Analysis
max time kernel: 1048s
max time network: 1050s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 23/11/2024, 16:25
Static task: static1
Behavioral task: behavioral1
Sample: Venom V5.exe
Resource: win10ltsc2021-20241023-en
General
Target: Venom V5.exe
Size: 289KB
MD5: 121a7190a24ba74a4c49c951dd56ad72
SHA1: fb5b1adf74cda03d5a77096b866942a6fbd5aa89
SHA256: 049e3ab43c29a82fc17b415fb88df0b0c238efea6be76a25da1f2bb88ee22a6b
SHA512: b1a983027932897e97c4e3ac9865e6fe987c3b772c5847db3f3cc5b8e2b4c845e7040bf8a7e7d546b77c3f78e39c32eaeb7321f1c6f99dd28554c80fec603bb3
SSDEEP: 6144:6/E7c5W+sPgJJUuCm2pad2AO51SLPml16S6M6supNDdPstxChZ:UEeggJauClpjL5sar6M6supXPstw
Malware Config
Extracted
njrat
v4.0
Victim
audio-ham.gl.at.ply.gg:52424
Windows
reg_key: Windows
splitter: |-F-|
Signatures

Njrat family

Modifies Windows Firewall (2 TTPs, 1 IoC)
pid | Process
3944 | netsh.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation | Venom V5.exe
Key value queried | \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation | paylod.exe
Key value queried | \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation | Payload.exe
Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | paylod.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | Payload.exe
Executes dropped EXE (9 IoCs)
pid | Process
4440 | paylod.exe
4296 | main.exe
2364 | Payload.exe
764 | Install.exe
4908 | winvnc.exe
1100 | winvnc.exe
4656 | winvnc.exe
432 | ngrok.exe
4772 | ngrok.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe" | paylod.exe

Yara rule matches
resource | yara_rule
behavioral1/files/0x0002000000040d9b-817.dat | upx
behavioral1/memory/764-824-0x0000000000400000-0x000000000063C000-memory.dmp | upx
behavioral1/memory/764-929-0x0000000000400000-0x000000000063C000-memory.dmp | upx
Drops file in Windows directory (8 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\vnc\Install.bat | cmd.exe
File created | C:\Windows\vnc\UltraVNC.ini | cmd.exe
File opened for modification | C:\Windows\vnc\UltraVNC.ini | cmd.exe
File created | C:\Windows\vnc\vnchooks.dll | cmd.exe
File opened for modification | C:\Windows\vnc\vnchooks.dll | cmd.exe
File created | C:\Windows\vnc\winvnc.exe | cmd.exe
File opened for modification | C:\Windows\vnc\winvnc.exe | cmd.exe
File created | C:\Windows\vnc\Install.bat | cmd.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery (1 TTP, 17 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | one entry per process, in order: net.exe, net1.exe, cmd.exe, Venom V5.exe, paylod.exe, attrib.exe, Install.exe, winvnc.exe, Payload.exe, attrib.exe, attrib.exe, netsh.exe, ngrok.exe, cmd.exe, winvnc.exe, winvnc.exe, ngrok.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Checks processor information in registry (2 TTPs, 24 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process | entries
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe | 6
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe | 4
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe | 6
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe | 4
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe | 2
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe | 2

Modifies system certificate store
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | ngrok.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob data not included in the extracted report] | ngrok.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob data not included in the extracted report] | ngrok.exe
Runs net.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1100 | winvnc.exe (2 entries)
4656 | winvnc.exe (all remaining entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
2364 | Payload.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs; distinct entries in order of first appearance)
description | pid | Process
Token: SeDebugPrivilege | 2364 | Payload.exe
Token: 33 | 2364 | Payload.exe (repeated, alternating with SeIncBasePriorityPrivilege)
Token: SeIncBasePriorityPrivilege | 2364 | Payload.exe (repeated)
Token: SeDebugPrivilege | 2460 | firefox.exe (2 entries)
Token: SeTcbPrivilege | 1100 | winvnc.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process
2460 | firefox.exe (repeated)
4656 | winvnc.exe (repeated)

Suspicious use of SendNotifyMessage (64 IoCs)
pid | Process
2460 | firefox.exe (repeated)
4656 | winvnc.exe (repeated)

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2460 | firefox.exe
4376 | firefox.exe
Suspicious use of WriteProcessMemory (64 IoCs; distinct entries in order of first appearance)
description | pid | Process | procid_target
PID 3788 wrote to memory of 4440 | 3788 | Venom V5.exe | 82 (3 entries)
PID 3788 wrote to memory of 4296 | 3788 | Venom V5.exe | 83 (2 entries)
PID 4296 wrote to memory of 960 | 4296 | main.exe | 85 (2 entries)
PID 960 wrote to memory of 1508 | 960 | cmd.exe | 86 (2 entries)
PID 4440 wrote to memory of 2364 | 4440 | paylod.exe | 92 (3 entries)
PID 4440 wrote to memory of 2412 | 4440 | paylod.exe | 93 (3 entries)
PID 2364 wrote to memory of 3160 | 2364 | Payload.exe | 98 (3 entries)
PID 2364 wrote to memory of 880 | 2364 | Payload.exe | 99 (3 entries)
PID 2764 wrote to memory of 2460 | 2764 | firefox.exe | 105 (repeated)
PID 2460 wrote to memory of 4768 | 2460 | firefox.exe | 106 (repeated)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Views/modifies file attributes (1 TTP, 3 IoCs)
pid | Process
2412 | attrib.exe
3160 | attrib.exe
880 | attrib.exe
Processes
(process tree; children are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\Venom V5.exe (PID 3788)
    command line: "C:\Users\Admin\AppData\Local\Temp\Venom V5.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\paylod.exe (PID 4440)
        command line: "C:\Users\Admin\AppData\Local\Temp\paylod.exe"
        - Checks computer location settings
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\Payload.exe (PID 2364)
            command line: "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
            - Checks computer location settings
            - Drops startup file
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\attrib.exe (PID 3160)
                command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
                - System Location Discovery: System Language Discovery
                - Views/modifies file attributes
            C:\Windows\SysWOW64\attrib.exe (PID 880)
                command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
                - System Location Discovery: System Language Discovery
                - Views/modifies file attributes
            C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ShellExperienceRemotVNC\Install.exe (PID 764)
                command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ShellExperienceRemotVNC\Install.exe"
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                C:\Windows\SysWOW64\cmd.exe (PID 1700)
                    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BA1F.tmp\Install.bat" C:\Users\Admin\AppData\Local\Temp\"
                    - Drops file in Windows directory
                    - System Location Discovery: System Language Discovery
                    C:\Windows\vnc\winvnc.exe (PID 4908)
                        command line: C:\Windows\vnc\winvnc -install
                        - Executes dropped EXE
                        - System Location Discovery: System Language Discovery
                        C:\Windows\SysWOW64\net.exe (PID 3384)
                            command line: net start "uvnc_service"
                            - System Location Discovery: System Language Discovery
                            C:\Windows\SysWOW64\net1.exe (PID 2812)
                                command line: C:\Windows\system32\net1 start "uvnc_service"
                                - System Location Discovery: System Language Discovery
                    C:\Windows\SysWOW64\netsh.exe (PID 3944)
                        command line: netsh advfirewall firewall add rule name=vnc action=allow dir=in protocol=tcp localport=5901
                        - Modifies Windows Firewall
                        - Event Triggered Execution: Netsh Helper DLL
                        - System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\cmd.exe (PID 3180)
                command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vnc.bat" "
                - System Location Discovery: System Language Discovery
                C:\Users\Admin\AppData\Local\Temp\ngrok.exe (PID 432)
                    command line: C:\Users\Admin\AppData\Local\Temp\ngrok.exe authtoken
                    - Executes dropped EXE
                    - System Location Discovery: System Language Discovery
                C:\Users\Admin\AppData\Local\Temp\ngrok.exe (PID 4772)
                    command line: C:\Users\Admin\AppData\Local\Temp\ngrok.exe tcp 5900
                    - Executes dropped EXE
                    - System Location Discovery: System Language Discovery
                    - Modifies system certificate store
        C:\Windows\SysWOW64\attrib.exe (PID 2412)
            command line: attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
            - System Location Discovery: System Language Discovery
            - Views/modifies file attributes
    C:\Users\Admin\AppData\Local\Temp\main.exe (PID 4296)
        command line: "C:\Users\Admin\AppData\Local\Temp\main.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\cmd.exe (PID 960)
            command line: "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7CD1.tmp\7CD2.tmp\7CD3.bat C:\Users\Admin\AppData\Local\Temp\main.exe"
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\chcp.com (PID 1508)
                command line: chcp 65001

C:\Program Files\Mozilla Firefox\firefox.exe (PID 2764)
    command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\firefox.exe (PID 2460)
        command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
        - Checks processor information in registry
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 4768)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b4c0b80-985e-4e97-96b0-a0efd48fd673} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" gpu
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 4940)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2380 -prefMapHandle 2376 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef8d565e-b6bb-4d2b-8bfe-e5784d8b0fd0} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" socket
            - Checks processor information in registry
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 1168)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3388 -childID 1 -isForBrowser -prefsHandle 3340 -prefMapHandle 3208 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {544ba015-7532-4329-b03b-264d60db94c4} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" tab
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 2004)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3740 -childID 2 -isForBrowser -prefsHandle 3736 -prefMapHandle 2740 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {53903539-3167-4c19-9305-43ee961ad69a} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" tab
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 2408)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4340 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4320 -prefMapHandle 4300 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ef9b389-a850-482c-9a86-63d37be3c570} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" utility
            - Checks processor information in registry
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 3528)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5380 -childID 3 -isForBrowser -prefsHandle 5524 -prefMapHandle 5520 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e32b765-c360-45f9-968c-4928c8d29180} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" tab
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 4616)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5484 -childID 4 -isForBrowser -prefsHandle 5536 -prefMapHandle 5532 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dcff56be-f18f-4fc1-a4d6-492cc5d0b329} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" tab
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 2360)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5484 -childID 5 -isForBrowser -prefsHandle 5220 -prefMapHandle 5440 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0805b95-98a9-4dc3-bf34-982d71dabcfc} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" tab

C:\Windows\vnc\winvnc.exe (PID 1100)
    command line: "C:\Windows\vnc\winvnc.exe" -service
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\vnc\winvnc.exe (PID 4656)
        command line: C:\Windows\vnc\winvnc.exe -service_run
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

C:\Windows\system32\taskmgr.exe (PID 4608)
    command line: "C:\Windows\system32\taskmgr.exe" /4
    - Checks SCSI registry key(s)

C:\Program Files\Mozilla Firefox\firefox.exe (PID 3176)
    command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    C:\Program Files\Mozilla Firefox\firefox.exe (PID 4376)
        command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
        - Checks processor information in registry
        - Suspicious use of SetWindowsHookEx
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 1736)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1944 -parentBuildID 20240401114208 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 27679 -prefMapSize 245250 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce902263-4061-4ce5-a744-81b67491931c} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" gpu
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 1124)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20240401114208 -prefsHandle 2292 -prefMapHandle 2280 -prefsLen 27679 -prefMapSize 245250 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2eecaa57-a12c-4ad9-a1af-978ae9c7a0cd} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" socket
            - Checks processor information in registry
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 4400)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2940 -childID 1 -isForBrowser -prefsHandle 3164 -prefMapHandle 3004 -prefsLen 28178 -prefMapSize 245250 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f075cd28-9e03-4315-8601-17a41b771170} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" tab
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 4560)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4132 -childID 2 -isForBrowser -prefsHandle 4124 -prefMapHandle 4120 -prefsLen 33411 -prefMapSize 245250 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a28c44e0-41b4-4860-a3f7-7e629ba427c7} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" tab
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 3296)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4748 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4692 -prefMapHandle 4688 -prefsLen 33411 -prefMapSize 245250 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1c84be1-b6fb-46b7-a18f-e98fb8c48fb3} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" utility
            - Checks processor information in registry
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 4340)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5272 -childID 3 -isForBrowser -prefsHandle 5140 -prefMapHandle 4956 -prefsLen 30461 -prefMapSize 245250 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f43cec3-3cbf-4700-9bbc-0682ccef57b8} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" tab
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 4372)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 4 -isForBrowser -prefsHandle 5452 -prefMapHandle 5456 -prefsLen 30461 -prefMapSize 245250 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0755649-cfe5-4bc6-82c9-c2bfdfca56f8} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" tab
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 2124)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5628 -childID 5 -isForBrowser -prefsHandle 5636 -prefMapHandle 5640 -prefsLen 30461 -prefMapSize 245250 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3bc72701-9395-4a44-b27c-f29b62bc4cec} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" tab
Network
MITRE ATT&CK Enterprise v15

Persistence
    Boot or Logon Autostart Execution (1)
        Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (1)
        Windows Service (1)
    Event Triggered Execution (1)
        Netsh Helper DLL (1)
Privilege Escalation
    Boot or Logon Autostart Execution (1)
        Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (1)
        Windows Service (1)
    Event Triggered Execution (1)
        Netsh Helper DLL (1)
Defense Evasion
    Hide Artifacts (1)
        Hidden Files and Directories (1)
    Impair Defenses (1)
        Disable or Modify System Firewall (1)
    Modify Registry (2)
    Subvert Trust Controls (1)
        Install Root Certificate (1)
Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dly1kncb.default-release\activity-stream.discovery_stream.json
Filesize: 25KB
MD5: cd258d77ff30645a3ef9033cf002ee28
SHA1: 19af1eb6bdb7f91a42eead992d8a6d3c54a799c6
SHA256: ee7f1e7646fbb6ac5893f8565ef349c0e615e649fa6a4c0e2506c7e0f75d3a6a
SHA512: 9df916ce714713227431b255373951d63266912b90a690ba4ca9b0d7e8d9492ecb4ae3caec0a11e956c224dee10fb13b3e1e288eecc7b87c5cac6103495e3b2b

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dly1kncb.default-release\cache2\entries\0EA2E1AC3653A248EDE38E975FF2A4ADDA308244
Filesize: 480KB
MD5: e2c64508770704c98cbfc9316f844b56
SHA1: ff2a68cb9f14af7039c8ec7d949720588e917e61
SHA256: b49ab046f2b28c17dc087bc64a5f98405a50ccd641b1a0a417055c9d6c4f4c30
SHA512: 8b73729aff4c536e30913808b0e97e4f3fd99cd8152aa7b99f0202b9112dded04b3239081f40ad45a7d14d14008436b32ca4e07df7935a18a6ae7a93df9c3d8f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dly1kncb.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495
Filesize: 9KB
MD5: af0e60d61ecc8efc870490debea2d0c4
SHA1: e96a89d68eedfe91198b6d03def9e23e697995ec
SHA256: a94ddee810b41cecddfd86d778c4b40eee4bd69bd37efc7267250e1c62770ba9
SHA512: bfdadfc6a3d28ef43232a9ff0489cf9b7253e80a6860186794ede9f8c733fac9860090d5dd7a55a2dfab24b3fa016d77a77048657bd882dd3990053345ff9085

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dly1kncb.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878
Filesize: 13KB
MD5: e910a5f37db996be6445252c9b6b97c7
SHA1: d3602d3265ad7d74759e95d64e478013ca5c0075
SHA256: 6846d85d12fbfecd1b16d3358c3f6a169e591f0afb6e188a8a106bfd2ba161fc
SHA512: 5412131487c805342f56483b7a9ede77c738da64e5a751d4bd486192c7f1b423ab798657d5a784a2c42565d6c9361e7952836be89222ebbcef043e132a100f71

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dly1kncb.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878
Filesize: 13KB
MD5: a028a88e7939edb36623a078b1986cd1
SHA1: cc65bf857ccd7e5eb8c9d663fb8c327ac07a25c1
SHA256: c038c94b6a11eda8ce21efbbc4c821cddf6b1dc2bff8a78a5b65f85b27c9210e
SHA512: 2b07154f1a6163ea11a39e8e5e4503dd092bac1e402aa9e54d6488ac512f86ac98f796b36d4428f94c8b32c22eddf77d6b49633206a9dad2c389ffe43f133fad

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dly1kncb.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F
Filesize14KB
MD5594042a15f2680420141079daf0d305e
SHA130ff983f6b06085d3911bedc0a45c761f1c58fc2
SHA256ae120e890d74dccf17c19215b2d644e7603650be85c95a79f3279097922d1fe9
SHA512817ea56f529a28b00971e4573503feac82ccb543b2e6f8f1c89becdf6e0cfd13f4be48465668227838dd528563243b59be8d9955f5f19f544b36539c9d9fd57b
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dly1kncb.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F
Filesize14KB
MD542d6742ce929fbbae1b05160b4845614
SHA1e7816d4619b6286815c9bfaf53bb257c24be4ee2
SHA25608a7f92e520ef68f3ac6ae79f05d630f1ef648122f8773df7a4b4c7226efe6f8
SHA5127ed63650cc707d87d3271e06bf3dc43879ee836f53407dd83ef004b0b0ca664cb25db7a138b3332bc7d06f35ff7667211fa8530f3a528a6f1cbcc7e0af232b68
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dly1kncb.default-release\cache2\entries\D0F48A0632B6C451791F4257697E861961F06A6F
Filesize136KB
MD54bc388cbc1fca3fa888c196704976029
SHA1deefda35c575e76b974e21fe949b25190447cdd8
SHA2563860aef41d9bef873decf95f7ce6136d8620da7cb2ca4aee569fabe16b469077
SHA51241051df748480caccb1c1014db307b7107a1890d2194b722b00baa1ffb26d2615e39a57726a22fa0c858e7b62378e7db170ce79af51f477f05d5e8979fc3e774
-
Filesize
54KB
MD5f99899071fb25e252dc2dbcc47e76b6b
SHA18deab8e77a22a3a8842952a7bf5f2df2906b5eef
SHA25604ae47dc7a4e5a5968cd0668a14870ee8c3c813d408d1d72488ed8a37f1a8bac
SHA512798a241275c51753dce33b92b114241a29db6b3a96c90606297720aca09dd105e4269dde7715bd663eda2cef4c0724aeb45a91c970304eaa38ccaf6d160c5e91
-
Filesize
16KB
MD59417a3dbaa2c5a3bac6ca06a9cbfb2a6
SHA13646fa481dd17dbce4d61720daf97656c955032b
SHA256e026e0df8c593d1765e29636187e0828c60d1ef14b8d2216200f69c7538131e8
SHA512ef6c8cc3c2c4daa3ddbbbf15317a344211befab0d597a5a853d833035203a9f4aab6e89387ae0606c45dc37420355a5b038b29e673a5b5bbd6a1362d572efca9
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dly1kncb.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize13KB
MD5f99b4984bd93547ff4ab09d35b9ed6d5
SHA173bf4d313cb094bb6ead04460da9547106794007
SHA256402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069
SHA512cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dly1kncb.default-release\startupCache\scriptCache.bin
Filesize8.6MB
MD551e2b60b435eb60f5ffd1134e4066e6f
SHA1a289984f92fa293f5f8ea3dd6137390469055dd0
SHA2568c5bbf7ab0d3abbc7b3eb7856e887450aa8c966cc03c986a1b015fc6e68f6320
SHA512ae88ba80ec0f78f74790597a2e7db2b2efedc9fa238be8e655599de1adf90fe40f11aafe80a83f26387295fd078e72eb400c64d998441569122944cf9afc8bf8
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dly1kncb.default-release\startupCache\urlCache.bin
Filesize3KB
MD52bb3cc3d2e289a54c2caae0fe324bf6e
SHA1f94aba241d17b8560b7a9d9e9dfe3f10b7a60218
SHA256d7a1b54856a1675ea5e22ce63231ead2fa0fab67f8bedfccff8f6af86ec65b65
SHA512e1279766c64b9ce6ca24db3a4a8d93d8f490a263b96dc3e8f9de11c04653393f76d1e570a4513c87e49f1881263c61dafd9bdf374e7289f3f48ff784130e2e03
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dly1kncb.default-release\startupCache\webext.sc.lz4
Filesize107KB
MD53880d283d4d12f218a96acc96397ae96
SHA19ef4db6356135e22fa020b15bf42c254c0fb4faf
SHA256df8ff7934d91fd318c9772339bae5bf7f1ce72bcbb1b3371d5b49b9a328ac9c7
SHA512068b9d55f4967bbc9e5f7e21e892ecb063d623ae103715ce437db0d6fe6efb0caa826f112ab7777da4d08ec31283ec572363a94e3cedb169f47d43713f09fe68
-
Filesize
3KB
MD5ed10dc8c536ee4a022b94514936658e1
SHA1006378f2c2837b196ecd17db6f1d6db862b8454e
SHA2566851924794377b148813fd77ffe990aeb8abd363e9086b73bf76db117feedc59
SHA512245a2bef61c75090b9108a5c5b81a77d1091b5a4abe8f561d5658e9c708907fe2ada359a9931dfa6decf0a06e5a0fdb08dab6ed7165a78f559512cbedf37634f
-
Filesize
182B
MD5c9280e704c9ce932310ef90dbd50ea07
SHA1008a5a09212208ab104bffc95ddb5bfa9ce746b0
SHA256d716335bf2d70d602bb2823e266eb4b2da101306a1d21a11a2aca15f87aa2dba
SHA512f348dcedebb9ca4e00779711fe0111a18b987c4a58e67df36de5e3d05b94594714b6e0d62e9e54bffe57e961c9991f2b43198e78ff13c86f6d3a4d6f73becf2d
-
Filesize
1KB
MD5741de7cfb77c0d2b06e4294cb849a41b
SHA16756cf9428e25bd5c295d7d59b14885a61eaf39d
SHA256f4097fa9ef3432212e066d69a54c43d211c4cc08e1b2ab0b3bbe6e3af66f6ecc
SHA512da12ae35860168d6691d8c2e977486605a493942b2c23fee05d8d6c4d61309e68c51d6e50522c6a8d9f5bc3cc8c22a9c2f73409cfa393cda1966d561de87e00d
-
Filesize
52KB
MD5e12e07ee3f1088632635731d4cc61fe4
SHA11a6d7e6df5164f4433d9794ac9b7852b4b4a099a
SHA256c8164ccc0cf04df0f111d56d7fb717e6110f8dee77cfc3ef37507f18485af04d
SHA5123f4b7d2d79fa7abdb1627a0978d2a57dbf7fb6f28e8fbae20e2453da8ae6a10f95265f2e0b3b2a76665ea864ffad51cde33eda41693ebbef979b7d46b6612ded
-
Filesize
2.1MB
MD592035b71d115335360749bc8b5755750
SHA10ab85b6492fa4c0b891413deddaf4f4974ca408b
SHA2565ace41b53aff2a334c6c4972c77e6d54be9c7aa8dfef7c63632c594d36bd95e3
SHA5129015fffd82bb8e16f0fac41bd0d750b0386e9e2d0221318e4c9c85bf5d1a4ef98feaf1fedebac10a6fcc40303c1ce896cd48298431cb080e65ac73efd6d52fc7
-
Filesize
126KB
MD5fb32165caff9614efbc6311fe75da2f2
SHA1674e7a93ed4b9cb097d846463a249bd68c4ab7a6
SHA25641018b0dcfb3adf0ddcda481a276d98cbcee94698ac9c7dbd3644a86687e76e8
SHA51265356ddd14df07f2153e740a8ac9f4d722e604a85663254f5e444850cbb66c15c35e7cedc6fece72df63677ffbbeb094122b05c11e01bf0cded917c3c4608a6d
-
Filesize
10.8MB
MD5dcf9700c43af9e588bef407729d34161
SHA1258b313531fc59545911b653c4aa6d82a2fedd21
SHA25699d6917a4a78829b494c50b59088f74dc9f5e1bb8d78a92f0e27b5be7cfc429b
SHA5120c7952646788e411c1acfc5c26c084bde45f308e7778f55ae9ff2562454f9a57a271932966d17b3fab2f279568b442e22b2ed57e368016d80a74d7365f216e2e
-
Filesize
26KB
MD51f5545281784c48b113dde61778a4697
SHA146aee2f749bbee1fb7e4f5d8609b798bd5077673
SHA256e31e3e11ce40c048eed1a0f68b0e47a15369b9289b30dcce9fe70b7f7ea26c20
SHA512e262e58f15bbbee488a8423cbd5f03b2e9ab12b7af267d3278b48cb86373ff180b992d126694d3e224a8b97bff5edbaeb9c0d3493528b0d6b49e236339a1ab37
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
151B
MD5e5d07d56ec0f669b477bb7c598c6fd10
SHA10145d8e87c5ca32654879fce086dfd4db8682fa9
SHA256f395de87ef433b77793019a4b2a6e54646f5c5e50d04dc3c4bf0e9e31ebf3150
SHA512183a7d22ae6f7ca28026940638e210dba63b14a8d16cb6903c969c716adf225e587b46e02a14810265c06ef950618c36f28815378816546c381a6ccce58292d7
-
Filesize
1KB
MD545553c9f5b5be8590f4cf6b9807141db
SHA1d830703c83753d9d34554939b500989c6094d0d5
SHA256b82108c64f7acea33e9273d191f76deb9eab7c59471380c91874527c6b8788a5
SHA5128b662ddaf4e8886b7224fbe59f164a44398dcd3d70dccc5cbec5c8ea4009a617fb577297427fd663086f68cb5295c5d4cef66d6c0f874476207c8a9dccb8d7df
-
Filesize
648KB
MD523e3963e5323c50dc93f51b7e0f01a93
SHA12de308b5131d78fae37cd42125f681464bd9a564
SHA256c77bce9c430ee51023438e8b46cd4ddf54835e6a8953f80b923f9c888f7dc39b
SHA512e4fe0b563f901e2557559ecf85e6bccd6c51517913fcc70bb07ad55048311ddff7ebf1d24441d190e082c3d4ca6b7fb57ab79d0fe4eccb49234a83be5915246b
-
Filesize
1KB
MD521eaf37b395f05f15f3e138ecf593548
SHA11da480a35399a2d377b0fd2f0a6a09d619fcf15c
SHA256341a111b2a2b7b3e69a1bf867476d222ef423a3128afaaadfa1bbe091196c524
SHA512ac34ab428d5971afe19aca423df8c361350ee1a455f2c1a4760a65a0f08566b2a166c3f3f72c194cdd19e572dd7ffa2a6314d31c3946973e055e63672f9dbf63
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\AlternateServices.bin
Filesize8KB
MD5605ebf7eed86ea8b51af15f3b9c3df9d
SHA134c4c9d1f11a8e02b0360d66deb8270fa8315646
SHA2560aab8f6b1f6f6586469c018c2ad349652d8c3b83fabea71f4b80bc44cf0dadcf
SHA51260bf7f532340627a845e20676cf056f161a82e0b1f351c2effd36a5bd2dd2b0fc7a35fe46ba28337f0730e90a7accb6241f7087c89a8648f30bdcd5391515ab5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\AlternateServices.bin
Filesize8KB
MD59b64b831850d5da1565e15534700ec76
SHA1e95516f2e7fa0b9415c1994e16a8e87020061357
SHA25676805aa208620ed91bd470ba33cd59c6ca7418ac83fcb1989a7da545ff0c555c
SHA5123361210bb81b2971f5dc8a6a26c3416d47f29d50d5a4d4157d1963094b36668104bbeeae329b279b7b06cd34870cb79ff10ab5834562255c0d8f42a67709a75a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\SiteSecurityServiceState.bin
Filesize1KB
MD586b06a70620a11852d065eafe408073f
SHA1bc36723c21e5c9b8146bea497125eb6f8b535bee
SHA25683455ffe3f3e915ad1a6fa5e0a97a8aebd77093eea672373b22a65bf8269a011
SHA512ded97de97360dc74e0076e100be9c18e411639efb9cf62bd6bded341449e083efd2f5588ff3c11083ef262f439bec93197ae805eb445cffe1dce1af54fb87a37
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\broadcast-listeners.json
Filesize221B
MD570010e502eb4c232f138f3bea29bffcb
SHA1bc70dfaf8d57d2cc87b4a37fcde52b88c0b53bd6
SHA2561e2736149d0356bdf2e0efb09133782b685c9808b4890dc39f8fad6110e302cb
SHA512e3fde36c4979e8e58edf3983786cfd7effbc7a49bfbae29c5c4d5cc587a3a481698fb07f90603feeb9f63fdb0527d0595b6016aace564544bda48de074c52ea0
-
Filesize
224KB
MD5333862fd43314eab0921c3ea2e727706
SHA1e9d18e9efb518784ab167a91f43161eb84c20589
SHA25602fff87c5b7f9bf940ae5f3918c12fb8451673fef85dfa39ac30824cea3c06b2
SHA512c5a1168a499885be48167fee167052ef008af8fe2471983b5a5f726ab8c6079f52a9905aadfe49dbfce3d4f9cea15ad9d79bff74c3bf6088120ce115c48dd3f5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\content-prefs.sqlite
Filesize256KB
MD5b41ed219e2c8dac47f2701562d092621
SHA190d507eae3ec943a121dbe5a080412e40470b54f
SHA256cfed019635a1e14f74ae78f2c03fb96b40ac3da37b67489bd98c144afc200f1f
SHA5125c6027ec701055efb3b6c055727af5ed261e8f1d5ba954e64e8a34e5c791679b1e4a6ef49896ab8089ec151fd758ba41efc7333611af42b851606a0544a9b947
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD52db068fa2fb2f4afd99e779b54888f4f
SHA136c88f2b53f63b20ef0684e300e8f4eb75caf8fd
SHA2567644183f3472f8dea114aa55d74781bb12f26be6e90b47d506b3149b11bf4105
SHA51204e914eb920a012bab42603969a3799e6212c12973e7a0e055a69d839207cca06edb5b869069ead3639060dbfe295eb738f94cbbb248563f3f8f3830e823031e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\db\data.safe.tmp
Filesize27KB
MD5657aa3338963ebff6913dec692130aeb
SHA19189db85edcb3c15992b99046ec933f934bd1b5f
SHA256388145ec759364ee875ea3e1b66fe5efe151dd05e78352f24131a7c2645fb32d
SHA5123d5284a958471a93421e96621140aa263bf551899ddfba24ba87bc81a5784eb59e9ba46b885ff161912ce481118faad49203174442921008e5d8f567935d8d18
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\db\data.safe.tmp
Filesize27KB
MD515e1409642f41c8442226c4fe2055c70
SHA1b05dbe889fc67ce40e20d3cc76f8bf420b96b3fd
SHA256d0d90a005e6999a2fca59eabf2fcb49aa182ea9b27db752141e3d2ccad76d960
SHA512d771bd1f6cea3f6a3e0f7613d0b2d2ad33404e03504922c0a7b3099534e87af5bbcb8d6b021f3528bd93a85285869de3e6d11bf0680f715d0053647627d96431
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\db\data.safe.tmp
Filesize26KB
MD597abba90aacb051ba305ab7e2f71e37d
SHA1dcc60f86652475ab76572746cfc849e76d6d2c05
SHA256771852c4adc209cb522f2bd869cac5abc3637caf3c028c1fa079f533fe7b9af8
SHA512160a510f5e756213bfc8e4c8d1cdd396cd69caedabfe596910e0ebe61951f7ada5f86f6663db45ef6601bd8f7e204be23dfdaa58bfd15e5ae1e3b600a82ee632
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\db\data.safe.tmp
Filesize25KB
MD5f93ffa61e1c1b0dd18a8e3248a84887e
SHA18143fdeaaa54a56ed2e096a317aa05c909747db1
SHA2564d03bff6461216cd27883164e4a99afcfe42fb78c462f50d8909c61fdc70910c
SHA5125d99d545350c552339006b0bc850d87629fd14380a6152dcb6d439dabb385b7ae7e27471bbedfdfd786bbb3d05370124944e6c4a7c8773ffb74537060bd3d8f2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\db\data.safe.tmp
Filesize26KB
MD5b3a74f93ba8b2382a8c87acf2fc12b0e
SHA17949fac11b248245f790f1df4f15988194f3cad3
SHA256864b8bd3c936386e3f35b2d5ad4fdb3801352505bd55aaf66c1acc6c2d2e8b83
SHA5127f695b4fce4cfe28a76d4521f706536cd9da7dae9bbb1caa9b725a9df178910a9e319aff7119212df7d89b03bbdd0ed8ad0e69cf8c894e043adfb0be3b2a7487
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD58193a499981ebfc2a0a508efe0379b68
SHA17ffa965c1f9fa0ae8618470396b78234146070bc
SHA2560ab5b1170f3593fbe725f15b2deaef3827ff7de896cb64d56ef99a1002e9d00e
SHA5122c3c00e543a3ec4e6c58272df3abd54fccd2432c44416437aa7d3f49b0456d1fcf24607ec6f1dded5353e5d365ddb49b0b707e41dbad91e1a3f2405841fa6d2c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD55a301613b0a7572b322eca75ae1dba66
SHA17b372dd4b7cf9f819a7e207916b073f50e9c2ecf
SHA256fe32f94a00159c4868ec35a4401502be53c7ad96675f0b5ee5901833232dbd9e
SHA5123c7e8484f63e2db3e45fd21ce52d761a3e26bad16bd41f0a7ebe20a19afecb14f42c0905a497feee502feb2680434bbaefde0842ecb461ca868e9c19c33b3766
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\events\events
Filesize701B
MD5cd0f631efdd92ac5e66ba7f1f3e42b55
SHA125a96156cab742f3e60b561b67cd4eb39b3cef75
SHA2568809d1bfcafe97844845d91de8a38b2c312c8713b2869fa191a56b086d025398
SHA5128e90ae1c640797ac33bc24769e8a4c43305bb04365f40a0bdc5952356b5e4599462feba77256009d254f002675515e2a58b5d619690d30585faf3d1c069e0eb9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\pending_pings\0ce25701-d6cd-46ed-ba3f-9555445ae040
Filesize797B
MD58128a943e868cf5f154b2ee9562e0af2
SHA1f18e58312c86ad93a8ce3043f446c960b58e68fb
SHA256a0fbb3c883600b1c66cec3df992959fb81eeab65a66d75207435d093ddb08ebf
SHA512a2d8f3e6db4661ea25f7dd7d970dc2b09ed31d512659f60c5989230e10ad6f7359824c76271ffbf0db7386e11c4f5594186b98e4d73783d5b2bb7c46f86acab8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\pending_pings\2c4a573b-63dd-447a-a115-28573fc04f65
Filesize1KB
MD50e7a58eeb01633dcce126074df68b65c
SHA1add533dc7fed694ca60730c86610cbb4697d1d63
SHA256a9d1fe6d55b3d6496e73dcdb0941acc2b3f6b2171b80615ced0cbab74471b6ac
SHA512dc659bda0659b6440654b92f698d71b3e5a58d8c6a53aabe44875e8828dd3c3a516b0cc42ad05b9fa3d91a4575ce76aeef4453aaf388005d3916060eedf2a9e0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\pending_pings\59d0b8b2-3b10-4bd1-ae3d-0be9f2ba581d
Filesize671B
MD5e10a22d781b16b67a2d9e68f83790c52
SHA16686ddc2af93da0d33b0e2aef9f1d9056c574700
SHA2560a3809afa3895bc0dc003214a9c27ade20d9067964f66d041f49e16460ea5add
SHA51202873f5e6495402d6b25eaa9c07636d3e0f5a3009c10f2872835c625b9fea8772c18aa1a01c434f64cb9cd7f9dd9f22369c5747abb757ff4b1abd287bc93019b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\pending_pings\874eb8d2-a4b5-4a60-80b2-aceaf0441fb2
Filesize25KB
MD515d1f5528ffcc6b08bf999280219bb68
SHA15c6e31afd8e493e0b8a7449968acdbe4f43b99e5
SHA2561dd789d63990342618e514788905ecf5529f4a315eaf119727f14f67dedae16e
SHA512db3c071ebdee7deca962e0072c7ddd324559c2f50d3ef35bb5dca5b1cf33cabb8096a46a9b39704e1600a83746b77f72dafdf5077db5e0caa99e34cc6ac2a130
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\pending_pings\8e827ea9-5152-484f-93fa-22d169fea6f0
Filesize756B
MD5b6b447bfdc45f6e5780b5a5c1f109bea
SHA156cc6f4ea18477e20bd0ad6ddcc08f66535fd988
SHA2564b234435495dcd9b35254f76931c4180d8be924338f8d5f80d3c8eadabdd8d89
SHA512ef75ab33bbf6d961b8c2a7d404ecd0b67487c031b2ba533d7aa63aa139dfa9cfc45e109e3084d2c3612457722f37f7ad5f9de1b8ebc93185fb2a1100bc14b942
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\pending_pings\928c7b97-1ff5-4594-bd99-58f7e86be1d2
Filesize676B
MD5b29e8a57ee10e92a46694d3a20e74e9e
SHA1033a2cd4a8d60187d0365b10c9113c8edaf535d0
SHA2566ae68901e57686de28179b9d7374dfddb1ee1e1918a79e60f2e5d6fa0436ce0a
SHA512178c4136b38a39c2f2730ed570f98c9191ef59087bc6ae8de52ced71d981468d8066aca30c9d86a6254fa2f2e925134134e3e0ffb6fb195556de48f66a9c07a3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\pending_pings\f29077f6-a268-4402-8d54-6a41db16e694
Filesize982B
MD5e20bce3b844d4deae09cc2a2ef1cbc6c
SHA1b10229a4f90f971e3815e39118fa11162bf032ac
SHA2567dc01bf37f0e620b8db1d1e15e1f83fc3518d8b94095518098dfb656271c8319
SHA51275dd4db1cf145ea93c68e2672ef536a2560e419ad5087f8a8fffdb042cd960e0a05111a79bc1936d9e16ce0c5b4d00bd050c918086f02cb6529a61fa047f7e8f
-
Filesize
37KB
MD5ec1f08c03a98e5b376abbf43e707d5fb
SHA155f3c934a1537aec7e6508ee6318c5ac82e4035b
SHA25613e4af3b246805c49351ad879dd98a02b7e9f09894073df1319b3dee236e7231
SHA5128426c3556d6a5592eb198e82e392f50b6eba0121afdfd4922bbabcae8f31e8face0259e4b9b53fd00c4bb50c8737d2f8d017c04a0aaf7955141f2a822b311aa7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.lib.tmp
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.sig.tmp
Filesize1KB
MD536e5ee071a6f2f03c5d3889de80b0f0d
SHA1cf6e8ddb87660ef1ef84ae36f97548a2351ac604
SHA2566be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683
SHA51299b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e
-
Filesize
15KB
MD58dee956780324b0cf2040f844e394f5c
SHA1cad5ef2e3f23ee79dbf1bb62a3b7e0b0fdbba095
SHA2560c25258cc6d5199587d935b00bb48c99ab54032b0c8a7683a18399216c44d30b
SHA512e8d1432b12c1582a6d6b2308219cab0bf344ddd7f33afedaf3ce72bffeb7740d8d0b71ec79424695f0c75402c511c8f5938252d021201e17603ef91397a31387
-
Filesize
11KB
MD578836a2d949f19d961e99cca377972e2
SHA1c8355af3a673a5b1c25dbd5fb1d30ab072d1a16f
SHA25695f3b16c347ea67763677fa3afd41471efa6be5cf229b55827762a7d60e447c4
SHA5126d2d61272580b6eea582ea4bf9da7d710a5c8322db8dbb34d219b508fa890312fd049fbf74b577bfd5615e57c4682f62c1f465f426899bca9592ec3ab5f2a509
-
Filesize
10KB
MD574f486ea3d81594bae44455de18f9c88
SHA1e5cb36186db7dbde62775f0178d58acbef5328e7
SHA256535dcf601256d03a3e71e413841447459b6ae57ce40ed953025994c739eac90a
SHA512fdceae09941b195b1b7cb7d461d100b6ef52460a2776378c8a1f802ca5e8680af4c82af3e0ddbd66c18886cb5e3b959ca63146e2fd5f22afdf4bd54015b6394d
-
Filesize
15KB
MD5c4737a63386224366f9dfeb3e72fc696
SHA1d76ed650c9bcd5b215ffbb3e07067a5b85993c48
SHA256877bf330b6d35383f29a8d947e4e73eaf101900c2591fbebb25f7c5a8112b1bb
SHA51206cb0f1eef1922cda59648e56e62e23fd428645b3815fbf2207963a197aae5ff5788a6551071da86cd668e6f0b8fa00f3024d1781bda579a2be42bf748b50ca3
-
Filesize
64KB
MD576786a4c0dd19d88d6d3ed95a293bf2f
SHA1b0d6d676127a7694fc6e71ee57fcc2ffaa621ff7
SHA2561a2564c1ba20b8038d35c2319258d94dc15d97914dcf753b31c48b79940dfd31
SHA5128cd3298e2ebba763d3c80ac4b17e44af7eb63b46304967d0c6316d314baf8611c05f7b9979c2c5c329ac167aea0246e8c9f057ffbb272481c13fd5e4b4bcb2d0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\security_state\data.safe.bin
Filesize2.9MB
MD57a902730d00c26e80adc802a03a10734
SHA1b22c1a9e69e615ba0bfee39b4824613887bb8789
SHA256b2b63dd6d881800bf7141fac25d7c31857e9a86d8c12dd3ddb40350fd0e4b9c2
SHA512ac583a12e75e428a1bbb33f092ad1b266e23a8bd2341023e2d7ec16f40812e1ad12709751e284110184d675c942f87c9b14b016e0b33bc49872f9c7df03afbe4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\sessionCheckpoints.json
Filesize288B
MD5948a7403e323297c6bb8a5c791b42866
SHA188a555717e8a4a33eccfb7d47a2a4aa31038f9c0
SHA2562fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e
SHA51217e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\sessionCheckpoints.json
Filesize90B
MD5c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA15942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA25600ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA51271ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\sessionCheckpoints.json
Filesize122B
MD599601438ae1349b653fcd00278943f90
SHA18958d05e9362f6f0f3b616f7bfd0aeb5d37967c9
SHA25672d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a
SHA512ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\sessionCheckpoints.json
Filesize146B
MD565690c43c42921410ec8043e34f09079
SHA1362add4dbd0c978ae222a354a4e8d35563da14b4
SHA2567343d5a46e2fca762305a4f85c45484a49c1607ede8e8c4bd12bedd2327edb8d
SHA512c0208d51cf1586e75f22764b82c48ecbb42c1ff54aa412a85af13d686e0119b4e49e98450d25c70e3792d3b9c2cda0c5ab0c6931ebaf548693bb970a35ae62b9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\sessionCheckpoints.json.tmp
Filesize53B
MD5ea8b62857dfdbd3d0be7d7e4a954ec9a
SHA1b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a
SHA256792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da
SHA512076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\sessionCheckpoints.json.tmp
Filesize288B
MD5362985746d24dbb2b166089f30cd1bb7
SHA16520fc33381879a120165ede6a0f8aadf9013d3b
SHA256b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e
SHA5120e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\sessionstore.jsonlz4
Filesize1KB
MD51930705464a62c141d57c2d056b2947a
SHA1e47650d694e6678254a8a302a918967c96e8130e
SHA2569b97c2f6bda333e355f4cbc9d1d757ea3dc767912de5524c4aa917ff551f46c4
SHA5127651ca1d8ff9ca667dd89ab9604bcea05b2a7d47e644cc7ca27742dab47454ea0774ad3af45932bb404eb9a411bf4a37e7fe6acce37d2ad5e51fd336cdb4c629
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
Filesize48KB
MD5e56f3a6397593fdb119a4bd0ea5312b5
SHA1f3419fc1eca02fe1fb19bae7cfcc129cd3fa4717
SHA2563bda63b5af08e8ee200f45cb092957a5d7d07b559ea240617d0bf1364a1d82eb
SHA51243c7390de01f348948f1b42215045d6f79aa1fc6ac9ea2ae3161dd8d895409a789b8eddd73a23ac12ba113db0b2e5148d32f3862b2771d6e01293845f08e3d49
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize11.0MB
MD569eff33cbc11b5ec85f30fe13265daec
SHA109fbefa3c5462dacf248fffabf6e3dc0cc6d07e7
SHA2568dcffcc87c97b1824415f2e8d827ad55044d6e19183ea74f4927d0d9b94ba6db
SHA512f06d04ec159db4d0604810ba2eb8840129b8263a8fc6cea01efe031dd6ce3c1fa67098344086a1ab663ac7e2d8dbf811037be2086f12b39f25ac5028b414ce2b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize1.3MB
MD5bc32eb2314153d5d078da1e6e515523b
SHA1c793b923b5b9906850ca7a0e9331209a0d69fd4a
SHA2562a87b3afba539ae800ccd6317a12a14b4ba9722a2fc69b5e06946e96c92c3cf2
SHA512ac39245fe8d9b3a0bcd0c514a4a9e67aaa4274d6d37e6155b9d0fe36ba41b43ef1284974c9e7c866715bb80e94d99a6a89312d66277ba17185f3c769d4fdfcf4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize1.5MB
MD5e1ba3781c7c5f98380bba451b9c3b0c1
SHA164355cbdb364971d7d71bf75130cb8fc14ebadd6
SHA256235df99956126069a63903ed89f854e24d880535be3e3df991f93a74f7b7ee11
SHA5129545e69dd050af48c2519c1b188a0d7b3227cd1513a11db08054226482d6acbc18a987656f10e0e3e24892b75b063124d6a83186849ff4edfb6c0914543a4d09
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize2.7MB
MD5507667c3a3ee76d4e2365aa9ef8e6fb4
SHA1b801c8254637605d5d14b08ae715232e455c9670
SHA2561a5900c670d9885304f2ef25c486bae6eaa8881718d8ffd656a39260a8be1f34
SHA51298fe6128d6617cbdb27cf8d4307baaa2c52c338bfd20631b7d26b2cbeff0c507869ed9b4eac9020525435b2c5f99ca45a24b9297e1ab012d04f6cbef85bb94c2
-
Filesize
141B
MD5d7a9c29a5421078a9135ccf1cade552a
SHA1e1b43108778d359d8d9287cf59225617e1769463
SHA256bade20948c677d1d458e39a4cf6d8c4d8237263d55e63370d6272fa3243ffe28
SHA51249553b13fa1cc8d257f2ca9056742e6e11fbdce21633edeb5af6f863294f97ccf3cabe851d94bcedba03e2716311a48dcf8064eb1500f8a7c400b049bf48296f
-
Filesize
217B
MD53c7edbdeecdb47fba617e3d03c36b0d3
SHA153628ce8c5170810fabafab8e001bfd971d47825
SHA256c3db6f2519b071b7441022f9ed508b0da5ba40295be0ee449a27bd6146595d04
SHA512bbf56ea374114173f7de198cd71ac6e75276b0f30926c6690db512f45ac2e54d099d990c285578f702696494d2884d8550e5dddadeee01077933034ac3817842