emotet | 21355a5158e103290ef5046f3146a4d905d469b6285309ce08301c2129ed0e55

Resubmissions

20-11-2024 21:28

241120-1brttsyken 10

19-04-2024 21:35

240419-1fjn1sgb89 10

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4048f7d23b2860f1a26171bf257872cfb03e68100f560a109cffc1ea989fb71.exe
Size

768KB
MD5

7ee4feeded88cb104448141ef375be8c
SHA1

e25f916c0771699d29f84963c3a2f86021c12c1c
SHA256

a4048f7d23b2860f1a26171bf257872cfb03e68100f560a109cffc1ea989fb71
SHA512

93e920ccb88230cc8342dbd3cad0fa8c2bdc8be5ffebbdc0f3a04d74bed8dce2cd8a7467791964f8f1e44d1d0b5ed1f90027618362c52929c71a736e052eea93
SSDEEP

12288:c26abQRZhqJWcWinrZiKwcZV7jljljq7XksXRHg:2abQR2oynr2cVNqTksX

Score

10^/10

emotet epoch1 banker dave discovery trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

188.157.101.114:80

192.175.111.214:8080

95.85.33.23:8080

192.232.229.54:7080

181.30.61.163:443

186.70.127.199:8090

200.127.14.97:80

70.169.17.134:80

24.232.228.233:80

172.104.169.32:8080

50.28.51.143:8080

177.73.0.98:443

149.202.72.142:7080

37.187.161.206:8080

202.29.239.162:443

213.197.182.158:8080

202.134.4.210:7080

190.24.243.186:80

201.213.177.139:80

105.209.235.113:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Emotet family
emotet

Emotet payload 5 IoCs

Detects Emotet payload in memory.

trojan banker

Processes:

resource	yara_rule
behavioral1/memory/1980-4-0x0000000002320000-0x000000000233E000-memory.dmp	emotet
behavioral1/memory/1980-5-0x00000000022E0000-0x00000000022FC000-memory.dmp	emotet
behavioral1/memory/1980-0-0x0000000002300000-0x000000000231F000-memory.dmp	emotet
behavioral1/memory/1336-15-0x00000000021F0000-0x000000000220E000-memory.dmp	emotet
behavioral1/memory/1336-12-0x00000000021D0000-0x00000000021EF000-memory.dmp	emotet

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral1/memory/1980-5-0x00000000022E0000-0x00000000022FC000-memory.dmp	dave

Executes dropped EXE 1 IoCs

Processes:

KBDNTL.exe

pid	Process
1336	KBDNTL.exe

Drops file in System32 directory 1 IoCs

Processes:

a4048f7d23b2860f1a26171bf257872cfb03e68100f560a109cffc1ea989fb71.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msvcp140_2\KBDNTL.exe	a4048f7d23b2860f1a26171bf257872cfb03e68100f560a109cffc1ea989fb71.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a4048f7d23b2860f1a26171bf257872cfb03e68100f560a109cffc1ea989fb71.exeKBDNTL.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a4048f7d23b2860f1a26171bf257872cfb03e68100f560a109cffc1ea989fb71.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KBDNTL.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exefirefox.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133766118529962748"	chrome.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

KBDNTL.exetaskmgr.exechrome.exe

pid	Process
1336	KBDNTL.exe
1336	KBDNTL.exe
1336	KBDNTL.exe
1336	KBDNTL.exe
1336	KBDNTL.exe
1336	KBDNTL.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
1336	KBDNTL.exe
1336	KBDNTL.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
1336	KBDNTL.exe
1336	KBDNTL.exe
5796	taskmgr.exe
5796	taskmgr.exe
1336	KBDNTL.exe
1336	KBDNTL.exe
1404	chrome.exe
1404	chrome.exe
1336	KBDNTL.exe
1336	KBDNTL.exe
1336	KBDNTL.exe
1336	KBDNTL.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid	Process
1404	chrome.exe
1404	chrome.exe
1404	chrome.exe
1404	chrome.exe
1404	chrome.exe
1404	chrome.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

a4048f7d23b2860f1a26171bf257872cfb03e68100f560a109cffc1ea989fb71.exe

pid	Process
1980	a4048f7d23b2860f1a26171bf257872cfb03e68100f560a109cffc1ea989fb71.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

firefox.exetaskmgr.exechrome.exe

description	pid	Process
Token: SeDebugPrivilege	2084	firefox.exe
Token: SeDebugPrivilege	2084	firefox.exe
Token: SeDebugPrivilege	5796	taskmgr.exe
Token: SeSystemProfilePrivilege	5796	taskmgr.exe
Token: SeCreateGlobalPrivilege	5796	taskmgr.exe
Token: 33	5796	taskmgr.exe
Token: SeIncBasePriorityPrivilege	5796	taskmgr.exe
Token: SeShutdownPrivilege	1404	chrome.exe
Token: SeCreatePagefilePrivilege	1404	chrome.exe
Token: SeShutdownPrivilege	1404	chrome.exe
Token: SeCreatePagefilePrivilege	1404	chrome.exe
Token: SeShutdownPrivilege	1404	chrome.exe
Token: SeCreatePagefilePrivilege	1404	chrome.exe
Token: SeShutdownPrivilege	1404	chrome.exe
Token: SeCreatePagefilePrivilege	1404	chrome.exe
Token: SeShutdownPrivilege	1404	chrome.exe
Token: SeCreatePagefilePrivilege	1404	chrome.exe
Token: SeShutdownPrivilege	1404	chrome.exe
Token: SeCreatePagefilePrivilege	1404	chrome.exe
Token: SeShutdownPrivilege	1404	chrome.exe
Token: SeCreatePagefilePrivilege	1404	chrome.exe
Token: SeShutdownPrivilege	1404	chrome.exe
Token: SeCreatePagefilePrivilege	1404	chrome.exe
Token: SeShutdownPrivilege	1404	chrome.exe
Token: SeCreatePagefilePrivilege	1404	chrome.exe
Token: SeShutdownPrivilege	1404	chrome.exe
Token: SeCreatePagefilePrivilege	1404	chrome.exe
Token: SeShutdownPrivilege	1404	chrome.exe
Token: SeCreatePagefilePrivilege	1404	chrome.exe
Token: SeShutdownPrivilege	1404	chrome.exe
Token: SeCreatePagefilePrivilege	1404	chrome.exe
Token: SeShutdownPrivilege	1404	chrome.exe
Token: SeCreatePagefilePrivilege	1404	chrome.exe
Token: SeShutdownPrivilege	1404	chrome.exe
Token: SeCreatePagefilePrivilege	1404	chrome.exe
Token: SeShutdownPrivilege	1404	chrome.exe
Token: SeCreatePagefilePrivilege	1404	chrome.exe
Token: SeShutdownPrivilege	1404	chrome.exe
Token: SeCreatePagefilePrivilege	1404	chrome.exe
Token: SeShutdownPrivilege	1404	chrome.exe
Token: SeCreatePagefilePrivilege	1404	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

firefox.exetaskmgr.exe

pid	Process
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

firefox.exetaskmgr.exe

pid	Process
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe
5796	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

a4048f7d23b2860f1a26171bf257872cfb03e68100f560a109cffc1ea989fb71.exeKBDNTL.exefirefox.exe

pid	Process
1980	a4048f7d23b2860f1a26171bf257872cfb03e68100f560a109cffc1ea989fb71.exe
1336	KBDNTL.exe
2084	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a4048f7d23b2860f1a26171bf257872cfb03e68100f560a109cffc1ea989fb71.exefirefox.exefirefox.exe

description	pid	Process	procid_target
PID 1980 wrote to memory of 1336	1980	a4048f7d23b2860f1a26171bf257872cfb03e68100f560a109cffc1ea989fb71.exe	82
PID 1980 wrote to memory of 1336	1980	a4048f7d23b2860f1a26171bf257872cfb03e68100f560a109cffc1ea989fb71.exe	82
PID 1980 wrote to memory of 1336	1980	a4048f7d23b2860f1a26171bf257872cfb03e68100f560a109cffc1ea989fb71.exe	82
PID 2468 wrote to memory of 2084	2468	firefox.exe	97
PID 2468 wrote to memory of 2084	2468	firefox.exe	97
PID 2468 wrote to memory of 2084	2468	firefox.exe	97
PID 2468 wrote to memory of 2084	2468	firefox.exe	97
PID 2468 wrote to memory of 2084	2468	firefox.exe	97
PID 2468 wrote to memory of 2084	2468	firefox.exe	97
PID 2468 wrote to memory of 2084	2468	firefox.exe	97
PID 2468 wrote to memory of 2084	2468	firefox.exe	97
PID 2468 wrote to memory of 2084	2468	firefox.exe	97
PID 2468 wrote to memory of 2084	2468	firefox.exe	97
PID 2468 wrote to memory of 2084	2468	firefox.exe	97
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 3988	2084	firefox.exe	98
PID 2084 wrote to memory of 4284	2084	firefox.exe	99
PID 2084 wrote to memory of 4284	2084	firefox.exe	99
PID 2084 wrote to memory of 4284	2084	firefox.exe	99
PID 2084 wrote to memory of 4284	2084	firefox.exe	99
PID 2084 wrote to memory of 4284	2084	firefox.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a4048f7d23b2860f1a26171bf257872cfb03e68100f560a109cffc1ea989fb71.exe
"C:\Users\Admin\AppData\Local\Temp\a4048f7d23b2860f1a26171bf257872cfb03e68100f560a109cffc1ea989fb71.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\msvcp140_2\KBDNTL.exe
  "C:\Windows\SysWOW64\msvcp140_2\KBDNTL.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1336

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2867fb16-73e9-45ca-9059-314e25511082} 2084 "\\.\pipe\gecko-crash-server-pipe.2084" gpu
    3⤵
    PID:3988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bbbfaba4-2d90-4b5c-a978-56a973a770df} 2084 "\\.\pipe\gecko-crash-server-pipe.2084" socket
    3⤵
    - Checks processor information in registry
    PID:4284
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3132 -childID 1 -isForBrowser -prefsHandle 3056 -prefMapHandle 3112 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87dac891-dd5e-484f-b1cc-be50d9995c27} 2084 "\\.\pipe\gecko-crash-server-pipe.2084" tab
    3⤵
    PID:4144
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3948 -childID 2 -isForBrowser -prefsHandle 3944 -prefMapHandle 3940 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89762411-e09b-4721-974d-85565883e1aa} 2084 "\\.\pipe\gecko-crash-server-pipe.2084" tab
    3⤵
    PID:2144
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4976 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5000 -prefMapHandle 4996 -prefsLen 29197 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2773b5cb-0996-4fb8-84a0-1cdac837ac63} 2084 "\\.\pipe\gecko-crash-server-pipe.2084" utility
    3⤵
    - Checks processor information in registry
    PID:5492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5392 -childID 3 -isForBrowser -prefsHandle 5388 -prefMapHandle 5380 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f308e197-37d8-4071-a61f-9f6c39b55308} 2084 "\\.\pipe\gecko-crash-server-pipe.2084" tab
    3⤵
    PID:5892
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 4 -isForBrowser -prefsHandle 5532 -prefMapHandle 5536 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67c2ed2e-0919-40b5-bf33-19edcbf0c69d} 2084 "\\.\pipe\gecko-crash-server-pipe.2084" tab
    3⤵
    PID:5904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5716 -childID 5 -isForBrowser -prefsHandle 5724 -prefMapHandle 5728 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c714be8-b5ea-4563-b149-90b5cc6b9c23} 2084 "\\.\pipe\gecko-crash-server-pipe.2084" tab
    3⤵
    PID:5916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6104 -childID 6 -isForBrowser -prefsHandle 6088 -prefMapHandle 6116 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {122a7562-9988-440c-8446-69050fd137ef} 2084 "\\.\pipe\gecko-crash-server-pipe.2084" tab
    3⤵
    PID:4388

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa8b3ecc40,0x7ffa8b3ecc4c,0x7ffa8b3ecc58
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,16981864292799195351,10261479675986477020,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:3316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2180,i,16981864292799195351,10261479675986477020,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2292,i,16981864292799195351,10261479675986477020,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2452 /prefetch:8
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,16981864292799195351,10261479675986477020,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:5392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3264,i,16981864292799195351,10261479675986477020,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:5352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4572,i,16981864292799195351,10261479675986477020,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:5456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4788,i,16981864292799195351,10261479675986477020,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  PID:5480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4980,i,16981864292799195351,10261479675986477020,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  PID:5144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5012,i,16981864292799195351,10261479675986477020,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:6028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3316,i,16981864292799195351,10261479675986477020,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:5608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5272,i,16981864292799195351,10261479675986477020,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:5632

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\37be471d-c064-4b43-8adc-bf9e926a15a1.tmp

Filesize
233KB

MD5
6eb2ef0c8dc20fd9089b7201a9b3b681

SHA1
2af1c32460b4a15b250915d47b312a188907abc7

SHA256
88380d79ca8d20343d4abb69d225b6c884a304e482532353eb9f0d3d1e903f8d

SHA512
e62a4ec7a244cdee445f8b5e53d2a2ce14d6fd1a9b81db7ba525a5fa77d056084b9cffd7a055134398a06726b73132854abd5c717c35816348c2f1490a906653

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
16725fd144267f9a5c2127b716d46be6

SHA1
50c8606972a5c9da58aaccfc3c91ead4fe5d3176

SHA256
663c2e25c161ea7d261939c77ef952f1a8c3d85c78fe3d095f85e1221e9a8951

SHA512
922c146607a2bee7fc6b89c6be605442631eaedb78bd23c506d93fa89e923fa9932e1280e3841ed985e3f250ed323f5befdb175a34b90af1f0dc6d87719fc624

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
2cd2adcb7b829e00735d894c97428f5d

SHA1
533a025a438a4f0b6c9a773c435ec010f85f3237

SHA256
b4f9bf5d8d1b661bcd88412927e229527cdcfdde7de7313d9018c7095ef0c9da

SHA512
5225880eee10117f17d2da0a5de9a0d5658798dc8d8124052ea538a044536a6cfda2b24a1192f75e085837c52b7f78d0a3081c98ff1bd39d888f1f67a7d457ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9c2f6ad3495662f0efbca3e3cd026c64

SHA1
3651eee8e82bd2aabae7d236f0450d4ec6568123

SHA256
bc111a446fc4954d33ce16fa3e39908fddb7a7e1af512cc7cf96379348140657

SHA512
f3a8969c1c423db664b42ed0b3943813256d935efa6e71e69a2901ea59991d8aa0040cca0a8c6160fb6fe47cb630aea1c298b3a22c7413c412c7a0b79a83cd3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7d17b786002a5927995884bbfd4c80ae

SHA1
53f503de986f070642f57f30b6441d0ae4a46c78

SHA256
455e6294d3126f504f08154a04d7753d8a8fbd0b435fd0cc4653dc1df38c92bc

SHA512
5ee439e6d5cc0e37c7e1e12e7dd94c474066d4b4cba5d0a507f5b82a2f8827fec9b22745bb1a45cbd35df38fe739024841c502e7cb93d68c594403289162595e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b55d0915131c079bafa2a3d05bd13544

SHA1
8707cd4cc317dc81df2ad6bd8c3ab394d1835509

SHA256
64ef43e99eb1fd4c078d5f3bd67ac85da8a16881ee225dc6e562fb09b8efd0f3

SHA512
d0d5cea16b8e5d61cd9417da9f9343fed1471390b2f41adc964e4647465e103c7fe46cbf75352645c2815472427bcf3f572991f7ddbde305f4673e876d3e3996

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2ce995d41c8e73e8e8e5f4c7f1bff632

SHA1
8eabd93e799410cc8c848748bb62a5470f0f0bbb

SHA256
2ebb8f7e7917a15eb8e704a2c14cb914239edad6198dba2c839070f356649df8

SHA512
d561927b27aedc4538c01d3b842ebd463586bec76edf40f3ab559b6c7586afc31883c883328dff263aee60c6faa763ddff4973caa8e298bb0249938cf55f8f2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
79caec53f5781f03a9d738dec8308af6

SHA1
b3006b030d568f0e8777c45f614e0911cbf96f5b

SHA256
7fd7fce4ea1070b445c4c70d2b3bcb384191677319a8d94935f5a38db41276e5

SHA512
ffdcafdbb78105d28d97ba978218cd4c9105b7f0358180f6e869330193f88720e853ac472543bddb3936b7db63fdbd520fc946db73406e81a3fd6b30bb4186c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
d4a13de927cf534681097c03dd237ad8

SHA1
961558ac2379f73f9fb6a5c06285220c05c3ac70

SHA256
44a2e687d28c669a60c4117c062f04cfc6fb79c09e5dc3c7f52f42999e9c84f8

SHA512
1b05b8684972b5e63690564b45c9824ab4ba61e358b38ff0eb0b885c0d95785722df34e45bdcf261748c1036865a8b74e690d3a6759f7a2ccacc6eeee392d4a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
360a9f412ee90e1c948528d8841acda7

SHA1
f33daf60ae47848b49d0307a277964f7de5394c7

SHA256
a9a59ef18696526fb5c5d6e01413759356ee560dbb381ac98574e96c73c4697a

SHA512
89ba1d51e3acd773918cbf192b58d652ffb83b045eaed2dad5df1f9e534a4820f8be871c8766976385853eba287a01c47032ea911f73601db8e803d533c222d1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\activity-stream.discovery_stream.json.tmp

Filesize
19KB

MD5
76cd5f85539d7f4d366132749ca5efa7

SHA1
e5869c2ec4f38b0a9f6cd53e7b679a1ed2438c77

SHA256
2bec82ee9b81d6334f69851f8372facffbb98d1adbd0352ad00a36bb374469d8

SHA512
ffde84369ea0a7189bae078b8060304e6449c545c13bb4ef37d94cb518f4372c731e63dc5ec9b77b30f6ed94749fc55196ad3807f22f1be394dbb87d71656e09

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\AlternateServices.bin

Filesize
6KB

MD5
0ffa71a13324e8103b973d89cfcf9aee

SHA1
dd226624c4e158dd5f6399e31a64c88d53427e05

SHA256
998047762889f0e6f24126493c14a9023bf5cf9b481a478593bb1ce7917f2f5a

SHA512
bde0d7def6d8f9a179486522f091e163f8a287498e500f4d121cc64b58f1df61aad8fe00e60fabaf3f092c7c4fde19a45cc13a50d1579bee749499a6b11778c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\AlternateServices.bin

Filesize
6KB

MD5
e02479898bda40b6c416bc5440266b56

SHA1
c32405a540ef25d09ce13be9ea0c8023877f9052

SHA256
284d88c9d0a831bfae47a30e57d2053c3413b750180610209ee5dcc60985f8e2

SHA512
097ac04ff9c36f77f2a74fb42541e1e0bedc7490182621cf3d73f5acab42113b168f64e6001e43f149ef76d22ba13ac170a6a12e1aed5a054a4b58c0ffdb34ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
0d3633f48ca874df84dd4669696cf63e

SHA1
df699d4c52bb826b4632c5363a2ff61611f2d4ab

SHA256
c6e20a5bab82796ed7b3c8d6bb978556f38800b3acfdb85a6d8a071b5fdb47c0

SHA512
ddc86565d46633fb60bc85bfa994f46cc156c36991b6046f2688f845525c93b2044c9567a3535b1e5b8cd5a8076e3818725e05583afba2a7813cdcad22b7c7f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
a66557fd3d6bb3607882c245057845d1

SHA1
5774ecb1fee7f2e3bf0e0428b2e41b58232facf9

SHA256
191d8ee00caa83559bcd3415c18db42048d0e0c0850c753924c64b6750d600cb

SHA512
35b9948585e4f772c7abbf455b12095a0cf002e500711830a9deac4013ebb838e34203bc13c82232cc310493b647e4d3ef0f0f20f46ff057de33782441f98dfd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
04f32c6c153fe6269a8b7f91eb302086

SHA1
f14c5823040592167ae81f2a517f70c33a946969

SHA256
d69b006a997c2a0f511b4e95f6cbeabc407454ae5e79dd4c35b9c67ad8d2f5d0

SHA512
050b85b8714c8f6f5261a216ffd5b7e72ee830ba98fb4b0379e789e37100c011fb6d47dcd221a60ceb333a332123e77bad49ddd01d60a79b60c009e48ac68580

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\312c593e-ce7c-4a4a-87a1-8f7c73c007c3

Filesize
671B

MD5
9b4d0c68dddc33b566edb3ac7c426057

SHA1
5f589a76e4320582b05826986d2a7024c38472d7

SHA256
abff86b48f631639bdb7702dee2a903adbf5b94f20c314260c61786acbf1ac4e

SHA512
88c1b3ff1d13dc9e19ea33c64c6bda3ce4707d36899cce035c64cfdccb20f70271941a2daeac2cabdc7cfa2b719f5a6cc2546500b664382602582b542e9f278d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\bc34e4d6-c6a3-40fa-9291-6eb3078b613c

Filesize
5KB

MD5
a24b1deb9869c13737febb3c4ada3167

SHA1
4fac2c107cde7221ec60619e261977db0da0529a

SHA256
4ffc3f5493dc54d6c0b52fdfa391baf3064d19dfab4eaf32bf01a7ba3c7ebddd

SHA512
3b3512b13c6dfc99ca293e08e6c597b13f7334cec9ea6abaac1d92b125b7e296324ee33310dbaaae1ca6c91d1c112720058c79bd3bfa39415d696b7d568de4c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\dab69015-54d2-4c09-8878-d3a4e8e2964c

Filesize
982B

MD5
0dea771f2a17b4e7524424a71f8b5152

SHA1
3b2d4b25989c30c276debaa24f64759c4f80f9e5

SHA256
7647b53572f635e3d6868fd9417d20bf590e877be7c76857eb57f81a9fc6cab2

SHA512
0ccfe3c87b5817ee33e38b307c6b84c00a84d578e642b7be4570c539a8a4e1a85907244709159b5cafaa81c92c7fa2ed2bb3c999e66773752bdb219a22b17aac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\ee29dd2a-b218-4eac-9e5e-ab38f84fc78c

Filesize
28KB

MD5
6d3355402f973079b73dbdffac8ce61e

SHA1
56ae102b0b37dfc5e032b6f866c4f723e8712837

SHA256
bdef797c38e405f13c04054c29dfec41e9c613501f13bb35e2da453a297f50f1

SHA512
593b4a5209641bd9faf33e4bf7da8dd072741751d55584ccac8d26bd0db4c183172928a3526284cc072dbab8f96a9f520f599440747588ddd5c80fd08286af3e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs-1.js

Filesize
10KB

MD5
3d3ca937e949c57019bc588a5889e861

SHA1
f21e59a9a456d50fbaa48a1e17e9614cba40cd15

SHA256
71b75bd023ba2b361afc1e01c93024fb4151243464650525f234db3b557023a7

SHA512
97a04052fcc691860c6da2ea064b9c0d8ea8b69ad903d071192e834a6962f8113a742209ec313f565168763385da3c87abb54d65cd76c053a14cd31a1575c880

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs.js

Filesize
10KB

MD5
dcdf92621c0b4d0d068285a18767f5f7

SHA1
8ab4a12f95be7a49dedb7519e41cc9522a9459ca

SHA256
004b9e79fc40cd20893d1b2f27978b2131d1d4afbdd93383aee6e0b30de3445d

SHA512
8094451b065824299b1b6679f94f80a36f231809be8dcdb06dde2e229cfc62f2f7c58669d97987338ef248cc76f613c7bdd296a1e0bd9b3f4fa9ab1bbde3d6b3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
368KB

MD5
30d5149fc2bd8a3f885dc92af509f046

SHA1
0674b231fa13f330915c50c567e018cf11a804cc

SHA256
99df754b6d415d8f0a88bc0d5db45e8a6e930d56b531d0a0f4deb5657300929d

SHA512
599726c761a424a33371b5d31e6d9a715c597bab37e145e64f89bcbd43f5245f28c2417e854568d5f01dc3af0bcfceafc5093bfebf422ed2b4f200d561545c89

Download Submit
C:\Windows\SysWOW64\msvcp140_2\KBDNTL.exe

Filesize
768KB

MD5
7ee4feeded88cb104448141ef375be8c

SHA1
e25f916c0771699d29f84963c3a2f86021c12c1c

SHA256
a4048f7d23b2860f1a26171bf257872cfb03e68100f560a109cffc1ea989fb71

SHA512
93e920ccb88230cc8342dbd3cad0fa8c2bdc8be5ffebbdc0f3a04d74bed8dce2cd8a7467791964f8f1e44d1d0b5ed1f90027618362c52929c71a736e052eea93

Download Submit
\??\pipe\crashpad_1404_ZVWAYQAWOPHCBKIE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1336-12-0x00000000021D0000-0x00000000021EF000-memory.dmp

Filesize
124KB

Download
memory/1336-15-0x00000000021F0000-0x000000000220E000-memory.dmp

Filesize
120KB

Download
memory/1980-5-0x00000000022E0000-0x00000000022FC000-memory.dmp

Filesize
112KB

Download
memory/1980-0-0x0000000002300000-0x000000000231F000-memory.dmp

Filesize
124KB

Download
memory/1980-4-0x0000000002320000-0x000000000233E000-memory.dmp

Filesize
120KB

Download
memory/1980-10-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/5796-478-0x000002AA1E370000-0x000002AA1E371000-memory.dmp

Filesize
4KB

Download
memory/5796-481-0x000002AA1E370000-0x000002AA1E371000-memory.dmp

Filesize
4KB

Download
memory/5796-469-0x000002AA1E370000-0x000002AA1E371000-memory.dmp

Filesize
4KB

Download
memory/5796-470-0x000002AA1E370000-0x000002AA1E371000-memory.dmp

Filesize
4KB

Download
memory/5796-471-0x000002AA1E370000-0x000002AA1E371000-memory.dmp

Filesize
4KB

Download
memory/5796-480-0x000002AA1E370000-0x000002AA1E371000-memory.dmp

Filesize
4KB

Download
memory/5796-479-0x000002AA1E370000-0x000002AA1E371000-memory.dmp

Filesize
4KB

Download
memory/5796-477-0x000002AA1E370000-0x000002AA1E371000-memory.dmp

Filesize
4KB

Download
memory/5796-475-0x000002AA1E370000-0x000002AA1E371000-memory.dmp

Filesize
4KB

Download
memory/5796-476-0x000002AA1E370000-0x000002AA1E371000-memory.dmp

Filesize
4KB

Download