eeee2b0a6ad1c7e4614fed4dfbe58b63776f6a3a6758267b5a976b4dc4315f48

Analysis

max time kernel
535s
max time network
585s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2023, 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wireguard-installer.exe
Size

85KB
MD5

1cf9257c07936d7fbf508dc113e9b6d5
SHA1

324f8a1f0779fe42baabc544bc7f6814a3d150ca
SHA256

eeee2b0a6ad1c7e4614fed4dfbe58b63776f6a3a6758267b5a976b4dc4315f48
SHA512

081fa75e73138fb403aa01cb09f3051b7ee6954ab0a15366016cabe873d7a64f8374c85d9bcdf068fa019930419c818d102063983a5547ae5107773fe25e5c12
SSDEEP

1536:+UD86+VKgtoNMJiYkiW2yF4q/4i98+ayxpF0Kxn+7ygK/fM:RwlJnsiJyrQi98+ay+KqK/k

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
215	api.ipify.org
218	api.ipify.org

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WireGuard\Data\log.bin	wireguard.exe
File created	C:\Program Files\WireGuard\wg.exe	msiexec.exe
File created	C:\Program Files\WireGuard\wireguard.exe	msiexec.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIF1D4.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE73E.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{2FDB79CE-5193-4A39-82BB-E00158CC1533}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE9E0.tmp	msiexec.exe
File created	C:\Windows\Installer\{2FDB79CE-5193-4A39-82BB-E00158CC1533}\wireguard.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\e58e2f8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIECA2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{2FDB79CE-5193-4A39-82BB-E00158CC1533}\wireguard.ico	msiexec.exe
File created	C:\Windows\Installer\e58e2f8.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEA20.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIECB3.tmp	msiexec.exe
File created	C:\Windows\Installer\e58e2fc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE81A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEC24.tmp	msiexec.exe

Executes dropped EXE 4 IoCs

pid	Process
3980	wireguard.exe
2148	wireguard.exe
1696	wireguard.exe
1388	wireguard.exe

Loads dropped DLL 6 IoCs

pid	Process
4644	MsiExec.exe
4644	MsiExec.exe
4644	MsiExec.exe
4936	MsiExec.exe
4936	MsiExec.exe
4936	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 17 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	wireguard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	wireguard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000000840d5e5e83918180000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800000840d5e50000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d012000000000000000032000000ffffffff0000000007000100006809000840d5e5000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01232000000000020ed0d000000ffffffff0000000007000100006809190840d5e5000000000000d0123200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000840d5e500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	wireguard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	wireguard.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	wireguard.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	wireguard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	wireguard.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	wireguard.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	wireguard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	wireguard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	wireguard.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	wireguard.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	wireguard.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	wireguard.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	wireguard.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	wireguard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	wireguard.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"	wireguard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wireguard.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	wireguard.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	wireguard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E	wireguard.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"	wireguard.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	wireguard.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	wireguard.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	wireguard.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\ProductIcon = "C:\\Windows\\Installer\\{2FDB79CE-5193-4A39-82BB-E00158CC1533}\\wireguard.ico"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\Version = "327683"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\SourceList\PackageName = "29de4e0f0337dfd8f5329774059d1a06cbae774cdbc9cd327317cd18426b6b4c"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EC97BDF2391593A428BB0E1085CC5133\WireGuardFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\PackageCode = "95F92915D6255534F9EA3FE06731F9BB"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5AD1A5E563ABD40429CE1450D0C197C9\EC97BDF2391593A428BB0E1085CC5133	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\SourceList\Net\1 = "C:\\Windows\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\SourceList\LastUsedSource = "n;1;C:\\Windows\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EC97BDF2391593A428BB0E1085CC5133	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\ProductName = "WireGuard"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5AD1A5E563ABD40429CE1450D0C197C9	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 5 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d42000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	wireguard-installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd942000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	wireguard-installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0400000001000000100000004be2c99196650cf40e5a9392a00afeb20f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d4190000000100000010000000fa46ce7cbb85cfb4310075313a09ee052000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	wireguard-installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 5c000000010000000400000000080000190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd940400000001000000100000004be2c99196650cf40e5a9392a00afeb22000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	wireguard-installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	wireguard-installer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1388	wireguard.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4572	msedge.exe
4572	msedge.exe
2480	msedge.exe
2480	msedge.exe
3376	identity_helper.exe
3376	identity_helper.exe
1064	msiexec.exe
1064	msiexec.exe
1696	wireguard.exe
5804	msedge.exe
5804	msedge.exe
5804	msedge.exe
5804	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1388	wireguard.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	736	wireguard-installer.exe
Token: SeIncreaseQuotaPrivilege	736	wireguard-installer.exe
Token: SeSecurityPrivilege	1064	msiexec.exe
Token: SeCreateTokenPrivilege	736	wireguard-installer.exe
Token: SeAssignPrimaryTokenPrivilege	736	wireguard-installer.exe
Token: SeLockMemoryPrivilege	736	wireguard-installer.exe
Token: SeIncreaseQuotaPrivilege	736	wireguard-installer.exe
Token: SeMachineAccountPrivilege	736	wireguard-installer.exe
Token: SeTcbPrivilege	736	wireguard-installer.exe
Token: SeSecurityPrivilege	736	wireguard-installer.exe
Token: SeTakeOwnershipPrivilege	736	wireguard-installer.exe
Token: SeLoadDriverPrivilege	736	wireguard-installer.exe
Token: SeSystemProfilePrivilege	736	wireguard-installer.exe
Token: SeSystemtimePrivilege	736	wireguard-installer.exe
Token: SeProfSingleProcessPrivilege	736	wireguard-installer.exe
Token: SeIncBasePriorityPrivilege	736	wireguard-installer.exe
Token: SeCreatePagefilePrivilege	736	wireguard-installer.exe
Token: SeCreatePermanentPrivilege	736	wireguard-installer.exe
Token: SeBackupPrivilege	736	wireguard-installer.exe
Token: SeRestorePrivilege	736	wireguard-installer.exe
Token: SeShutdownPrivilege	736	wireguard-installer.exe
Token: SeDebugPrivilege	736	wireguard-installer.exe
Token: SeAuditPrivilege	736	wireguard-installer.exe
Token: SeSystemEnvironmentPrivilege	736	wireguard-installer.exe
Token: SeChangeNotifyPrivilege	736	wireguard-installer.exe
Token: SeRemoteShutdownPrivilege	736	wireguard-installer.exe
Token: SeUndockPrivilege	736	wireguard-installer.exe
Token: SeSyncAgentPrivilege	736	wireguard-installer.exe
Token: SeEnableDelegationPrivilege	736	wireguard-installer.exe
Token: SeManageVolumePrivilege	736	wireguard-installer.exe
Token: SeImpersonatePrivilege	736	wireguard-installer.exe
Token: SeCreateGlobalPrivilege	736	wireguard-installer.exe
Token: SeBackupPrivilege	1160	vssvc.exe
Token: SeRestorePrivilege	1160	vssvc.exe
Token: SeAuditPrivilege	1160	vssvc.exe
Token: SeBackupPrivilege	1064	msiexec.exe
Token: SeRestorePrivilege	1064	msiexec.exe
Token: SeRestorePrivilege	1064	msiexec.exe
Token: SeTakeOwnershipPrivilege	1064	msiexec.exe
Token: SeRestorePrivilege	1064	msiexec.exe
Token: SeTakeOwnershipPrivilege	1064	msiexec.exe
Token: SeRestorePrivilege	1064	msiexec.exe
Token: SeTakeOwnershipPrivilege	1064	msiexec.exe
Token: SeBackupPrivilege	1528	srtasks.exe
Token: SeRestorePrivilege	1528	srtasks.exe
Token: SeSecurityPrivilege	1528	srtasks.exe
Token: SeTakeOwnershipPrivilege	1528	srtasks.exe
Token: SeRestorePrivilege	1064	msiexec.exe
Token: SeTakeOwnershipPrivilege	1064	msiexec.exe
Token: SeRestorePrivilege	1064	msiexec.exe
Token: SeTakeOwnershipPrivilege	1064	msiexec.exe
Token: SeRestorePrivilege	1064	msiexec.exe
Token: SeTakeOwnershipPrivilege	1064	msiexec.exe
Token: SeRestorePrivilege	1064	msiexec.exe
Token: SeTakeOwnershipPrivilege	1064	msiexec.exe
Token: SeRestorePrivilege	1064	msiexec.exe
Token: SeTakeOwnershipPrivilege	1064	msiexec.exe
Token: SeRestorePrivilege	1064	msiexec.exe
Token: SeTakeOwnershipPrivilege	1064	msiexec.exe
Token: SeRestorePrivilege	1064	msiexec.exe
Token: SeTakeOwnershipPrivilege	1064	msiexec.exe
Token: SeRestorePrivilege	1064	msiexec.exe
Token: SeTakeOwnershipPrivilege	1064	msiexec.exe
Token: SeRestorePrivilege	1064	msiexec.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
736	wireguard-installer.exe
736	wireguard-installer.exe
1388	wireguard.exe
1388	wireguard.exe
1388	wireguard.exe
1388	wireguard.exe
1388	wireguard.exe
1388	wireguard.exe
1388	wireguard.exe
1388	wireguard.exe
1388	wireguard.exe
1388	wireguard.exe
216	firefox.exe
216	firefox.exe
216	firefox.exe
216	firefox.exe

Suspicious use of SendNotifyMessage 33 IoCs

pid	Process
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
1388	wireguard.exe
1388	wireguard.exe
1388	wireguard.exe
1388	wireguard.exe
1388	wireguard.exe
1388	wireguard.exe
216	firefox.exe
216	firefox.exe
216	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
216	firefox.exe
216	firefox.exe
216	firefox.exe
216	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 1164	2480	msedge.exe	82
PID 2480 wrote to memory of 1164	2480	msedge.exe	82
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4876	2480	msedge.exe	84
PID 2480 wrote to memory of 4572	2480	msedge.exe	85
PID 2480 wrote to memory of 4572	2480	msedge.exe	85
PID 2480 wrote to memory of 8	2480	msedge.exe	86
PID 2480 wrote to memory of 8	2480	msedge.exe	86
PID 2480 wrote to memory of 8	2480	msedge.exe	86
PID 2480 wrote to memory of 8	2480	msedge.exe	86
PID 2480 wrote to memory of 8	2480	msedge.exe	86
PID 2480 wrote to memory of 8	2480	msedge.exe	86
PID 2480 wrote to memory of 8	2480	msedge.exe	86
PID 2480 wrote to memory of 8	2480	msedge.exe	86
PID 2480 wrote to memory of 8	2480	msedge.exe	86
PID 2480 wrote to memory of 8	2480	msedge.exe	86
PID 2480 wrote to memory of 8	2480	msedge.exe	86
PID 2480 wrote to memory of 8	2480	msedge.exe	86
PID 2480 wrote to memory of 8	2480	msedge.exe	86
PID 2480 wrote to memory of 8	2480	msedge.exe	86
PID 2480 wrote to memory of 8	2480	msedge.exe	86
PID 2480 wrote to memory of 8	2480	msedge.exe	86
PID 2480 wrote to memory of 8	2480	msedge.exe	86
PID 2480 wrote to memory of 8	2480	msedge.exe	86
PID 2480 wrote to memory of 8	2480	msedge.exe	86
PID 2480 wrote to memory of 8	2480	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\wireguard-installer.exe
"C:\Users\Admin\AppData\Local\Temp\wireguard-installer.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7fff0a2746f8,0x7fff0a274708,0x7fff0a274718
  2⤵
  PID:1164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,7610229189292872380,1358880247403602234,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,7610229189292872380,1358880247403602234,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,7610229189292872380,1358880247403602234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7610229189292872380,1358880247403602234,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7610229189292872380,1358880247403602234,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7610229189292872380,1358880247403602234,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7610229189292872380,1358880247403602234,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,7610229189292872380,1358880247403602234,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3744 /prefetch:8
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,7610229189292872380,1358880247403602234,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3744 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7610229189292872380,1358880247403602234,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
  2⤵
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7610229189292872380,1358880247403602234,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7610229189292872380,1358880247403602234,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7610229189292872380,1358880247403602234,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7610229189292872380,1358880247403602234,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
  2⤵
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7610229189292872380,1358880247403602234,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7610229189292872380,1358880247403602234,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,7610229189292872380,1358880247403602234,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,7610229189292872380,1358880247403602234,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4968 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:492

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1064
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding B591F496AADECECC88EB5BB6ACE76D8D
  2⤵
  - Loads dropped DLL
  PID:4644
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 8287F8A8FE053F57C0E7AEB11048C4FB E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:4936
- C:\Program Files\WireGuard\wireguard.exe
  "C:\Program Files\WireGuard\wireguard.exe"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:3980
- - C:\Program Files\WireGuard\wireguard.exe
    "C:\Program Files\WireGuard\wireguard.exe" /installmanagerservice
    3⤵
    - Executes dropped EXE
    PID:2148

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Program Files\WireGuard\wireguard.exe
"C:\Program Files\WireGuard\wireguard.exe" /managerservice
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:1696
- C:\Program Files\WireGuard\wireguard.exe
  "C:\Program Files\WireGuard\wireguard.exe" /ui 872 868 880 888
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1388

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5092
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="216.0.1208023002\1655449008" -parentBuildID 20221007134813 -prefsHandle 1820 -prefMapHandle 1812 -prefsLen 20860 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f845221-4886-44a9-9ba3-40ac1d1ff3ee} 216 "\\.\pipe\gecko-crash-server-pipe.216" 1920 25dffff4258 gpu
    3⤵
    PID:1900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="216.1.1628190783\2103437696" -parentBuildID 20221007134813 -prefsHandle 2272 -prefMapHandle 2268 -prefsLen 20896 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3bc0cfbe-ea07-44a8-94e0-f61b233a9e5a} 216 "\\.\pipe\gecko-crash-server-pipe.216" 2300 25d889b0258 socket
    3⤵
    PID:2996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="216.2.1222171104\1234099187" -childID 1 -isForBrowser -prefsHandle 3268 -prefMapHandle 3264 -prefsLen 20999 -prefMapSize 232645 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {276a19d4-fc8a-4b08-ad99-bfa8e468a434} 216 "\\.\pipe\gecko-crash-server-pipe.216" 3276 25d8b5acc58 tab
    3⤵
    PID:4236
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="216.3.727068010\402563852" -childID 2 -isForBrowser -prefsHandle 3508 -prefMapHandle 3504 -prefsLen 26359 -prefMapSize 232645 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32617901-4ab6-4bb5-a95d-e79e0b10a70d} 216 "\\.\pipe\gecko-crash-server-pipe.216" 3520 25d8a347258 tab
    3⤵
    PID:2372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="216.4.1119001560\1250475652" -childID 3 -isForBrowser -prefsHandle 3944 -prefMapHandle 3940 -prefsLen 26359 -prefMapSize 232645 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7949442f-7330-4ce6-aeec-0b48a3f7b007} 216 "\\.\pipe\gecko-crash-server-pipe.216" 3952 25dfae2d858 tab
    3⤵
    PID:1308
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="216.6.624768557\2091382238" -childID 5 -isForBrowser -prefsHandle 4984 -prefMapHandle 4988 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c5c835c-43da-4c53-87de-2cc1c3720ec4} 216 "\\.\pipe\gecko-crash-server-pipe.216" 5060 25d8da30c58 tab
    3⤵
    PID:1528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="216.7.2046009743\1410919665" -childID 6 -isForBrowser -prefsHandle 5180 -prefMapHandle 5068 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0790e083-6db0-412f-9ad1-df04b8c0128c} 216 "\\.\pipe\gecko-crash-server-pipe.216" 5168 25d8e1bb058 tab
    3⤵
    PID:2600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="216.5.486484239\384235764" -childID 4 -isForBrowser -prefsHandle 4852 -prefMapHandle 4836 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5e65046-5e2e-4884-82ee-ef2e0b0929ab} 216 "\\.\pipe\gecko-crash-server-pipe.216" 4840 25d8da30958 tab
    3⤵
    PID:2012
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="216.8.118827684\1832350906" -childID 7 -isForBrowser -prefsHandle 5568 -prefMapHandle 5560 -prefsLen 26672 -prefMapSize 232645 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {147f6fd2-0c12-4769-a3d5-72f8d3a3eb28} 216 "\\.\pipe\gecko-crash-server-pipe.216" 5504 25d8e014d58 tab
    3⤵
    PID:5876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="216.9.735302128\1234582145" -childID 8 -isForBrowser -prefsHandle 4328 -prefMapHandle 3988 -prefsLen 29773 -prefMapSize 232645 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1acbd17-1c80-40b1-8292-094f88584e22} 216 "\\.\pipe\gecko-crash-server-pipe.216" 5772 25d91d46058 tab
    3⤵
    PID:5508
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="216.10.1215548422\859143931" -childID 9 -isForBrowser -prefsHandle 4876 -prefMapHandle 4872 -prefsLen 29905 -prefMapSize 232645 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54f316e8-642c-451d-b699-fc2dffad64c5} 216 "\\.\pipe\gecko-crash-server-pipe.216" 4884 25d9231f658 tab
    3⤵
    PID:1700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="216.11.1075621613\152588798" -childID 10 -isForBrowser -prefsHandle 6196 -prefMapHandle 10124 -prefsLen 29905 -prefMapSize 232645 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3951ed45-5930-4b93-bb2d-3388ed1f56ae} 216 "\\.\pipe\gecko-crash-server-pipe.216" 10076 25d8f1b4d58 tab
    3⤵
    PID:6036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="216.12.249986968\635441688" -childID 11 -isForBrowser -prefsHandle 10148 -prefMapHandle 2788 -prefsLen 29905 -prefMapSize 232645 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aab2ea0a-ae86-4506-9d9b-cdf46ad76071} 216 "\\.\pipe\gecko-crash-server-pipe.216" 10176 25d91a59558 tab
    3⤵
    PID:5428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="216.13.1713978689\1122013181" -childID 12 -isForBrowser -prefsHandle 4064 -prefMapHandle 8968 -prefsLen 30041 -prefMapSize 232645 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c51cce00-cca0-4e63-8a76-6d203a6580bc} 216 "\\.\pipe\gecko-crash-server-pipe.216" 10104 25d8ada2258 tab
    3⤵
    PID:5308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58e2fb.rbs

Filesize
8KB

MD5
9ccf1aca73bed2ef77f38cbfb17abfbc

SHA1
04249aaa188e3c0a086d2ac5d635a72d84018345

SHA256
a7c892f28e7a751a89eb9f19e15de5c14decb6399755281315f6891dad94f6bb

SHA512
1335569e3780427fe7f524030744ca2ed09f7a84deb44478690cbce5b395b04a7acab949a5cfc9478d38a06c0686aaa952b1f665f6937970ec46c5aff96d0273

Download Submit
C:\Config.Msi\e58e2fd.rbs

Filesize
456B

MD5
bcbc9375b63c0cfb2caa49737e83c1ba

SHA1
1bfc96917ba01f431ef422a4b59fe15d3eee74d9

SHA256
c32817125f1b212ff45b0d3829151f1d4b004ebdff298144bc0463aa24276b60

SHA512
02d8667b66511751194901e188ef368c2425a86b0a22a6dc866e55fa713a77b15f46d9a249eb30b4c52ac7562809e955cc88b37bcfb3030b51904891e3675913

Download Submit
C:\Program Files\WireGuard\wireguard.exe

Filesize
7.8MB

MD5
18d5b6964a434af936e1db19d969dbbb

SHA1
61ab3ac36394d5a49b6e24cf6498a1f80f3a6a99

SHA256
32717d15b57965adf78b33f61db32cb26e11759dd78d441a218dd349c731a160

SHA512
73588b50a865f0191c057e0896e93168b54436656a2c08ca7f2777593bb528e2ab16c5a37dafa7489765f2736381a9ccf4bfa43374da22208c3a87c14165bb03

Download Submit
C:\Program Files\WireGuard\wireguard.exe

Filesize
7.8MB

MD5
18d5b6964a434af936e1db19d969dbbb

SHA1
61ab3ac36394d5a49b6e24cf6498a1f80f3a6a99

SHA256
32717d15b57965adf78b33f61db32cb26e11759dd78d441a218dd349c731a160

SHA512
73588b50a865f0191c057e0896e93168b54436656a2c08ca7f2777593bb528e2ab16c5a37dafa7489765f2736381a9ccf4bfa43374da22208c3a87c14165bb03

Download Submit
C:\Program Files\WireGuard\wireguard.exe

Filesize
7.8MB

MD5
18d5b6964a434af936e1db19d969dbbb

SHA1
61ab3ac36394d5a49b6e24cf6498a1f80f3a6a99

SHA256
32717d15b57965adf78b33f61db32cb26e11759dd78d441a218dd349c731a160

SHA512
73588b50a865f0191c057e0896e93168b54436656a2c08ca7f2777593bb528e2ab16c5a37dafa7489765f2736381a9ccf4bfa43374da22208c3a87c14165bb03

Download Submit
C:\Program Files\WireGuard\wireguard.exe

Filesize
7.8MB

MD5
18d5b6964a434af936e1db19d969dbbb

SHA1
61ab3ac36394d5a49b6e24cf6498a1f80f3a6a99

SHA256
32717d15b57965adf78b33f61db32cb26e11759dd78d441a218dd349c731a160

SHA512
73588b50a865f0191c057e0896e93168b54436656a2c08ca7f2777593bb528e2ab16c5a37dafa7489765f2736381a9ccf4bfa43374da22208c3a87c14165bb03

Download Submit
C:\Program Files\WireGuard\wireguard.exe

Filesize
7.8MB

MD5
18d5b6964a434af936e1db19d969dbbb

SHA1
61ab3ac36394d5a49b6e24cf6498a1f80f3a6a99

SHA256
32717d15b57965adf78b33f61db32cb26e11759dd78d441a218dd349c731a160

SHA512
73588b50a865f0191c057e0896e93168b54436656a2c08ca7f2777593bb528e2ab16c5a37dafa7489765f2736381a9ccf4bfa43374da22208c3a87c14165bb03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\026A86A161D256DBB33076EDF20C0E5E_86AB612B21DEDF3B8CD155ED2E4114FF

Filesize
812B

MD5
25c5faca96f6451a176f9e3776b22324

SHA1
66339a1e2c9fa166c00bc135a42c9a35b1fed9f2

SHA256
5ca35412eb9395b3a5ff2002aeaff77cf582f76f33647116ed6004f6e79eaddd

SHA512
f868a52d12fe853c28ad4b8c8a0208793341a84aa3bdfa7a1bb8c2088801883f6f08c5212c973c0ecf00261fd47cab72e2d82e25f7b69301510258628a68fc93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A37B8BA80004D3266CB4D93B2052DC10_EBDB5A7037F08CDFB408DBFC0D44B43D

Filesize
1KB

MD5
914855676f32d7fb3dbfd57e9cffb9d0

SHA1
4126030a4454259342b5c70b19392b06b94f8282

SHA256
e98fab02854fb236855a05a98127e4c8a207193379e99cb1a89e30d2117fc5e5

SHA512
46423bab9bde6ffe45e23bcef9f745c1b940eeab157ed40349c302f356c7e3570d16f181afa17d1cda0c5da975e4ac4e2e8595dcb57709d6e28c72146c18a5c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AF360AACB1570042DEFBC833317997D0_6D40F27EBCB4D57A7D8447DAAC4FFE30

Filesize
806B

MD5
9ca489e7764f73effe202050692964be

SHA1
6e4cf3332241a2b4888bc0d5b9344c34d0d7bbab

SHA256
9956c2b4c58ec988d3921d8cc939b68f68a70a7df5b954a8c4923f091cd7302e

SHA512
338b03c98253d327a4ba81febd1aadd366331085262213ca57464542dc17347ef6cdabaf07a0d56b699db3c4b036d761ff99a85af277175a16be15a661454cb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\026A86A161D256DBB33076EDF20C0E5E_86AB612B21DEDF3B8CD155ED2E4114FF

Filesize
540B

MD5
d1c2a6b23662569c2cfb8e62e6ee8168

SHA1
545f9100e61b58029322a731c0e0f7cf7922900f

SHA256
0d2c78942a2958916f8570f90be90d98b95e8422bcaee387ce7304778e67b092

SHA512
6bd96d332ea210b8e7754e8a448d9ee7233f278d40560dde0f84e82f35ba5c606fcb4d1e8234bc5a296a71950aa370dd8089badfac9097357a57bd5b2129363f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A37B8BA80004D3266CB4D93B2052DC10_EBDB5A7037F08CDFB408DBFC0D44B43D

Filesize
528B

MD5
b2471428c1d001f3f1b76da51ac8c613

SHA1
48e4bb767cf78252dbd22f2d3334adede28f620e

SHA256
5c50d1f7c1dcbed35dbb8ad53d234d3ede1a0eed46054f20dbeb539cac8941d0

SHA512
2a3f59c303d23240b8ff85828821a8e55422807f6bdeba8a1832837bbb66e0a93c1d5f98d668aec9f56d64e6a26a63c7e620bb3bc652fea20a5300220f3aa188

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AF360AACB1570042DEFBC833317997D0_6D40F27EBCB4D57A7D8447DAAC4FFE30

Filesize
540B

MD5
7d0d7d8d215515a9adaa6a2029c4f9c9

SHA1
440a0b5b642b24e473d0c790f627c476d77e1c8f

SHA256
9d019763ba9b501898a003fc3fb7d4423460534e67017d26ce71914af8fbe5a1

SHA512
3bf1623d1a92f2d6ccd3ddeea7e34172d139814daaa1fc309aa43e4f7f6e9899792f3dae9e7766bd5766116e9fd99f41c628e8abe11a4f36920b2d5476749ccb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8411007bafe7b1182af1ad3a1809b4f8

SHA1
4a78ee0762aadd53accae8bb211b8b18dc602070

SHA256
1f274d0d144942d00e43fb94f9c27fc91c68dce50cd374ac6be4472b08215ca3

SHA512
909e2e33b7614cb8bbd14e0dfff1b7f98f4abbf735f88292546ce3bfa665e4cb5ee4418561004e56afc5dd30d21483b05f6358dad5624c0dc3ab1ba9a3be18eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2de1c0d2-04aa-4a41-9319-9b29edc9cfa3.tmp

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
00a455d9d155394bfb4b52258c97c5e5

SHA1
2761d0c955353e1982a588a3df78f2744cfaa9df

SHA256
45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

SHA512
9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
93d6358a80c89ccd8e029c34dbeb6a62

SHA1
46072b5c7d47dbe7db3dcd23268077823051c0a7

SHA256
c2f13764989f2265220080c6e2afbc1b0b20ae1a7161e6f9fdb79b89c87e7649

SHA512
2c74a7c00d08fa406df0d31a6c50f3961b05dbe801c279433b70259714273d559a5190b4596682b2b1e0a6ddce30b1f35b942373891eea8de9a8ae8c5c24d9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f03743e19fd51020561f2ba1c564bec2

SHA1
e23c247342b66bdd6bbcec6edf4edc2be905e01e

SHA256
9eeab40b51c897e4225137ce763fe8e91db2d846c66fde3354b90dc82933a8a3

SHA512
0ce214e18b87621d6ad27f5128e1b1d0d5efec6101f7514a818cf60ffd38c68b13bc8f4752f9de6588ef6655ac871cadf0a864f90fe2f30b858c9fce628bb8ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c57bd01988a8c827a79bb63756e6d983

SHA1
c57050640d2af319bd9594b587a288c1ee113941

SHA256
859d31a4dec4e3cd36d81e1bdec90209014bcd85d5d78a187071048b34cbbb42

SHA512
dc259cdf056a63a8441b09134a37a8c0e24425b107690757a1e09e3e1bf974a2ab5d96ba271753e459d89e72cfb07173451f43d686ea7ef5d41fbdb105fe7952

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c0208ff1253af56d2b4d48941a115622

SHA1
f497acf5d1193ab100ec9d6fce5059abe767e4fd

SHA256
031a54f9cb9ec6fc99b491258cd4432195d4980425db2f921006fe45e5587c76

SHA512
92e2ff67383029ad38efa87eb7ef7ca49719aecefc697d8865dc171c09889f932fa12f270f5c6360df5ac36a553304f130ca88419cc095964ba82c1a8625d708

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
70c59e4df4cc43b92cd76af8ec803ac8

SHA1
b8f216e629294537390ed86ba08f19e7c086c582

SHA256
462258a64e013f1fb51bc1957f6f4787a736c98da4a5f2f5026fb2ad0ffa20e5

SHA512
934150c4fc727a562f1b6a2e51fe151d4fd5f727783d863632b5522f44b7f3858516cedb8db9029c2f4222a2c0d6e235897ac83d1f32a09ae3c4ebe953c67a76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
8caf4d73cc5a7d5e3fb3f9f1a9d4a0cc

SHA1
83f8586805286b716c70ddd14a2b7ec6a4d9d0fe

SHA256
0e0c905b688340512e84db6cf8af6dbdfe29195fefde15bd02e4917a2c5fda8c

SHA512
084ef25ea21ee1083735c61b758281ba84b607e42d0186c35c3700b24a176ada47bf2e76ed7dadd3846f2b458c977e83835ced01cda47cdd7ab2d00e5a1a294e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ab50824a-7352-4f68-8a0c-e8ff3ca36cc6.tmp

Filesize
5KB

MD5
0e566b97eb4a80f52559839766b3ae5f

SHA1
65bc69c52d3af4d05737308264e513ae445772f3

SHA256
da5a544475589f3601fca8f3c17263d07d7d3f6b21b31e2c741cca2922937160

SHA512
62ad590a5405cd24c461291ec0e01e705d7b639517412aa97de92b8d8ea1bd0c18a7a38c3f4217ff0fc2c6f938600a855702febfc0b74729c4e6a3448339600c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
6cef3cc220849ee2e98a76547c53250c

SHA1
53245ea688650a82d5ddc4c37c550dd6e1972fc0

SHA256
4f15e2f51e301d8dbea7a0c7128a878f3f5350cda1aedb276628e1f4ee4cdff2

SHA512
6bd652f299cd176f4614122c98bed16a8fadc334cccae3bf41a31b8f6ea004abea1d97e7f80425d9d09f071b32256d570114ea8a955dc25378a9b9b31c9fbdff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
f33a1508a50069622e4a2a229687afa5

SHA1
afd3b6beae950f01b7c5dbaae826eca64a44a36c

SHA256
911e2ef71ff9bc427d86e9ca73a06ab419cf9c945eb4c1e4a87cfdcd565b37c2

SHA512
22cc8fbf9eeb609e92ce202ebd8141f87ecc534f9327aa70188316d66176d3cbb791de9c98cae72ff7be166c16b093d9305b5a926d8c7e7b8ead7dc40dacac66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
13KB

MD5
472ba3bb634444a866363fd0cd71fa59

SHA1
c786a469ce220ff26485ab4e32cc3e01058bb0c3

SHA256
b5e8fccb4a8504c88c144f872e3c18e556eea87baade3dddf5835dd866c63172

SHA512
6ddc4bc81e97eab77c0f7a9fdb93bd06ab79290b60caee8080fd38bfed3cbf0278203375410cb604a5f4678912910a5476d141e327ee36652dd2b78020d86420

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
13KB

MD5
6b8bb4f39aca8e99d84e8b0ce9743652

SHA1
2e055c2789e920adf9afbc30dc98b7a6a152d9e9

SHA256
4d55366be6bd2cda0dc52672ccebcc498c6ca813e2ee7fb755fdfc6f98c9185b

SHA512
5906798c20d6befb9338d42e7d01d519f9dbdc2669f498e47f515537be0adb0b58c6d6b80c739a35574e48e2cce950c8b797a7396947609a767b98a21c49d311

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\activity-stream.discovery_stream.json.tmp

Filesize
153KB

MD5
d1323396b09bce2296ed46e4d270a514

SHA1
3e01ea2441dc7f9a0490c8523dbbf3d42ace20a7

SHA256
08ec9bb088fbd45a4a3e525ea059de8bbed875a72ac813f440bc19cc09d48a1d

SHA512
b1db312bece7efb43a445c208c9c325999fe1fbc3f5866baec4ccf553a614b23e6dd0670d79f21cd0ea82d4c5b4d4007cc3d23c97ebf6a97d621ca0a04762664

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\cache2\doomed\10642

Filesize
92B

MD5
a81b916ae57c5fb38f715388c2f07be9

SHA1
9bd3cce01a498fa89be5d2465297d6bcbf2d86d6

SHA256
3549898f62f2f918c737ff5e3172c5c92b052daa078f79fb7d2df284c52ee6aa

SHA512
5d0bc06d40e460b9c603ba7cc8c29df1d15626f77ebaec173bb289cae76d3a2f8dbd73ac33445356d8766ec7b7c16d5c58158173e8d6467b1b8d7a6db56c32b6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\cache2\doomed\27545

Filesize
9KB

MD5
4a06dd6ce8c6eec498e5397223a8f543

SHA1
201d4e5417cb6aae24abc9c06b28467bf2125465

SHA256
e4b4ebcbf7a0349c799d398f9237c0ab6968d6c91b4f24b760c8f6026b3032f4

SHA512
3840a3e0e2f55d795ea9b3bfd94b84c9d0ff1d4708875d187527446aae497cbdb9b85579e8c4cc8b8277158c5df2292fb3efa0f046fb09fae96b460719b5a6d6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\cache2\doomed\29723

Filesize
9KB

MD5
6fff0c114a7d87a355c8f68716795aa0

SHA1
575d10656a52ad30e403375ba682d1c1a5c2b2b3

SHA256
6a945df7d3be7997093e6d7d730ec8656df80df96ac807b2cb5ee892af433d22

SHA512
9dafa6812a257fe4da49e2405d9e7e48bb7466b4c41c77016cc21ecd9097e0fac9e73490affa863a5e00338b4f127a06a263e589e5a44435fbbad95872d1894b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\cache2\entries\118BB2BA245AAA64B01692DF29396B97E11FC1A0

Filesize
14KB

MD5
0ce894ed51085975bc774cf034d1275e

SHA1
af07bedac5a0f364af870463694f58fbbbce411c

SHA256
63b60d8a580aa9ad06f7a391e5d7e588248e560cec4f2deb4cd6e8786057747c

SHA512
67696f5a5cc5d261eb235f44f16e9a93f9a55901b53f22dce959f374afab0579e0188ee30f9af0a22006d34dcc084e3ee42c801a412fbc65a63d5cb1ce85fa7a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\cache2\entries\74ED3CBE7F41983B99EDED451B8999F6DAE2526C

Filesize
14KB

MD5
823e02ac8b6af395e922d581845e532c

SHA1
7ac8cc10aff60525b884c22c3e5f6571f267412f

SHA256
39bf86cc30266328f70f6364239d6e5beb8bfe52a0114cdf7bc08de07645c56e

SHA512
13877955a0d972fa43507abdf815e41de03d4aa1b67df3f529087dcf76bbc02b2deb01346055e791d03b3f19d116acf099fd8659fbcdcf20e84f19d1f064cbeb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\cache2\entries\AF09C34F82A5421807EB3A59C2A3822F960C41D4

Filesize
17KB

MD5
6813ad860bfcd2d610ce22802817ebb5

SHA1
0c7694db1367b64f4b265aeade5311853f401cf4

SHA256
859073ac29009b5b2a755eb214317719cc7b03985e250b41e348d91afb4625a9

SHA512
05c3b8640ef48819501a2b55748289075e62a67bbdaf80f1331408c9b19dd974c9f4289db803277691732b4470fbc19bd23c4cf32aa7e77ebfe7e79c3f208176

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\personality-provider\nb_model_build_attachment_arts_and_entertainment.json

Filesize
67KB

MD5
6c651609d367b10d1b25ef4c5f2b3318

SHA1
0abcc756ea415abda969cd1e854e7e8ebeb6f2d4

SHA256
960065cc44a09bef89206d28048d3c23719d2f5e9b38cfc718ca864c9e0e91e9

SHA512
3e084452eefe14e58faa9ef0d9fda2d21af2c2ab1071ae23cde60527df8df43f701668ca0aa9d86f56630b0ab0ca8367803c968347880d674ad8217fba5d8915

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\personality-provider\nb_model_build_attachment_autos_and_vehicles.json

Filesize
44KB

MD5
39b73a66581c5a481a64f4dedf5b4f5c

SHA1
90e4a0883bb3f050dba2fee218450390d46f35e2

SHA256
022f9495f8867fea275ece900cfa7664c68c25073db4748343452dbc0b9eda17

SHA512
cfb697958e020282455ab7fabc6c325447db84ead0100d28b417b6a0e2455c9793fa624c23cb9b92dfea25124f59dcd1d5c1f43bf1703a0ad469106b755a7cdd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\personality-provider\nb_model_build_attachment_beauty_and_fitness.json

Filesize
33KB

MD5
0ed0473b23b5a9e7d1116e8d4d5ca567

SHA1
4eb5e948ac28453c4b90607e223f9e7d901301c4

SHA256
eed46e8fe6ff20f89884b4fc68a81e8d521231440301a01bb89beec8ebad296b

SHA512
464508d7992edfa0dfb61b04cfc5909b7daacf094fc81745de4d03214b207224133e48750a710979445ee1a65bb791bf240a2b935aacaf3987e5c67ff2d8ba9c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\personality-provider\nb_model_build_attachment_blogging_resources_and_services.json

Filesize
33KB

MD5
c82700fcfcd9b5117176362d25f3e6f6

SHA1
a7ad40b40c7e8e5e11878f4702952a4014c5d22a

SHA256
c9f2a779dba0bc886cc1255816bd776bdc2e8a6a8e0f9380495a92bb66862780

SHA512
d38e65ab55cee8fef538ad96448cd0c6b001563714fc7b37c69a424d0661ec6b7d04892cf4b76b13ddbc7d300c115e87e0134d47c3f38ef51617e5367647b217

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\personality-provider\nb_model_build_attachment_books_and_literature.json

Filesize
67KB

MD5
df96946198f092c029fd6880e5e6c6ec

SHA1
9aee90b66b8f9656063f9476ff7b87d2d267dcda

SHA256
df23a5b6f583ec3b4dce2aca8ff53cbdfadfd58c4b7aeb2e397eade5ff75c996

SHA512
43a9fc190f4faadef37e01fa8ad320940553b287ed44a95321997a48312142f110b29c79eed7930477bfb29777a5a9913b42bf22ce6bb3e679dda5af54a125ea

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\personality-provider\nb_model_build_attachment_business_and_industrial.json

Filesize
45KB

MD5
a92a0fffc831e6c20431b070a7d16d5a

SHA1
da5bbe65f10e5385cbe09db3630ae636413b4e39

SHA256
8410809ebac544389cf27a10e2cbd687b7a68753aa50a42f235ac3fc7b60ce2c

SHA512
31a8602e1972900268651cd074950d16ad989b1f15ff3ebbd8e21e0311a619eef4d7d15cdb029ea8b22cf3b8759fa95b3067b4faaadcb90456944dbc3c9806a9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\personality-provider\nb_model_build_attachment_computers_and_electronics.json

Filesize
45KB

MD5
6ccd943214682ac8c4ec08b7ec6dbcbd

SHA1
18417647f7c76581d79b537a70bf64f614f60fa2

SHA256
ab20b97406b0d9bf4f695e5ec7db4ebad5efb682311e74ca757d45b87ffc106b

SHA512
e57573d6f494df8aa7e8e6a20427a18f6868e19dc853b441b8506998158b23c7a4393b682c83b3513aae5075a21148dd8ca854a11dabcea6a0a0db8f2e6828b8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\personality-provider\nb_model_build_attachment_finance.json

Filesize
33KB

MD5
e95c2d2fc654b87e77b0a8a37aaa7fcf

SHA1
b4b00c9554839cab6a50a7ed8cd43d21fdaf35dc

SHA256
384bf5fcc6928200c7ebb1f03f99bf74f6063e78d3cd044374448f879799318e

SHA512
9696998a8d0e3a85982016ff0a22bb8ae1790410f1f6198bb379c0a192579f24c75c25c7648b76b00d25a32ac204178acaccd744ee78846dfc62ebf70bf7b93a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\personality-provider\nb_model_build_attachment_food_and_drink.json

Filesize
67KB

MD5
70ba02dedd216430894d29940fc627c2

SHA1
f0c9aa816c6b0e171525a984fd844d3a8cabd505

SHA256
905357002f2eced8bba1be2285a9b83198f60d2f9bb1144b5c119994f2ec6e34

SHA512
3ae60d0bf3c45d28e340d97106790787be2cc80ba579d313b5414084664b86e89879391c99e94b6e33bdc5508ea42a9fd34f48ca9b1e7adfa7b6dd22c783c263

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\personality-provider\nb_model_build_attachment_games.json

Filesize
44KB

MD5
4182a69a05463f9c388527a7db4201de

SHA1
5a0044aed787086c0b79ff0f51368d78c36f76bc

SHA256
35e67835a5cf82144765dfb1095ebc84ac27d08812507ad0a2d562bf68e13e85

SHA512
40023c9f89e0357fae26c33a023609de96b2a0b439318ef944d3d5b335b0877509f90505d119154eaa81e1097ecfb5aa44dd8bb595497cdecfc3ee711a1fe1d5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\personality-provider\nb_model_build_attachment_health.json

Filesize
33KB

MD5
11711337d2acc6c6a10e2fb79ac90187

SHA1
5583047c473c8045324519a4a432d06643de055d

SHA256
150f21c4f60856ab5e22891939d68d062542537b42a7ce1f8a8cec9300e7c565

SHA512
c2301ed72f623b22f05333c5ecc5ebf55d8a2d9593167cc453a66d8f42c05ff7c11e2709b6298912038a8ea6175f050bbc6d1fc4381f385f7ad7a952ad1e856b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\personality-provider\nb_model_build_attachment_hobbies_and_leisure.json

Filesize
67KB

MD5
bb45971231bd3501aba1cd07715e4c95

SHA1
ea5bfd43d60a3d30cda1a31a3a5eb8ea0afa142a

SHA256
47db7797297a2a81d28c551117e27144b58627dbac1b1d52672b630d220f025d

SHA512
74767b1badbd32cacd3f996b8172df9c43656b11fea99f5a51fff38c6c6e2120fae8bdd0dd885234a3f173334054f580164fdf8860c27cbcf5fb29c5bcdc060d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\personality-provider\nb_model_build_attachment_home_and_garden.json

Filesize
33KB

MD5
250acc54f92176775d6bdd8412432d9f

SHA1
a6ad9ad7519e5c299d4b4ba458742b1b4d64cb65

SHA256
19edd15ebce419b83469d2ab783c0c1377d72a186d1ff08857a82bca842eea54

SHA512
a52c81062f02c15701f13595f4476f0a07735034fcf177b1a65b001394a816020ee791fed5afae81d51de27630b34a85efa717fe80da733556fdda8739030f49

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\personality-provider\nb_model_build_attachment_internet_and_telecom.json

Filesize
67KB

MD5
36689de6804ca5af92224681ee9ea137

SHA1
729d590068e9c891939fc17921930630cd4938dd

SHA256
e646d43505c9c4e53dbaa474ef85d650a3f309ccf153d106f328d9b6aeb66d52

SHA512
1c4f4aa02a65a9bbdf83dc5321c24cbe49f57108881616b993e274f5705f0466be2dd3389055a725b79f3317c98bdf9f8d47f86d62ebd151e4c57cc4dca2487c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\personality-provider\nb_model_build_attachment_jobs_and_education.json

Filesize
33KB

MD5
2d69892acde24ad6383082243efa3d37

SHA1
d8edc1c15739e34232012bb255872991edb72bc7

SHA256
29080288b2130a67414ecb296a53ddd9f0a4771035e3c1b2112e0ce656a7481a

SHA512
da391152e1fbce1f03607b486c5dea9a298a438e58e440ebb7b871bd5c62d7339b540eed115b4001b9840de1ba3898c6504872ff9094ba4d6a47455051c3f1c5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\personality-provider\nb_model_build_attachment_law_and_government.json

Filesize
68KB

MD5
80c49b0f2d195f702e5707ba632ae188

SHA1
e65161da245318d1f6fdc001e8b97b4fd0bc50e7

SHA256
257ee9a218a1b7f9c1a6c890f38920eb7e731808e3d9b9fc956f8346c29a3e63

SHA512
972e95de7fe330c61cd22111bd3785999d60e7c02140809122d696a1f1f76f2cd0d63d6d92f657cdec24366d66b681e24f2735a8aabb8bcecec43c74e23fb4f5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\personality-provider\nb_model_build_attachment_online_communities.json

Filesize
67KB

MD5
37a74ab20e8447abd6ca918b6b39bb04

SHA1
b50986e6bb542f5eca8b805328be51eaa77e6c39

SHA256
11b6084552e2979b5bc0fd6ffdc61e445d49692c0ae8dffedc07792f8062d13f

SHA512
49c6b96655ba0b5d08425af6815f06237089ec06926f49de1f03bc11db9e579bd125f2b6f3eaf434a2ccf10b262c42af9c35ab27683e8e9f984d5b36ec8f59fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\personality-provider\nb_model_build_attachment_people_and_society.json

Filesize
45KB

MD5
b1bd26cf5575ebb7ca511a05ea13fbd2

SHA1
e83d7f64b2884ea73357b4a15d25902517e51da8

SHA256
4990a5d17bea15617624c48a0c7c23d16e95f15e2ec9dd1d82ee949567bbaec0

SHA512
edcede39c17b494474859bc1a9bbf18c9f6abd3f46f832086db3bb1337b01d862452d639f89f9470ca302a6fcb84a1686853ebb4b08003cb248615f0834a1e02

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\personality-provider\nb_model_build_attachment_pets_and_animals.json

Filesize
44KB

MD5
5b26aca80818dd92509f6a9013c4c662

SHA1
31e322209ba7cc1abd55bbb72a3c15bc2e4a895f

SHA256
dd537bfb1497eb9457c0c8ecbd2846f325e13ddef3988fd293a29e68ab0b2671

SHA512
29038f9f3b9b12259fb42daa93cdefabb9fb32a10f0d20f384a72fe97214eff1864b7fa2674c37224b71309d7d9cea4e36abd24a45a0e65f0c61dc5ca161ec7c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\personality-provider\nb_model_build_attachment_real_estate.json

Filesize
67KB

MD5
9899942e9cd28bcb9bf5074800eae2d0

SHA1
15e5071e5ed58001011652befc224aed06ee068f

SHA256
efcf6b2d09e89b8c449ffbcdb5354beaa7178673862ebcdd6593561f2aa7d99a

SHA512
9f7a5fbe6d46c694e8bc9b50e7843e9747ea3229cf4b00b8e95f1a5467bd095d166cbd523b3d9315c62e9603d990b8e56a018ba4a11d30ad607f5281cc42b4cd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\personality-provider\nb_model_build_attachment_reference.json

Filesize
56KB

MD5
567eaa19be0963b28b000826e8dd6c77

SHA1
7e4524c36113bbbafee34e38367b919964649583

SHA256
3619daa64036d1f0197cdadf7660e390d4b6e8c1b328ed3b59f828a205a6ea49

SHA512
6766919b06ca209eaed86f99bee20c6dad9cc36520fc84e1c251a668bcfe0afcf720ea6c658268dc3bbaaf602bfdf61eb237c68e08d5252ea6e5d1d2a373b9fe

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\personality-provider\nb_model_build_attachment_science.json

Filesize
56KB

MD5
7a8fd079bb1aeb4710a285ec909c62b9

SHA1
8429335e5866c7c21d752a11f57f76399e5634b6

SHA256
9606ce3988b2d2a4921b58ac454f54e53a9ea8f358326522a8b1dcc751b50b32

SHA512
8fc1546e509b5386c9e1088e0e3a1b81f288ef67f1989f3e83888057e23769907a2b184d624a4e4c44fcd5b88d719bd4cca94dfb33798804a721b8be022ec0c6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\personality-provider\nb_model_build_attachment_shopping.json

Filesize
67KB

MD5
97d4a0fd003e123df601b5fd205e97f8

SHA1
a802a515d04442b6bde60614e3d515d2983d4c00

SHA256
bfd7e68ddca6696c798412402965a0384df0c8c209931bbadabf88ccb45e3bb6

SHA512
111e8a96bc8e07be2d1480a820fc30797d861a48d80622425af00b009512aacb30a2df9052c53bfbf4ee0800b6e6f5b56daa93d33f30fecb52e2f3850dfa9130

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\personality-provider\nb_model_build_attachment_sports.json

Filesize
56KB

MD5
ce4e75385300f9c03fdd52420e0f822f

SHA1
85c34648c253e4c88161d09dd1e25439b763628c

SHA256
44da98b03350e91e852fe59f0fc05d752fc867a5049ab0363da8bb7b7078ad14

SHA512
d119dc4706bbf3b6369fe72553cfacf1c9b2688e0188a7524b56d3e2ac85582a18bbee66d5594e0fb40767432646c23bf3e282090bd9b4c29f989a374aeae61f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\personality-provider\nb_model_build_attachment_travel.json

Filesize
67KB

MD5
48139e5ba1c595568f59fe880d6e4e83

SHA1
5e9ea36b9bb109b1ecfc41356cd5c8c9398d4a78

SHA256
4336ac211a822b0a5c3ce5de0d4730665acc351ee1965ea8da1c72477e216dfa

SHA512
57e826f0e1d9b12d11b05d47e2f5ae4f5787537862f26e039918cb14faff4bc854298c0b7de3023e371756a331c0f3ee1aa7cebbbf94ec70cdfc29e00a900ed1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\personality-provider\recipe_attachment.json

Filesize
1KB

MD5
be3d0f91b7957bbbf8a20859fd32d417

SHA1
fbc0380fe1928d6d0c8ab8b0a793a2bba0722d10

SHA256
fc07d42847eeaf69dcbf1b9a16eb48b141c11feb67aa40724be2aee83cb621b7

SHA512
8da24afcf587fbd4f945201702168e7cfc12434440200d00f09ddcd1d1d358a5e01065ac2a411fdf96a530e94db3697e3530578b392873cf874476b5e65d774a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-18467

Filesize
2.3MB

MD5
a5e76e525f10ba0c5e672983f5184225

SHA1
b897f2b8ec8862196b876bce9519675a5e7043b3

SHA256
3fe8954f11d61410428d8896b28a0ba9e519760ca27ef104a4328fbaddb92bad

SHA512
36f298904e74f93d7dba0f1c3c5d61c57a7dc60202f0a1beb5d3a8e25877526d5c596b05a2c3bf1d128fdce10e1761777774c23a565439923fbe589870ad0663

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-6334

Filesize
2.3MB

MD5
3b5042eac68a5a0b42d30dfd8a1c715a

SHA1
9fdff7c23238347dc2d5a42cd1bc60ddc68b6be2

SHA256
6d9ed640b40428aaebc0e96773386b979a5c345b583a0e20e6026bf6c7cacad4

SHA512
349c6642bdc5a3157a85446ff22de7f9817d5b1868dae2e890bd06d1770b5e71c81aa163aa81dd4f7b5a2f599919ff85ed578abf4daff9fafec872e66d602b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
9KB

MD5
07079a9072f2c4f781df7971d3168388

SHA1
7c8065a7d8fe722a1ecbb696f6a9f742d9bce7ee

SHA256
b94e00edae42389ce240da66962849a9b01449824ab52015fe857744f5f187fe

SHA512
fea33ae29c791c97f25a5d0143006ffab7685a20b5c0c2c383385343b217df0eacc92ba678948d628995a3da7b91f69c55e5fe7a0d16a3e55d03ab2f626b3112

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\bookmarkbackups\bookmarks-2023-07-05_11_FV+w84YL8p7M3s8ws19HOg==.jsonlz4

Filesize
954B

MD5
ae37ce6bfa720e452ac158529ff30d7c

SHA1
a378d69fae7b1ec51d4375dce4028f78503b6a64

SHA256
346fcaa917f307748248468139dcc7e28dda9110740983de9566b44f9f2f717a

SHA512
a97c47df4045933fbbccfbc89a7d81f29e82e2817fe3d03017dd522be7377b0a3bffa19f45191f0d70ba7619881d1d9ef04e0124c960519bfa7b9db42e06c831

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\broadcast-listeners.json

Filesize
216B

MD5
70063483b466c6040ce0eb5379401940

SHA1
a6c6896ae8bc0c1b4cc9fd2d4702530a8842f84e

SHA256
2aa775da20a2cb8ef995174b5e2a75679ce165add4d591c36ec69721cc7df8ef

SHA512
7132b2d3bea95b90fbc7cc71915334da309df9283a6cef74c7b3f8f0650e91d7eb907e68de8b7f125e156882ca234469ff09956f70aad01bf5014129b3062f2a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\prefs-1.js

Filesize
6KB

MD5
bea0bdfc530a70649a7082cc76f6a8e8

SHA1
d90d4b6f970d9591fbee5bc0a1dc8f7111dae261

SHA256
9cdfd4cace6564932d45647dd6c227f1f5b95953c66f07bd073bebf8d5f63f5c

SHA512
601cc167f8f918e33cb67f905ec0bf02bc8c71e2e9daace3c07dd310b56284e22dfddc1bd5e60902bcb6d4ae33ed183f4a558dc67a4cab7e90df69f73af237d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\prefs-1.js

Filesize
7KB

MD5
f6c4f581ad1e906e1482bd14a91a9ae9

SHA1
54f2b07e1728e6c6347cdbd53c5266a494c57822

SHA256
38783f7b333673590e02ad283a0291e98b48768e199fabb975b5ba9ff179c8b2

SHA512
72a32bad477d21216049f6fdd623429b7d56b7014b99cdee792170d5fcfe3c31ba2de390fbc3a180ff5d27b7341fabd07dab768395dace93289500f72021a8a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\prefs-1.js

Filesize
10KB

MD5
d7f51b3b3d5bda80c1c579e24b24f835

SHA1
bcdbe2b6178530b579b7c9b79c5ef8012a9131fe

SHA256
4b96e637b0612f3a4d89344492f3a7edc8fa751b14cb3618ccdb01e039f0c3d1

SHA512
fcd4aa6465bcdc398123f0975c5984a5bb1b235f7f4ea9de6ea66bbad00ac1b691749fb6ca82e81e97469a9ebb7d183141ba2f6862d1aa454f19e10c0638a830

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\prefs.js

Filesize
6KB

MD5
8a51779c3bf95a14f71a8fa54eaf1b0f

SHA1
50bd4f23bba69db6472904382c511e229ffdec34

SHA256
400a532f5bfc93c13a76d28457fc16dd182f51a14116e4d64ef58b9144340b4a

SHA512
38cafccf097530b771a9dbbd9619e379b241efa65b049fba0732cbca06dc9774f4d9d8eac4249201f3a14a04f13ff4343580910abceedaf6070ec5e3ceb9007e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
406197aa1ed04560d0fd5201f03efb44

SHA1
0e0000666aa997ce9bee1d8f40fc957feb66fe15

SHA256
4fef04c78f40f11d632c18d4a999c675a5282df99cb91edcb8668fd80917ef27

SHA512
ac01fecba7ade9e190b8eb29e1acc182de5721d6c20c76011ef5c88cba645019e1e1609251603b1658d20c14765e770feedcfa0e1dad5dbd03c23111fe87bbc5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
a047c8fec1cfe6758af699eab7b957a1

SHA1
b26ea850db0154d7e6dd2c278b10df3df426401c

SHA256
617f39c301650bcbb60ea7b2a3b7e106fdfa824e89b0e48ea431979fa8767ce2

SHA512
a73e58761fe5f7f409f5c005cfd1b8e99a4d940af7b3e0fc6860db2da2dc9c16ee24b93986fd4cb3157ecc2a06cfe4b97a4e1e5123f4795c622b9a60e7c056c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
f232aac2ea69b6081a3024a4deadf5b1

SHA1
493d0fb9f76268c08a171668e56c0997c970bb40

SHA256
2483de1084d424c096b49121a9603509800274e7deac4de53fb07c3e90da4b27

SHA512
4eb208c2f927d242e1b92c2417795547c47a211e90f0fe9d2f72b37ad0755aebf53818f269e9caaf7e16342adecc38f24766ff6bc3bbf34056e01c5e7bb00c9d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
c30c58764a0cbb7f7efd59c84ddc5f74

SHA1
18bd3021f084d662eee8cd388cf8fb8638837235

SHA256
986c51a2589cde98b4bd5dde08c14665655b5b59d64e5c6b6406eaa263adcdb4

SHA512
e52c9b740e09564a61028b7ea97385cb4d8b1a7b87c129188c9395506de33207ed5c2a3ab54f636e53be04406f89d4ffe76e65e48230cb61f2a74191ed53858f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
7131e37a41a4528e82d95470e12a8786

SHA1
57792cc3d2e59d2fd1695ea8aa6cb5c0a521b16d

SHA256
55000e6f269ae8d505c1056e491d7ee18aa6f03ca571a41cc0894a538c806041

SHA512
2192f40958e97374067e3b2c8214ff0c72ddba9d598d5bde83555a00085662dbc4e2b1642dcf1e4ed47b7cca8fb04062be0b45b3d2ff3e3d601e03958aa7ab8c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
6e4c704f9fc06ada767e02287da5a323

SHA1
e8d695378c077db09678827924a1f5d92740829f

SHA256
ecc06cb0e1b8aa19ab13a2f4d1c429b50d489074c6dbebc7fd5bd84241410381

SHA512
7c16c08066c4e21fd6c794bc38dfbae8a1249d58b1b8f464851081555f1c3ce25b6a7073fd2a71d55434c62cbb1342133b12357a4a223ffa63b390c27ea09d84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
afdc1b7882af5cf7b88a100e92410128

SHA1
f71aea56ae71fe3c0217e7c187fa3f3d91b4fe39

SHA256
38addbab294a5daa063a8cbcba151ed206b6d272469856e2237828a4bfe901c9

SHA512
44252a796e33a9d5ec3e49aee58ca78e18508bde42a202c2a4d841307a6d536b7e48e3531be609a826bf4c9b860fcac3026fed2bee1bd4c15d400c021e5404d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
631dae97bf0d6f065e87a3996271c259

SHA1
653168a02bb8b9e25f8350707f9f70896cc79ac0

SHA256
e5a3be7146c839a2d6ff34eb27e69af22dbd3b660798a2dce4cc081d5c7a5ef7

SHA512
927219e5059b03624a334ad10fbe4eb399b0584c09ad4cab7b82cad8d5a6c5d8ac756e61f6a20a21c2e990d974a122710b76bca6f741c4fcc405d8e796ab75b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
f96023215eb49478d6954ee55c5137f3

SHA1
920b234900ab27727a85b2ab92c1e1e3cef59432

SHA256
db96c7714607fcefb270385764028e176f7c994552c2792c7f91bed0eb0b603e

SHA512
6bc1edab0c1d0bebd0bc371012ae18a0eb23f567bb1cadb54816d55b6452d0fbcbf46cda9cd18bca402e588b5ce072b6ca61402871b2256a65a07cc04858eae6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\46be7tph.default-release\targeting.snapshot.json

Filesize
4KB

MD5
ecd8d6ff842e45e3620cc534ac836a91

SHA1
2e56b7e2d70eaeb3ccf907cd17780d769bd468df

SHA256
e4dd7fe1aef79de12483a9aa1d37b29a5b23337f8929ec1ef31077cf55c52f6c

SHA512
0819eba5c43c6fbc0071644538d438508a6d55fa43b7bcbeb64701091e476bf56d80f1cf2506889437f855669f241bb77c50d9ac2197e5e259b9dbe320e4c559

Download Submit
C:\Windows\Installer\MSIE73E.tmp

Filesize
34KB

MD5
457659d4d9c2058d1fca89dbc40c999b

SHA1
0c50d8e9127916409c150046a5ade7421d9b4c70

SHA256
f98350383a6a65079f742a03d38d04227ef7f045fc8d6844c3b1d087734c1da6

SHA512
98554de9a26b3fd358af3379c067c3e9ed275f9b79492b25fb318919ecd205f4d21f23de84651c2a5576a27a38ce2b6f5b77c306b537b11430fd257f7709df2e

Download Submit
C:\Windows\Installer\MSIE73E.tmp

Filesize
34KB

MD5
457659d4d9c2058d1fca89dbc40c999b

SHA1
0c50d8e9127916409c150046a5ade7421d9b4c70

SHA256
f98350383a6a65079f742a03d38d04227ef7f045fc8d6844c3b1d087734c1da6

SHA512
98554de9a26b3fd358af3379c067c3e9ed275f9b79492b25fb318919ecd205f4d21f23de84651c2a5576a27a38ce2b6f5b77c306b537b11430fd257f7709df2e

Download Submit
C:\Windows\Installer\MSIE81A.tmp

Filesize
34KB

MD5
457659d4d9c2058d1fca89dbc40c999b

SHA1
0c50d8e9127916409c150046a5ade7421d9b4c70

SHA256
f98350383a6a65079f742a03d38d04227ef7f045fc8d6844c3b1d087734c1da6

SHA512
98554de9a26b3fd358af3379c067c3e9ed275f9b79492b25fb318919ecd205f4d21f23de84651c2a5576a27a38ce2b6f5b77c306b537b11430fd257f7709df2e

Download Submit
C:\Windows\Installer\MSIE81A.tmp

Filesize
34KB

MD5
457659d4d9c2058d1fca89dbc40c999b

SHA1
0c50d8e9127916409c150046a5ade7421d9b4c70

SHA256
f98350383a6a65079f742a03d38d04227ef7f045fc8d6844c3b1d087734c1da6

SHA512
98554de9a26b3fd358af3379c067c3e9ed275f9b79492b25fb318919ecd205f4d21f23de84651c2a5576a27a38ce2b6f5b77c306b537b11430fd257f7709df2e

Download Submit
C:\Windows\Installer\MSIEA20.tmp

Filesize
34KB

MD5
457659d4d9c2058d1fca89dbc40c999b

SHA1
0c50d8e9127916409c150046a5ade7421d9b4c70

SHA256
f98350383a6a65079f742a03d38d04227ef7f045fc8d6844c3b1d087734c1da6

SHA512
98554de9a26b3fd358af3379c067c3e9ed275f9b79492b25fb318919ecd205f4d21f23de84651c2a5576a27a38ce2b6f5b77c306b537b11430fd257f7709df2e

Download Submit
C:\Windows\Installer\MSIEA20.tmp

Filesize
34KB

MD5
457659d4d9c2058d1fca89dbc40c999b

SHA1
0c50d8e9127916409c150046a5ade7421d9b4c70

SHA256
f98350383a6a65079f742a03d38d04227ef7f045fc8d6844c3b1d087734c1da6

SHA512
98554de9a26b3fd358af3379c067c3e9ed275f9b79492b25fb318919ecd205f4d21f23de84651c2a5576a27a38ce2b6f5b77c306b537b11430fd257f7709df2e

Download Submit
C:\Windows\Installer\MSIEA20.tmp

Filesize
34KB

MD5
457659d4d9c2058d1fca89dbc40c999b

SHA1
0c50d8e9127916409c150046a5ade7421d9b4c70

SHA256
f98350383a6a65079f742a03d38d04227ef7f045fc8d6844c3b1d087734c1da6

SHA512
98554de9a26b3fd358af3379c067c3e9ed275f9b79492b25fb318919ecd205f4d21f23de84651c2a5576a27a38ce2b6f5b77c306b537b11430fd257f7709df2e

Download Submit
C:\Windows\Installer\MSIEC24.tmp

Filesize
34KB

MD5
457659d4d9c2058d1fca89dbc40c999b

SHA1
0c50d8e9127916409c150046a5ade7421d9b4c70

SHA256
f98350383a6a65079f742a03d38d04227ef7f045fc8d6844c3b1d087734c1da6

SHA512
98554de9a26b3fd358af3379c067c3e9ed275f9b79492b25fb318919ecd205f4d21f23de84651c2a5576a27a38ce2b6f5b77c306b537b11430fd257f7709df2e

Download Submit
C:\Windows\Installer\MSIEC24.tmp

Filesize
34KB

MD5
457659d4d9c2058d1fca89dbc40c999b

SHA1
0c50d8e9127916409c150046a5ade7421d9b4c70

SHA256
f98350383a6a65079f742a03d38d04227ef7f045fc8d6844c3b1d087734c1da6

SHA512
98554de9a26b3fd358af3379c067c3e9ed275f9b79492b25fb318919ecd205f4d21f23de84651c2a5576a27a38ce2b6f5b77c306b537b11430fd257f7709df2e

Download Submit
C:\Windows\Installer\MSIECA2.tmp

Filesize
34KB

MD5
457659d4d9c2058d1fca89dbc40c999b

SHA1
0c50d8e9127916409c150046a5ade7421d9b4c70

SHA256
f98350383a6a65079f742a03d38d04227ef7f045fc8d6844c3b1d087734c1da6

SHA512
98554de9a26b3fd358af3379c067c3e9ed275f9b79492b25fb318919ecd205f4d21f23de84651c2a5576a27a38ce2b6f5b77c306b537b11430fd257f7709df2e

Download Submit
C:\Windows\Installer\MSIECA2.tmp

Filesize
34KB

MD5
457659d4d9c2058d1fca89dbc40c999b

SHA1
0c50d8e9127916409c150046a5ade7421d9b4c70

SHA256
f98350383a6a65079f742a03d38d04227ef7f045fc8d6844c3b1d087734c1da6

SHA512
98554de9a26b3fd358af3379c067c3e9ed275f9b79492b25fb318919ecd205f4d21f23de84651c2a5576a27a38ce2b6f5b77c306b537b11430fd257f7709df2e

Download Submit
C:\Windows\Installer\MSIECB3.tmp

Filesize
34KB

MD5
457659d4d9c2058d1fca89dbc40c999b

SHA1
0c50d8e9127916409c150046a5ade7421d9b4c70

SHA256
f98350383a6a65079f742a03d38d04227ef7f045fc8d6844c3b1d087734c1da6

SHA512
98554de9a26b3fd358af3379c067c3e9ed275f9b79492b25fb318919ecd205f4d21f23de84651c2a5576a27a38ce2b6f5b77c306b537b11430fd257f7709df2e

Download Submit
C:\Windows\Installer\MSIECB3.tmp

Filesize
34KB

MD5
457659d4d9c2058d1fca89dbc40c999b

SHA1
0c50d8e9127916409c150046a5ade7421d9b4c70

SHA256
f98350383a6a65079f742a03d38d04227ef7f045fc8d6844c3b1d087734c1da6

SHA512
98554de9a26b3fd358af3379c067c3e9ed275f9b79492b25fb318919ecd205f4d21f23de84651c2a5576a27a38ce2b6f5b77c306b537b11430fd257f7709df2e

Download Submit
C:\Windows\Temp\29de4e0f0337dfd8f5329774059d1a06cbae774cdbc9cd327317cd18426b6b4c

Filesize
2.7MB

MD5
7b284c4a07504facad872fbc4348b663

SHA1
1c88b528f51bfdff964580567860de85bbb7363d

SHA256
76fcec042c5989c5b816cd32eaed1e5b1c3b998a4b1c9eca55f299e3314ef7e4

SHA512
fdb8a2fbe22f80331114db09b297fcb19d870bfbed2d49cc567b3df8d179d5b47774cc915bed7cf78d8b5a716645ca11ecd019126f35e10839da631c6af0ec77

Download Submit
C:\Windows\Temp\29de4e0f0337dfd8f5329774059d1a06cbae774cdbc9cd327317cd18426b6b4c

Filesize
2.7MB

MD5
7b284c4a07504facad872fbc4348b663

SHA1
1c88b528f51bfdff964580567860de85bbb7363d

SHA256
76fcec042c5989c5b816cd32eaed1e5b1c3b998a4b1c9eca55f299e3314ef7e4

SHA512
fdb8a2fbe22f80331114db09b297fcb19d870bfbed2d49cc567b3df8d179d5b47774cc915bed7cf78d8b5a716645ca11ecd019126f35e10839da631c6af0ec77

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
4c0b45a5045dacad244087d0e853ad47

SHA1
be3711e487e33725cc207fa20a1a0bdea6c9afb7

SHA256
e207265a1c26efa6a495832c8a249c8aad8d1ad65d2335b64263680f8cd52741

SHA512
d6f6680adee2b0a4a7f9ea2169e3be34202e8bfe43fb47470fee249ab4338f6b9ec7b22bb669757ff6391cdf00a74bed06b9c1a73312a6121da72c4d552a6047

Download Submit
\??\Volume{e5d54008-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{275471fb-1ad5-49f0-bd92-b6da5884bff4}_OnDiskSnapshotProp

Filesize
5KB

MD5
155270fcd1d124fc4d7c41810d1a1a16

SHA1
9d5c8ab51f2a0302a53986329fe91180c322831e

SHA256
9426dd48d7686321b57ca5a049d5d8feb24995c9369de1f03bd05bcc7e093712

SHA512
26b05154e6ffbc59625b547d99117f2cfd80a0a126d52fffb78d3ae26c3e5260e0e0dd148242133dd07ca893a64e50dc2a0da3b6ac75792d4c2a184746ec1a01

Download Submit