\AppData\Local\Temp\is-S9L4I.tmp\setacl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-S9L4I.tmp/setacl.exe" -silent -on "HKLM\SOFTWARE\Policies\Google\Chrome" -ot reg -actn ace -ace "n:S-1-5-32-544;p:set_val,delete;m:deny"
        5⤵
        Executes dropped EXE
        
        PID:652
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Program Files\Google\Chrome\Application/chrome.exe" --pack-extension=C:\Users\Admin\AppData\Local\Temp\is-S9L4I.tmp\bspcrz > "C:\Users\Admin\AppData\Local\Temp\is-S9L4I.tmp\~execwithresult.txt""
        5⤵
        
        PID:5032
    - - C:\Users\Admin\AppData\Local\Temp\is-S9L4I.tmp\setacl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-S9L4I.tmp/setacl.exe" -silent -on "C:\Program Files (x86)\Microsoft\Edge\Application" -ot file -actn ace -ace "n:S-1-5-32-544;p:write;m:deny"
        5⤵
        Executes dropped EXE
        
        PID:5044
    - - C:\Users\Admin\AppData\Local\Temp\is-S9L4I.tmp\setacl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-S9L4I.tmp/setacl.exe" -silent -on "HKLM\SOFTWARE\Policies\Google\Chrome" -ot reg -actn ace -ace "n:S-1-5-32-544;p:set_val,delete;m:deny"
        5⤵
        Executes dropped EXE
        
        PID:1600
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        "taskkill.exe" /f /im "msedge.exe"
        5⤵
        Kills process with taskkill
        
        PID:64
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        "taskkill.exe" /f /im "chrome.exe"
        5⤵
        Kills process with taskkill
        
        PID:1580

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3268
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1928 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eab56c74-6547-48a4-aeb7-5a3c823e6f3d} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" gpu
    3⤵
    PID:2924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2444 -parentBuildID 20240401114208 -prefsHandle 2420 -prefMapHandle 2416 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97834005-60df-4764-8a0a-c2acfb9f7db7} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" socket
    3⤵
    PID:4260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2772 -childID 1 -isForBrowser -prefsHandle 2972 -prefMapHandle 3032 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d94dd69-0a53-42c4-ba8e-a6b97f0450f9} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" tab
    3⤵
    PID:3708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4032 -childID 2 -isForBrowser -prefsHandle 4024 -prefMapHandle 3988 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ed936d1-88e0-4ad6-8082-9e336e2351a4} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" tab
    3⤵
    PID:1092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1656 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4848 -prefMapHandle 4844 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {41b3c4c9-6192-4f85-a766-fe55af448d62} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" utility
    3⤵
    - Checks processor information in registry
    PID:5160
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5348 -childID 3 -isForBrowser -prefsHandle 5320 -prefMapHandle 5332 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b1513ed-c6af-48fb-bd19-9d0850367b0f} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" tab
    3⤵
    PID:5860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5396 -childID 4 -isForBrowser -prefsHandle 5528 -prefMapHandle 5532 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98429a19-be86-4eff-a15c-c1a90ec1a0a1} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" tab
    3⤵
    PID:5872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5700 -childID 5 -isForBrowser -prefsHandle 5708 -prefMapHandle 5712 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4573580-ca85-45a4-9641-154c90765046} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" tab
    3⤵
    PID:5884
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6184 -childID 6 -isForBrowser -prefsHandle 6196 -prefMapHandle 6192 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbdc1ef4-ec4e-44a3-96fa-df73278e9daf} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" tab
    3⤵
    PID:4844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6856 -childID 7 -isForBrowser -prefsHandle 7180 -prefMapHandle 7376 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7904c9e4-4a09-4f13-92fa-7e11515efa47} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" tab
    3⤵
    PID:1496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5228 -childID 8 -isForBrowser -prefsHandle 3536 -prefMapHandle 5184 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {891dd22a-35cf-44a5-a8f6-8517c6ef4692} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" tab
    3⤵
    PID:5288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3912 -childID 9 -isForBrowser -prefsHandle 7140 -prefMapHandle 5332 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7f3243f-9296-44d5-8029-cdb093056310} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" tab
    3⤵
    PID:1116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7148 -childID 10 -isForBrowser -prefsHandle 8184 -prefMapHandle 7500 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9882f972-8764-4216-b3d3-72dc492cefd0} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" tab
    3⤵
    PID:5956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6768 -childID 11 -isForBrowser -prefsHandle 6204 -prefMapHandle 7528 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {92d61fd2-74c8-420f-abbd-2f9e86b41f38} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" tab
    3⤵
    PID:1340
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6300 -childID 12 -isForBrowser -prefsHandle 7348 -prefMapHandle 6760 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b09ad62e-d739-445f-8467-dd94c9a1425e} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" tab
    3⤵
    PID:5256
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7420 -childID 13 -isForBrowser -prefsHandle 7064 -prefMapHandle 1436 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ba938b8-3326-4662-b20d-1691e36aed83} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" tab
    3⤵
    PID:5736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1512 -childID 14 -isForBrowser -prefsHandle 7060 -prefMapHandle 6788 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d153ea60-0982-4c9c-9847-ae9f269dc03a} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" tab
    3⤵
    PID:2224
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5540 -parentBuildID 20240401114208 -prefsHandle 8176 -prefMapHandle 7004 -prefsLen 30532 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dff17415-cafd-4a03-b20d-f78eb3c6d944} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" rdd
    3⤵
    PID:2452
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5784 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 7596 -prefMapHandle 1512 -prefsLen 30532 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {081cf80b-5674-4fe2-ac12-9759dc037b82} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" utility
    3⤵
    - Checks processor information in registry
    PID:2496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8176 -childID 15 -isForBrowser -prefsHandle 5712 -prefMapHandle 4268 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3840f18-3cfd-43ca-b750-8536ddfa3342} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" tab
    3⤵
    PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\Extensions\cworld.crx

Filesize
45KB

MD5
832f6d14be19d5fc23731952302c04b5

SHA1
c94a255f61586ac5d284c68769abdb24abba8c5b

SHA256
186e7f2d37f0381cbbaf1a798cc3989c31ca23ca04c2121454690f2a6c7c8b11

SHA512
8fead2bc1d9c1eaecae0445612b792d906f3989d5f279f56c70f6a5517ca1255bd68857c55e8489d438871df634a58e00117da638961ef8f6ae5635db730f14b

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\Extensions\updates.xml

Filesize
311B

MD5
d9361edd344d3864f45d8e45b317ca34

SHA1
44be84e9a988c5bc4a462ff47586848f11bb6e14

SHA256
843ee221b445bb3493cc2fb3f57266bb61228ddcca67a41284e4826b6d7ced44

SHA512
755ab3ca8c721a292ec1ae8dc651e8446a26c1a33373625d8b3dae1ea776a7b505c74c2a4b3d39fb79c4e41c1a6fbd6f70e9da608bc926b1f612cc4386eb7a5b

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.manifest

Filesize
1KB

MD5
664c49d86157e6fb55f069b266f4e2c4

SHA1
b43f11f509c9dd5e9f83c04d2dc88e11d91e780e

SHA256
8f4694c4349377bf149b3d4acd643d4327ea254789312e2c6751a5d1d9c1e9e5

SHA512
0012ea0e41bd9634b1ed5ffc695e9718e82cce9729c2b6dfaa67888ba4d1bbebe75036bd867ef51bb251980a86b8491ae6eea1da69a0cbbf4eeebf40e95895c2

Download Submit
C:\Program Files\Google\Chrome\Application\Extensions\cworld.crx

Filesize
42KB

MD5
58603e7d809af776f9117b1563970061

SHA1
5acae7fcde748f7f3ac0ffebbd48c36064b1c8d4

SHA256
f41c3c79cacb8f8d039a476041926581c2c07f48d1ffa4ebc34d9cfa3bf56b21

SHA512
e2840a6935e96082703666082a0865d04fd1c63f112cd0eeaa7db14d4bbe397c9090ecc7679fe2eac1ced001d86d01f188d57293ad5ce218e2291a92800c9897

Download Submit
C:\Program Files\Google\Chrome\Application\Extensions\updates.xml

Filesize
304B

MD5
16a5b7dbb0709c4d057f34dacaf954ad

SHA1
6a0949645da6d3d5511ac390c7d72847253d611e

SHA256
9889e8674674814775c463e4beebc618d0713585d40ed84e8d767dc19a707ed9

SHA512
e787e1b4d214f1b0424f509f4738b4ac7f1f63324cec70579bf9cc3630b055a42f20f9cadb419e7a1c18e66b5a220ef24bce819fff2b8f7794cfde682167003f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.exe.manifest

Filesize
1KB

MD5
1bf07e16d4344d7685218f88dea83c50

SHA1
b6fec595215a0264e082da9b95c96b096f2a4c3a

SHA256
e9957e6004de0591e90bb7a664d837c9ce8547698ff2dc31319857162298221f

SHA512
60e5d2b3183f6ba17d0c3e072e772a984a5147277d2706b98691940a330216071dc2bafdf8894e606d93deacccdf5cf77dd62458bb1a52fb6c3e44e686d7a3a2

Download Submit
C:\Program Files\Google\Chrome\Application\dlls\Shlwapi.dll

Filesize
48KB

MD5
4cac70c3fdb075424b58b220b4835c09

SHA1
651e43187c41994fd8f58f11d8011c4064388c89

SHA256
4094f54853d9eea9fb628e2207cd95042bae089711908d1c8ed189fad9448e2b

SHA512
810e97be3d47c67449a6049b52578f4f8dd829b62d015dde39c2a2381c481625540f945e06224b9c74e0deac089f6cd352f53343170138778c1f9e62e7518963

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
89f10307a4e87f78ad0b6081cd8e23f6

SHA1
a26e92f89231b60cbd742d0a259d63eebe2388d0

SHA256
dcf169dc4a6449c4cc490dbdb448505ec91dd219619f32496100649c259388b9

SHA512
5845e6b34d0effafa10ba9c5eded904c13af64128ce3a152a3c2cad9c6fa38b7358916a0948eb6288c9c9ead23bd5195e16c77c49971fb53d6ceabc1e276f0f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
753c523884a10ac72975b57395ba81f4

SHA1
51aa3d13f003bbe24169560062368776f6fe109a

SHA256
133c8f5e682d60833283793a9c5b5decfa32c6506a486b4e59723b125562fb3a

SHA512
ac110ce6dcc24bef47402c61700b6e53d1796f0ec906fffcbc7d7736fccc4d086f1c6d212db0eba814e8de3ca039aed4860934a2ad5f853fdc6256d19f36e62f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e

Filesize
53KB

MD5
4129c16dafd504dfcd7b4204d5c2b9f6

SHA1
d62575c1f26e92ed4241ed69c4f6fe7429a66066

SHA256
cf385451a4cfa17b901c5faa381ce112d471ddb1b15b21f4062b185738fcf726

SHA512
fe7e515df8aaaed651210a63a09e13e6212cc08eeb39fec31f4c631e42de4107d6f0ca9f0bfe020961d059f01a091e858d185ec405288be3b3021a90754b28e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
c01d5e2354a6f91b0190aeca1e33a3b0

SHA1
3ed37b166f7333d03a67d18dc99349d2761e5d24

SHA256
f98670269044df04c0694506cf18bb997045998b2554e88ee9f2f9172a0155fe

SHA512
7c142777b668e9ca6fb6aa0cebaa3fd2ded0707e13b91b1b8d0d6f399353a2f5f4317d1d1dcfa5e969cd80fd068ae2bd0535cbd236d51205c664748c3ed8fa20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d5aec0a3ca4c14e60d66a58a0928e434

SHA1
4bc0d9cb66c9a068f4424bba3edf6f8ec2aed95c

SHA256
9843635feb2871043129f3c2f2557944caf623bf4ec696d6f9e6c2646108f50b

SHA512
6c8ab992a50a3e1af316701abc5a3e9a9cc999e508b59693970f6791bcf6ca770d139bfc8ae43722751f32a84dbaa445f32945b05263dc737b8cbce309cad354

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8403ad52e44655395526aa408d624655

SHA1
7731fc118791ad786359d9ea5172915a18eb4c65

SHA256
0aeb17f202dcfe54d7b65ad692c4bcd9c2fe557b9eb583c99c0b76958eba318a

SHA512
9f8e8a53ca1054c5f2d0da3b122d123ebdbe78d9260c7d4948d1fb83fa091ad4f19ba2113d97c0e34ab43d59e3dcfbef805def0daeaff19c03ebfb3419fb8000

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
57181421a7b5b15f47267ce7e0fc5250

SHA1
998fbe9ce8a23b77b7d24b0d67f4283fe5d0f4cd

SHA256
387fbf380b5646aeee3fd34def63a8ef587f2c1c42c3f62b177320fd24a5c360

SHA512
e865274da7c4fa91e91ff9be360a261cf75520e918f06d5fa7d88b3eed15f3bb31c9be2fc3bd9336590fb56fd4682769721b1209115a41f2f51e2ca14f1945d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
916b266f466e236078c6177b181d0131

SHA1
70f42fbfacc4dc29d95911a7f612374ab6f8bc55

SHA256
417e29b3c0f66c162fd33d3b0d2b228f86b6171b99884d59ef95ebf2af15c0ae

SHA512
fbc7a6e4de4eeea8e33e74b263989db46b82c4e4d74d847b07641988043bd258e933ba26f68387a0fc6b85ba73b3ffe466f3ce372d15e7c87005ad2500e9f83e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\aa82d68f-378a-4473-8ff0-ae2b8796ab8b.tmp

Filesize
99KB

MD5
9b97f96d6bc77d9bf4098cb5d4edcb5d

SHA1
d7afab974358192e6b611abc0615aac8395243d0

SHA256
c72456c0aefec0e8e29aa964a39df22f57a1b7f9a6056fc21e071fcbde82a540

SHA512
a231c3e44bbf136670a7e175c253c83a9ec958434999c580e962fbd3cfc490e7d955d2e0f6db795847b2174f49959ce897b1f9cfde1764eea8048a58e5a1f5c2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\activity-stream.discovery_stream.json

Filesize
30KB

MD5
c23a1c51e2f502d15ff673c17933521c

SHA1
1ca1d7322dc8c532b42f39ed19cdc8d446077e06

SHA256
31c6cccdea7df7e619da0f1ba96799b31732a48779a31dccbf33cfc854437401

SHA512
a156ff1954ea58388f86209b44228330574c218a372cb4643274018b832dbe720bbd15b351b4272d29882179dfc1fc27b881c810d5ea7b46e39bf7a8606a5ec6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\cache2\entries\0A73C6E23F02820E5C7F05AD9890531BF91D87DB

Filesize
112KB

MD5
557bd0a8842c69b6451e7d7980c47df4

SHA1
46815955c49ca06869e37be5bc41062b1e1f9ed2

SHA256
824daf5a80825d03b87e104cbee4b2bd2e3f230dd77d49024c417bbf526aa616

SHA512
925250c954323b2f999ecf01ea5e89e41d9bb6d0ba5e27c9424b8064f7e86c3ab470512648308e0557296e57e22d9d08aa505df6b30296ca1e3070d322064bc7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\cache2\entries\40334A58275C948544A1751121660CC63D4B824C

Filesize
104KB

MD5
eab4be020845d41b3ba52ae7114b695d

SHA1
6b11182dcf838d343916a8cb9b53ba080a834560

SHA256
71ad79264883850782548378b00ad0540219da31188a31ff2c3e59dca4d0ff30

SHA512
ec9e797aa17639864bc1d205a05f6ee957e4a90e97cb3bd2f57db783d104879087cb7ba7f780bb421f1a918256a60f3736bbcb24607c8d6eff3f7135622dc9a7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\cache2\entries\46C625DB4964C00323A8EF4C60828B52A454EBB4

Filesize
1.1MB

MD5
580595134e41ae3e8531d16e29d66613

SHA1
b9130ac79937be455e68f18814a1e3d8056dc614

SHA256
b56f05a578215154f615617990b2478811c19b68f1ddbf0b681d2f22e410eba8

SHA512
a390f0aa325188c64d5a433c3430ca0029f6e989350d373831ad5e510340d923585dd24a802bc5e5ce9768cf90d630e2728ab2aa986655467b723459b5335abb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\cache2\entries\53C8C46F04350B64D691DB4860BD34DEDDBDBB16

Filesize
97KB

MD5
84cff0245ebb76242bcff7f688b6ac9a

SHA1
e4212ea33182122879787927953bf7ecdb403c36

SHA256
5a93e894157c670219f03b9984ece54571baf39bfd01390b979c3a7e8b611f7a

SHA512
f34fc854929ee1836e2d704de48d8ccb7dbe9405d0238316612ecccd7d22a818a5a79c3e920a073b85229cbf46b20d866690455c302675944a63d55cf9741cfd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\cache2\entries\971254C7341460E85C93D0821B91E9985A0B32D6

Filesize
2.0MB

MD5
7d1c2197d9ab5c93a92db2295aab368d

SHA1
0c50961aef681a06e1e3b12594c8b3f9f85c904f

SHA256
f61ce404679dc3b29b62579c5c493ccf669504396c0b0f57d67d669fb81a59ce

SHA512
635936425f3f6837b0fd3ae04d3a009b272222a0bfbc9b7151010b67c50412f3b56a66030021497fd127b5b96097563172e126de2814ef026602fd9bcab44ecd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\cache2\entries\98AF737DD946CA3B37F8CD63EC1E1756F57F2E19

Filesize
70KB

MD5
9cc5305354f20176499b810288871699

SHA1
396b0d1101e5de0b031442d59f4ca2a6c65ee0f1

SHA256
2cb1246e6304c98f0166ccfb38fb1153389aac7da4b011d71f4ec3db0bc8726a

SHA512
24d4bbe5a9113e1240424aff8a93060f8fc6b4d742ad57a5bc493dc0a4008721689394c9e3675435fed4d2631c4071db627d6251ce43a9408e3ada42cc909a36

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\cache2\entries\9E153E43FBA49EDB7D2FF3F00D771FC734829899

Filesize
61KB

MD5
fe5a4f0cb1a38b8975d37c1d87fab75e

SHA1
59502ff95f8a84b1e556aa4e0c9bda9d1deb3e41

SHA256
2f9e42f4e08a0bf700b4ee5fda24f53b326340efebc357c6ada165720085b9d7

SHA512
f055d701692ae3f59df19c103e4ac96bdcd95bd5862fa3f7cdc36853277026ae11199ca02f6a4c465483430fbcf4383afb5bad8450b02739ef3dc177cc31df71

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\cache2\entries\ABD634484EBC6043D0302B090BB04F2A504AE1E6

Filesize
76KB

MD5
d4bc16e7444a49c274dc01f828091cd1

SHA1
1325c8e379a40fbbba585adec1b782a2094fe856

SHA256
7d25d7fa3a211291818310caa082c5d774fc72c797ff7cbdb28eeac8d738883b

SHA512
3fd927f42466f935a12d84087536a63c7b7fb78261d75902ff2acc1c1fd4579468809d5307ca147ae8e5a69cbddfa66960e5bb1328a6f7f537f91345d5095273

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\cache2\entries\DFD33CE8CCD4D114CC1ECA54B4C03A3BD6BF9914

Filesize
362KB

MD5
2ecbce073e5315fbb9739728cb0df4ed

SHA1
ec9271f21d4089089cb9a282dddced5441de0401

SHA256
d1dca83414aced9f04a5c450307b82749e3f23d00c5d61ce37a5d15ffdfdede1

SHA512
d8523434ef8f0c9249d95164335f6055b0e0dafe7ac2a7afbef9ded7fab4eb35ab30208b45c7bf269478771cb5a80d07ec96d3818380ad2b831cee61e54f7eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8AGHM.tmp\Defender_Update_Setup_778795.tmp

Filesize
3.2MB

MD5
9cf66b9ba3daaccb510ce72604db4203

SHA1
c1a5b9aa6b0c61857000e4f5e519f40eae4f1ba8

SHA256
10fa4f46acd467ff5ecf3c19acb0663f275fec8334259c8236a325c8124ea6ad

SHA512
7c7bc0be1fa7d08862c4f83e2200111f6209052886e511fe41ae7f60b0e4557cc72e79c6b82aa50ba714366d9ef2ef981b5e4478bbadb2e308cc49839d63a6dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PNO5V.tmp\_isetup\_isdecmp.dll

Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S9L4I.tmp\aodirz.crx

Filesize
42KB

MD5
d260b5ae532f84e4a9269188db79ceef

SHA1
00ded6b9ce42c41d9e10e6215a83a88ada554da2

SHA256
87deba904d142ed507ae60030dc3df58224503babc465f6fe99802e0c29a7405

SHA512
7badab3200e501d22b0d0429261df9fb4d626342ff7b32a2d730017cd22fba8bb2222eb5629519c28acb1432258218fd33f8776f503c03a5c46d8270640905a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S9L4I.tmp\aodirz.pem

Filesize
1KB

MD5
cb795497c0b6ae50dea354c451804580

SHA1
e1b4d9196184a547a3435e6cd621c34a60d5fb9a

SHA256
28ef0f20346cb5e0fba088fb265a2a73e0c377cfcf761fa39e8b76d99f94983e

SHA512
d400083eb05831a2a82c9af338a32c2ef978c08cf06bf99eebb55d071a2a81d3ae63057b719e42edb50c3f5788c3c2cc25996118fad0810b440a533529303335

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S9L4I.tmp\aodirz\icons\icon-128.png

Filesize
7KB

MD5
d18be6a16fb91c4a1123b3182e13025f

SHA1
56943a2508007a484fe1be1bac84b04976372bde

SHA256
86526283f553e3ad0df338d3eac5ed770417a6b9533a29ea2187f7a0ab407172

SHA512
d8385596edc68082aecf5f12b36a5adb00c90e133727643c4a43d986992b4539f3f724051c4b7134dde5db3638498f4b95c1be29823b8196efe0f42abf091a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S9L4I.tmp\aodirz\icons\icon-16.png

Filesize
748B

MD5
09e2ce68c7fee9073a804e73feeade08

SHA1
6abad9ea54f8b20b1ba316b85c9b72fae15ef0e9

SHA256
a7dd6d22f0141ffb7c6c112ac9f5bb9f686839b2329dbcd16aed48777a3cbea7

SHA512
2219220ed3d3168731cd936716375572fa606db4075579efc18a2b9fad4773a0e81086a835a3def21fd588bb60d6708c3f032ad0008160652dd6d66850392ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S9L4I.tmp\aodirz\icons\icon-32.png

Filesize
1KB

MD5
7c7d79b56ccf0a57aa80bca656ad4639

SHA1
c72a6ffe84ed6a3e11c67e8a8682b331c1e372c4

SHA256
e09fb969e79655d9a0e84c606d15a3323eef78707dc7a36105b93d72a199d9cb

SHA512
3edd4564564f70ae9011296d741fa3a50af697d37f948004b9f01c26702e6fc87815ac2cd2b465b117db3c3be0c6e81289d483ef3f749994fb3a76473edf08a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S9L4I.tmp\aodirz\icons\icon-48.png

Filesize
2KB

MD5
a9cae0e26cb6a2ddefe36537ecaeb4bb

SHA1
927ab3869a64b37df47ee2581a94de8e1b272210

SHA256
210d30e5738af52ab7e50c983eb8820da6ac8ab5bbe32942fabe7aeed5c56e0d

SHA512
765e6f06e04b5894af4c62f37a1c72858e3ad67b1f4485168a4e3e82ca3d4c76581b1eff3977975a4af243b7f4c73ea6f8a97ddb4e9c524b8d663b9beea9632d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S9L4I.tmp\aodirz\icons\icon-64.png

Filesize
3KB

MD5
c3519e47ffcc1ad2391a14be62e08beb

SHA1
f2d417157a11cdc48bddc4d76708964b0ceec91c

SHA256
0b520f0068f9057545f9bcb0655790a476ab517757b19d51298bd4515a3db517

SHA512
0fa4ad137f400fcb840596d914fe58ffe33ccb75c66c0ff7ec6986f279a24edb970eb196ddd2949644d8772b2acf493df6748f73c0f3c642acb523cd4be838dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S9L4I.tmp\aodirz\js\background.js

Filesize
69KB

MD5
2c94032e10f8ac1c551b11cd047d6688

SHA1
8e72c31d41115576bc6ea482448f34a420c93d30

SHA256
ffb7ad2cd0d108ae92fb6fcd7ee2316d9b9cbbe00930976886e5be4cbc8041e1

SHA512
d37eb9a8a313c13e6301c311bca64d20166680ad679e1594815e424cc9a54074f045986c7d2058ed14eab388380c66e1db87e2021a7f5bb625b56c1879e72363

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S9L4I.tmp\aodirz\manifest.json

Filesize
599B

MD5
3b2cc210c7b698a1954a057a0d228a67

SHA1
81735afcc6335ffe103797b5a5361ce6bab0544d

SHA256
d7d0333cc7cbcf66bd8e74153af7ff84a85fdcef735688880d09a5a2b7daef53

SHA512
68ae59facfe02c9849dd75c8fd1d6e8db09359f40ae1e2047e854c2b5007390a0d2a0f8f3b5e17ce3e7682f20e4b48a0255dae5e697e545791addcfd8d736462

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S9L4I.tmp\chrome.zip

Filesize
41KB

MD5
525bc1a1f65c322174befff20e0606bc

SHA1
113e54ac45c845b15f15c5dc4a5e1ca5aaf9d0e3

SHA256
5c8544708639aacd5131b908514a1ac9b903fd590d68e6d5571282841f1ef849

SHA512
f69d34934ab4c213d3c624ef24748f83a7e61f49dcbb9dcd030e17052194f3dae1bd29d96a44ffbfb68fa00737595e94891afc8bc8fd2f19baafdcae0112b80f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S9L4I.tmp\dlls.manifest

Filesize
208B

MD5
963fb7657217be957d7d4732d892e55c

SHA1
593578a69d1044a896eb8ec2da856e94d359ef6b

SHA256
1d4a8c5e18d7a189036f1074ffae7927b0450864f5c8622a44205e04ef13ce12

SHA512
f875fa56bcda6299681d2ca2852d5ae04504b1df8d8824170215d4c136a568fc2548ada88ea75178ce23b4649f1713a863926c4d02125cb29475251bf5781fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S9L4I.tmp\edge.zip

Filesize
44KB

MD5
7d88eb252cd1d46cf5184b02b72cd15a

SHA1
862a3ddce657536baed8723e77b1b3f5b976b62f

SHA256
7fe3ae9c4b1d8d917c1aff2a5f9fceca3889fe88a8de466a0f52f6e3ee97297a

SHA512
7826244885a6e93a11d54ed098f711f32a1fdeee99dd797e8f2b9dbd92868c5296e405eee3eb392b9640251bf517ca6af63bf39c2b834fd3c2366d392177ebfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S9L4I.tmp\setacl.exe

Filesize
601KB

MD5
1fb64ff73938f4a04e97e5e7bf3d618c

SHA1
aa0f7db484d0c580533dec0e9964a59588c3632b

SHA256
4efc87b7e585fcbe4eaed656d3dbadaec88beca7f92ca7f0089583b428a6b221

SHA512
da6007847ffe724bd0b0abe000b0dd5596e2146f4c52c8fe541a2bf5f5f2f5893dccd53ef315206f46a9285ddbd766010b226873038ccac7981192d8c9937ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S9L4I.tmp\vmaware64.exe

Filesize
314KB

MD5
4adc348cf014d5c2eacca085fc6bd8b1

SHA1
dec45001e19130a25e0f15091b8291c8e560388b

SHA256
3d3e48e16326f5ab718e63bff2a4bb109b3c1942147f14e103467e2ec42a1401

SHA512
49334197fe250876360fa52ded719c0c6eeb5367ffe589cf3ee963ad91808ca10788161e8c69f25cabe2aa16c4b0f701af5e52cc29414b81ea38305e65ca5e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S9L4I.tmp\~execwithresult.txt

Filesize
3B

MD5
21438ef4b9ad4fc266b6129a2f60de29

SHA1
5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd

SHA256
13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354

SHA512
37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G6W8A4R7VZNFX5BV9DSL.temp

Filesize
21KB

MD5
cd87f6180cdb54324dc5e73454c8bdbd

SHA1
994fae214b34a8508107536f6e7b81409e8b0325

SHA256
9e4e85f3de7ba3eb138e0340ea450c1ff53ef67e86d58556a934e83a7d9bdce9

SHA512
dbe598b83da0a1638c01adbf249deb44318492d8bfaf4fbf6a80a1c728f544f701633d8c7cb3d38d82b7286c92ae29d7d855fb1e2402579d3901e84b9a47b427

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\AlternateServices.bin

Filesize
18KB

MD5
e6ec27f3f859f0e4a8431c0de0bcecc9

SHA1
91c071f60f3908cd3fd9e34edfda6ae59cb233e8

SHA256
f76d97179819230369c799b6701b3096c69fbe1759ccfe8aa57a29c9e68de5b9

SHA512
ae96e02f2cfcaba7e88016d7af07555ba2fe6d45c8c52df72389ac917ad6e4f6c71c808addba61e542a997747a464d8f5342850ac773d97df23ef43d5be522f2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\AlternateServices.bin

Filesize
8KB

MD5
44acf472cdd231e9df70edf25674150b

SHA1
b7daed32a99997343d4c4a6a5e28f86203df9700

SHA256
44d25678a671e20e142e9ac7efc3e57272ed5354bef304df7dbe175249a31a3f

SHA512
07993eb38528504475defec51c86b36280c836d66cc705c10c4ce34d7ae791b5ab5804bdf65a57d1c395cb1cf78c023800db9999aeb7acd0039dfdbe6babc344

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\bookmarkbackups\bookmarks-2024-09-19_11_jyN-CCheJLByANf-HV17Aw==.jsonlz4

Filesize
1005B

MD5
24f802fc7eaf8653f27388b1f8e607a0

SHA1
03874de4f4ed11042c5abcd3dcf90719585b8e3e

SHA256
167d35e5c231bf6e83c10bb04c917bde8f5d901a3da24a3dfe332b7f299f84c9

SHA512
4ff82fc76322773fe239005e1d095708f469edcbd30379e79fbcf91f55caf4e9b2886aa463f2ae3e3c1f40669f4875c71c8470f43ccf5ed639bfb845c54d7532

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
209ac181280c2c17f71bb954749f0c78

SHA1
34e7c2312a978475cc114c4de4383b31e16fe948

SHA256
eb5d20f1fbe7f2588862b90f518266d61d1fa50a9cfa255717db2dbfd7e248e4

SHA512
ea8316627997557da14b1af84b6a3617f6d98036453c104cb1cb011f468c1c62b18a025e6d36f8c70ea927fabae12aedc7745bedc71f5f62b6f589f154651e68

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
7397d6e51328651faa26dca0f760d41c

SHA1
b0d69165f4d8e764aba8ee38fab5f50a42f85375

SHA256
3a3b4f48b028fca7b16b212fae629932462a4602dea916447f96ce40b5f686ce

SHA512
059420ba2c890be21099be8bf829afb83038b03cfe6be5483c27ccdbdd342f3cc0665ca4f537555bf5431a78fb737d093b6e255c57cd2512e967f490711e822e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
74KB

MD5
761a6e72a7a17dd2e751a8cbaa461d8b

SHA1
2dc5938d49537ee9387b7b24667f6e39b856bf39

SHA256
a4203ec7aa146d6e8599fead16d251d8403a496f3c0a4673f8a881bbc27fc437

SHA512
af405e35e3840db28384f28b152ee2290540fd4b5dc1f458eaa2e0816a0da70f79986853c35500eb12c044bfbf668a9878bf0a9124bb6679e19ccd325265dc7e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
dffaedb177a26c649f7a95c76ee6df1f

SHA1
63aa4da5e43d612205ff6d38f3b0cd65d0859dda

SHA256
d7a51a48b16de0b850d3c3467da62e68a5915e5b97dae35d870a49c2208ded78

SHA512
33f710b68d5910f503ec7b0c072da049657e90758a5f3cf118e6d95bdf348d083e8449665d2390ec1652cc6a255ce3292909276ef57dd6d3c6d30a1d24562004

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\89ee4fec-7af7-45b8-99cb-45b4c1db9b6e

Filesize
671B

MD5
e24af260a3b4d65d74d5fde5256d7b50

SHA1
98315e70e49380be5b4ed3e123f1dd5905b0096b

SHA256
ad7be2ab8916f5ba32552a46f898594696ca5ce29fd3b952b716fb5c22d6703f

SHA512
c54e1abfd0f305dbea477bdba3d5464fe211516c58f2d601a43124fad3e4b94179f53bfce188af4f879c59a6ae16f8d9bc0c84fee146d69115b435f8213e42ad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\e6518785-86e8-49ac-a2f9-177f7062df9a

Filesize
26KB

MD5
428b752061b1f4042d888d54dd852bb1

SHA1
6679914ae0fa071484a72d09f9cc585b04a02afe

SHA256
f3022395a77cc237dadff7f27c56e7a199e57df6be59634ccb9345814bdcfb58

SHA512
bce78cb7236c2f5222f2e981c3e68f89232001b82b47679b6232f6f86a1de932b4e5869d2795427059f5eb2bea06be4dae1f224dcfc1df8b4da67da495c56809

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\e768a183-7d87-41cc-ab62-8e08ec4d832b

Filesize
982B

MD5
60d268afe443bc2d0569ebafaf421d6c

SHA1
31d6d9fa473f01066360a73292ddce246b210589

SHA256
7a47a2268da0bd17e1bb2a4093a029c86aeba05d8fc9c44693f79751bdde3a8e

SHA512
416a36a422b761c7f6b81d632dbe55efba83986595b7f9651212c924ad23209c67019d2537e792324ac6b9f0575f81c4766ca4abf959dea167205f4b3732b59a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs-1.js

Filesize
11KB

MD5
c3df6b46eaf666b431fc8c2cc65b44d7

SHA1
b049e076c4ea11aa860fb70c10bf5b3c1aa6e43d

SHA256
21f8775a8e50c35f5d8a0e41e66136f17de58c28dfcad0df6c30d214ec6f1d82

SHA512
3e42cfde3ee078255bd1dac23a76f618ce54ef10916d6a8f126000db023226b881807844ea83ced2900b9b9372b6a2589feaf9b0568015aa24b907e05fff5bcc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs-1.js

Filesize
11KB

MD5
540afad8e6b9b924123fdfce2e185dc0

SHA1
c91fb4477b02dd70ff910f2ccf98827d1c5ec8ff

SHA256
28efdd16345f430830084a88e446cc66715620fec47583d96b3632a601eacf88

SHA512
850019c0d95c38d30664bfdc211c11d0a7f37973e99ea1eb384b6583b38261c536528017e61c63d5764658fb730d186fda9c018bda172d05044e0f286c7b9088

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs-1.js

Filesize
12KB

MD5
a620ee236420cbfb54f7359f4565c33d

SHA1
9124314ff408c231eb63f34a3dab23574b5ad079

SHA256
65f0e0d57327cde3ea1a55908291c61d6a6c1fc1104eda89963c52cf13647ff7

SHA512
f090bf2f92cca72e858f78f44b1a23a6779994f0437b0233b9ec7840da20f1d2153d7484880a962b24e505d103233ea1329a3754e01456b05b689cffecd3868d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs.js

Filesize
11KB

MD5
74994c73cfe2ed8080cd62a27cf048f8

SHA1
e5d6d8fcecada48b4a27818a13fa8562341e2c85

SHA256
af6059da35b6cf6ab61f21854405fc5b0ca107e99bccb5ae0b69f4cbb2cdc63c

SHA512
08a2a6be621d323685a77960917f263b44c1aa0892eca38297db674459dd46d92719ee2cbd693686bac31628d7e8b20eec765c699fc21bbcae8aee592831f787

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
53KB

MD5
834d8534dd29cc1df263fdab5f18432c

SHA1
1d22c649064a06e9cafe44e835b4cb2072d6cfc9

SHA256
081fbadb7e10901f98542e56f24ab8991f638cbe45098bc6353a162bb93573d3

SHA512
b49d42da42a0427e7c2cc19234f298e2ec09a4e6e8053373ba2de4f18828b35036475d3e6c4ad2f7de21d6ecf84fa2f6c616f524988d5509975de38e173db8e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
f0625c2a990c8da1d3c0a0b5638a5a63

SHA1
6cd93019e6b5c6458d465bcc78310c8f7cf83e08

SHA256
8931a222fe877a67406dfbd554f75c1bad31d9aea15b4a637823075989d9a31b

SHA512
899e875577364595d87e85099f5be656aea5511e927e494d68aab21ecd8c1f27b6700f787150dfe42e62c7b812340644953606775f40883ec84b37c556b3be2c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
46d38475ac6161e01d46c85d813c1851

SHA1
42160ad44063dde6ddaec79f022661091afba5b8

SHA256
13f5217d1e9b63308bdb3782a857d556e5406a7fce261857725b5066181a5ea4

SHA512
fbeb4dd1dc75fee8e10a956191a4ffda956ba9e6fc3548eef7023a51f7062bcc753d8bc0bdac81fcf15598b389b6084a26afc0dc4fc778b67445cc11f26248df

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
53KB

MD5
e38c8247cc40c5978cb79eb1d8742374

SHA1
74a2d4743be94f4199c090e04dae9119541c8a6d

SHA256
3c365be6405a18c4a2b67e736ec90cf9825c533d3c5acc14fa0b2096027563ae

SHA512
61261011180b57076fc18028e0e4a77cfa50c600aad9558054f3b9be24721933b3bb655963c99df5d04aad527e1ee87c74989917ab8d1ebb83c1079c0eb35a02

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
3448586c4abf44fff4f0f8acf3968897

SHA1
2b9dbc9d3f79956bb67ba0dc5ab13878f4266098

SHA256
bdb703606c6a60c136bff5c2dbf8f68c8436ab74b5491e46ff4fe826edfdfc4f

SHA512
33bc0965b2595d99de55e7d9aee647b6e5c27d62f3d56fef13af0d22bbd021e5618bdf7102aad4647e5c825b757f97d55fda7430e2b933c093dbc9645bc9905b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
50KB

MD5
3927fa7a6cad8399c66adc0f4e5cb32c

SHA1
36ec8b6ebdb02a140dbf12da9b43426dc8d0447c

SHA256
f0393d1a7863f44d0918e2b00510e00b26fa2f575b9b9157068553846cbaf8fd

SHA512
9a22420e3d8eafa1e277580ded7be4fae5bc263e4ba0eb4652ca7fcf98d49da219530c1af613c7304d53e35397a3de4ceb19b6a8a8018c696ea9bf81e117d01f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
584KB

MD5
5fe09b26184f3e77cf394060cd3373ff

SHA1
47dff47223cf9e8485b70863e21f1c3eb801fe04

SHA256
24be145c3d7d8fe1531c800275bab507892563b9291fed5f35a86e217a9ffd7b

SHA512
ad2554e3f5ce2f697895a96cdc5ce640063f0c823c0c7c6462e79fa5fee0e2bd3bcfa86cb16ff54c3704bfc3dce665cbfec26a13464901987949bf73bf2956e2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
376KB

MD5
3e82010059e72a23d3dbd3256645ba97

SHA1
8d828495cba2bbbaea53c0cb60cf36d2a4332734

SHA256
15b0de8369a2381ac007adfe7c9973162149557277cf196aeb4051fd29d0d012

SHA512
408c356828af117e80756ad17723757f81b42b47542615417ce1cc8ee5fa320cd1880c138a8e5a556d7de406099d0c67de097f1b67bb3e0914821d529891b483

Download Submit
C:\Users\Admin\Downloads\Defender_Update_Setup_778795.zip

Filesize
4.0MB

MD5
218797665edbfdd9c048863f8a248f37

SHA1
77b4be7c9f7be57ef7f2075dadb8e510da73d51f

SHA256
bde57814bb17e9f95a55b82b3803e2308ffe69c9035360252c077b9ee33489d9

SHA512
603d9e0d26e765c2a96d3728302cbccfe826c12d47e4ebd0199b2a2ceb4646d79b20a86e21b2d06c8ab8232e915d661827a5bf017f0cf2973212845a43051037

Download Submit
C:\Users\Admin\Downloads\Defender_Update_Setup_778795\Defender_Update_Setup_778795.exe

Filesize
4.5MB

MD5
c9baa2a4a6391e1da55f0183ea74e7a4

SHA1
d1515aa4508d7eaf99ff868dabbee2aa20d9ba5a

SHA256
3be2acb935f988318b4743621a6bea99d55d51497a0834ceef484901382916b6

SHA512
b004bf343636f7fc313ee8c0f204002fc0dbcee61ddc46263275e4076c0c766d4a1cd4867cc7043c7c595023e56bf539b6648c83609ab1cb111f0d5fdf51cec9

Download Submit
memory/664-158-0x0000000000A20000-0x0000000000D66000-memory.dmp

Filesize
3.3MB

Download
memory/1924-135-0x0000000000A30000-0x0000000000B0F000-memory.dmp

Filesize
892KB

Download
memory/1924-159-0x0000000000A30000-0x0000000000B0F000-memory.dmp

Filesize
892KB

Download
memory/3444-156-0x0000000000A30000-0x0000000000B0F000-memory.dmp

Filesize
892KB

Download
memory/3444-584-0x0000000000A30000-0x0000000000B0F000-memory.dmp

Filesize
892KB

Download
memory/3448-583-0x0000000000720000-0x0000000000A66000-memory.dmp

Filesize
3.3MB

Download