bf515aa1bb9865424fa665d4e781980135cb44422a84e8c63ed18b000e7541b8

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18/07/2023, 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

agentactivationruntimestarter.exe
Size

13KB
MD5

a49c26aa0cadd994de158f51cb7eefbc
SHA1

1def17e66467910d0cb7984810efe5c0d366975a
SHA256

bf515aa1bb9865424fa665d4e781980135cb44422a84e8c63ed18b000e7541b8
SHA512

9c1b2307bdcc0f60c33ea1f8fb0d1bf1fa520b026968c1cf08a3467b3928c09ad9ffe120348644be2f12bfbfc999e882baf19cd57dba8e8cbd68fc8b5c019d4b
SSDEEP

192:wFcdVHZqzn/3dbd3380z/hDU48AoAvclD21FZpKsBJGJZ6lE96Uc7EN:1dVH8Tdbx8ExPvt0lDOVZlUc7

Score

1^/10

Malware Config

Signatures

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4692	msedge.exe
4692	msedge.exe
3388	msedge.exe
3388	msedge.exe
3428	identity_helper.exe
3428	identity_helper.exe
6264	msedge.exe
6264	msedge.exe
6264	msedge.exe
6264	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeShutdownPrivilege	892	svchost.exe
Token: SeShutdownPrivilege	892	svchost.exe
Token: SeCreatePagefilePrivilege	892	svchost.exe
Token: SeDebugPrivilege	3964	firefox.exe
Token: SeDebugPrivilege	3964	firefox.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe
3964	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3964	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3388 wrote to memory of 3772	3388	msedge.exe	97
PID 3388 wrote to memory of 3772	3388	msedge.exe	97
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 436	3388	msedge.exe	98
PID 3388 wrote to memory of 4692	3388	msedge.exe	99
PID 3388 wrote to memory of 4692	3388	msedge.exe	99
PID 3388 wrote to memory of 232	3388	msedge.exe	100
PID 3388 wrote to memory of 232	3388	msedge.exe	100
PID 3388 wrote to memory of 232	3388	msedge.exe	100
PID 3388 wrote to memory of 232	3388	msedge.exe	100
PID 3388 wrote to memory of 232	3388	msedge.exe	100
PID 3388 wrote to memory of 232	3388	msedge.exe	100
PID 3388 wrote to memory of 232	3388	msedge.exe	100
PID 3388 wrote to memory of 232	3388	msedge.exe	100
PID 3388 wrote to memory of 232	3388	msedge.exe	100
PID 3388 wrote to memory of 232	3388	msedge.exe	100
PID 3388 wrote to memory of 232	3388	msedge.exe	100
PID 3388 wrote to memory of 232	3388	msedge.exe	100
PID 3388 wrote to memory of 232	3388	msedge.exe	100
PID 3388 wrote to memory of 232	3388	msedge.exe	100
PID 3388 wrote to memory of 232	3388	msedge.exe	100
PID 3388 wrote to memory of 232	3388	msedge.exe	100
PID 3388 wrote to memory of 232	3388	msedge.exe	100
PID 3388 wrote to memory of 232	3388	msedge.exe	100
PID 3388 wrote to memory of 232	3388	msedge.exe	100
PID 3388 wrote to memory of 232	3388	msedge.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\agentactivationruntimestarter.exe
"C:\Users\Admin\AppData\Local\Temp\agentactivationruntimestarter.exe"
1⤵
PID:3796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x490 0x4a8
1⤵
PID:5060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff84f3c46f8,0x7ff84f3c4708,0x7ff84f3c4718
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,9290246681350204148,10067678652935633377,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,9290246681350204148,10067678652935633377,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,9290246681350204148,10067678652935633377,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9290246681350204148,10067678652935633377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:3284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9290246681350204148,10067678652935633377,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9290246681350204148,10067678652935633377,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9290246681350204148,10067678652935633377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,9290246681350204148,10067678652935633377,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,9290246681350204148,10067678652935633377,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9290246681350204148,10067678652935633377,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:6980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9290246681350204148,10067678652935633377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
  2⤵
  PID:6972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9290246681350204148,10067678652935633377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
  2⤵
  PID:7132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,9290246681350204148,10067678652935633377,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5804 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6264

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3796

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4016
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3964.0.688986298\916249752" -parentBuildID 20221007134813 -prefsHandle 1816 -prefMapHandle 1808 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {32116a5c-d84f-4e4e-b6a0-f68f0a3a6f23} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" 1896 1f0e1f08e58 gpu
    3⤵
    PID:5192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3964.1.1258241826\1264313519" -parentBuildID 20221007134813 -prefsHandle 2280 -prefMapHandle 2276 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d48d4b77-ae5f-4a89-be6b-3a53bdad939e} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" 2292 1f0d4d72258 socket
    3⤵
    PID:5260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3964.2.751124122\435359573" -childID 1 -isForBrowser -prefsHandle 3304 -prefMapHandle 3300 -prefsLen 21077 -prefMapSize 232675 -jsInitHandle 956 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d6c32bb-45a7-4f86-b8df-f6cd7f8eb59f} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" 2884 1f0e5761158 tab
    3⤵
    PID:5640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3964.4.1311095408\1031986333" -childID 3 -isForBrowser -prefsHandle 3684 -prefMapHandle 3688 -prefsLen 21118 -prefMapSize 232675 -jsInitHandle 956 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5f187a4-4928-440b-9f72-4322bbda5349} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" 3236 1f0e23b3958 tab
    3⤵
    PID:5780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3964.5.30357249\1077453435" -childID 4 -isForBrowser -prefsHandle 3832 -prefMapHandle 3836 -prefsLen 21118 -prefMapSize 232675 -jsInitHandle 956 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e465e44-f041-45a3-b268-8e27ea3ff3b7} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" 3916 1f0e58d7258 tab
    3⤵
    PID:5788
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3964.3.321519956\1012046854" -childID 2 -isForBrowser -prefsHandle 3212 -prefMapHandle 3032 -prefsLen 21118 -prefMapSize 232675 -jsInitHandle 956 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0cb1f9dc-1bf2-41a3-a98d-581b4fdf4ea5} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" 2932 1f0e23b2158 tab
    3⤵
    PID:5772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3964.6.1538395412\893422501" -childID 5 -isForBrowser -prefsHandle 4748 -prefMapHandle 4728 -prefsLen 21957 -prefMapSize 232675 -jsInitHandle 956 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5eb2fae1-4235-4786-ba4d-f83c95746164} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" 4756 1f0d4d65c58 tab
    3⤵
    PID:5244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3964.7.1994702134\992294711" -childID 6 -isForBrowser -prefsHandle 2944 -prefMapHandle 2828 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 956 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6d592f5-82cc-476e-a58e-0e302ff7af8c} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" 1572 1f0e3e7fb58 tab
    3⤵
    PID:928

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:4824

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5236
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  PID:1436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fc99b0086d7714fd471ed4acc862ccc0

SHA1
39a3c43c97f778d67413a023d66e8e930d0e2314

SHA256
45ef01f81605bfd96126d5520c5aa0304c7fa7d5fdb3e4d5b2dd2bf84e2afd96

SHA512
c308fa3eda9235d67a506a5f058fefb9a769ec01d7b0d4f5a2397892cc4f8155301c55c1fac23bebacdd087ab3f47f1eacc9ff88eff4115a7d67aa7b1d6581a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
de9515ba70034d15ff535b13852c3d51

SHA1
b302f5c9cd54c1de21cf93dc047d81f758e59c98

SHA256
217d8c22c3d1992aaa40c809e3c737df170badb5b88dd07866e83436d99335a3

SHA512
f5ba7db0384ac8175e7f3412861cb0f8429472c5c37b64dde12afdccb3765086dbd8b46d5783aa779550f902177d92e5475d9a5a83bc347f87cc69062120cadf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5a70206d71c48e60673a3afb5bc586bf

SHA1
c3a137827096f1a7df6243266376d7a746f3deb1

SHA256
2cae4f3a8adaf9e52a6c6e52efbe74428d6916f5a975aaeb434050c1e1136638

SHA512
5996c77acf600c4f4f46f0f65e5ec4f9bc3c90d1153e0ce8bbbf25ca780d9074e6c2d5d2a6b6d0e102e5cd0076efcc7750014659b6299be28c08f51df94a383b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c2b6b56fc75618bd78800315f266be99

SHA1
204a83a55cd715e80b73beb57a589a59a4aa6f43

SHA256
e858b42fbbe5ada79cc68a23cec5dc79fe0ddb2fbc7e875b6b36fc853dca9ac4

SHA512
b8e242f801569db7b5fe0b5d2e3c607a28616eb1ec207f7fe157467986bf24cce0d1e0ed5b81e3c5c0ea1b8f3e468091e5f8a73898362cc086302e80212e4fb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
96f00bbd6a174879c58220f95f0115f5

SHA1
d3d7f82b0bf27daf1b3903bfe050c2d05422050f

SHA256
644442e740a8c0bb20f712f6f84f5bf4a81bb29d4e9446b2832ca65618961107

SHA512
e7c5e90eb85aee7b81b9c163f618ad3789a48b256040f6f00eee7fce52c60e1ff491bf0538b9c846fb115b73163710e46a45ce056e3b41ca59d88c421502ccea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
dd30d85b378d110b62bd80951249d90d

SHA1
10b9aaeab7271d8eafaf256f5f85056aac6594f7

SHA256
673a6be58644b905b13a7a0319ae9492a7f97959f3d702207a72b2d21dc64154

SHA512
fb5feb106505e5ed391a1efae76e7077c0eb20e19d1ab132ce17ae739f6e5994b85ca6c74f56f4e2a2c12a273fef40910634171ba58871be329fd3621cdb24d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
0afd9e8d839e9520c973ff447cea6857

SHA1
f23380e7fa35f1cec2e4cf46b5daab13b5c8ab56

SHA256
17667ca5924f6b94aaf48eb27f1a446585875651dd37d5f213e5100a42b2e6b7

SHA512
6effbc79d291c6546fd4f15ab62f5e700b9adff33904dda5269d144e63f2c05ca664bae35db2c92eaa8a12de65fc8cfb21f4bd4e33d1f28d614c34adaf7838ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
1588bfa81c05c5859942b741b45b5aaa

SHA1
6e006fba21fcdc695177048551f93e1c8853068d

SHA256
515d54c6e74c6359c8614901d5d07a0bbe80669006386f522a7b6b3d3c4963b1

SHA512
4b183417f062c5f532316e84757376c5900081cfef4f16993ce22f9c64f701431c086723d5cf7453b749deedb0130a394d79682a142e79d305fc85554df3a29d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\activity-stream.discovery_stream.json.tmp

Filesize
135KB

MD5
be7d664d2ad046360d14e9e3a01247b0

SHA1
7dfa7e6b5187101664d36c9850ca83d350248d35

SHA256
9a5c7fec09495988872aa17442cfbe1c2cc20a81558c6fbc5813d962ca768ef3

SHA512
ab5980c77158d9cd565e69f9aef498669d4ac262d2813f1812516a3d894f13d921e0dcdf96d3dc666366ff77e675d1c91deebbeacf9060753a1e7ad41cf718e4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\cache2\entries\ED9826654AE8BD972BDE17A9E0A449D3F881E430

Filesize
14KB

MD5
a629388584749a837ab305fe644640a2

SHA1
a8df6a5b316ddc792a229f3e7689dce66340681e

SHA256
b9822567c3e30837a6f2636c4c21323f1db248c07838f22bf180e397585f13d6

SHA512
16e9e65ddc8d143a18544b3edba00e5dcdc7aa1b7f56d663ffa06c520155691797d2e6cabf591d0d45c9851cca60d0cd6ca3b48d1dc58c2ce0fd2afff5456a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\prefs-1.js

Filesize
6KB

MD5
9571a8f23c318a8a4a2c36c22eb3b05f

SHA1
45d91920a1531cef4511bcd24a92295e40eb8668

SHA256
5134336e02cd704657da485e21461e3827282f78302859b3d36c64cf0c70e4b3

SHA512
32fb2951433568af5d7cc7eb197c498e40c71d0758ddf70ee3d3f40eadc88072171452b9365565dec0d5f3765da8f7e80f7c9968b437892ad56b3fe5c47abdac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\prefs-1.js

Filesize
7KB

MD5
de74a83ad814e207af128a4b4388dd43

SHA1
958ef9e75d3bc917570bf65bc2e1278ab331c01c

SHA256
83f308eedb5263a0436fff4a2e386d5d5aa0f149ee61bf9dac094173e4fb65fc

SHA512
07bc1925f32c82f6b272125b5c7ea6aa5656b878c57f0b50101b3cc014b350ba80c7ad4c6ec89f8d3cdbcdd8a921826974697c3d9a96936a2e2afc6dc00ddbc5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\prefs-1.js

Filesize
6KB

MD5
e1cbd55d0c11e1c269c0cae1859c81b1

SHA1
c62e85785c91556e56b918cf0c37d453af7d12aa

SHA256
c2f62ce64609c13cdcab2ba2d364b4c506d4f2a737b565cf24d3a1abcc09ab48

SHA512
b93271704f2162994af9ad4c2579b6f7e277276efed09d062923eebd544d3646f3cc7cb8c80ec01819e3b94fcd765971a487a6c8a8a5c3c4e3566884d2cd08f2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
271B

MD5
65f2789a81832d23b2e0e85df56782f7

SHA1
7b10554e845fdc0aaf656dfe63aebd8243ababd8

SHA256
47e547447f967a8835635b5357357134466866a74d2b37445697c5c5ccce81eb

SHA512
04e7ea16e2f5e495e1da86624a1aed488494227f987017bb9c4c310624651d5f03111197856d485cc4dfb431d69d7cbfb3b28a8c7e5fb8a152b65b9d6ce4e68a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
6636e0014fc99849c86a63f854998e57

SHA1
e3e9bf7e07082f95501dea4705c9c820dedf6757

SHA256
6e4f8352cee5fbd487c7c572d0fe968edb3ddd89e439874f3c18fecd00e86dcc

SHA512
d4940e12041cfc6a67ce305e91c9a816c2f4c829e4b01ea2baf9433e059c149abc708cd338d7838f298233ed0b60755d5fadf10303d8ef6c60c102c6e7873406

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
b68da3ba443a48c3de46237d002c5f75

SHA1
6f487727996dac0325bd44bffa6ee1611084393f

SHA256
b6873eb9e58194162efa94ac53e50c0d1555f4a5194ee6b91f35918721899eaf

SHA512
77c3d35d7726acdd4c73916d2fe389fd36a3145247266aa491b111f20dee7f3cc126d68d9adde4fbf6bd0d4c4c9a27281baf732c2aafda1978b67e3dd9cbe845

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.3MB

MD5
15101600fc8506f17e5bf88d806e694b

SHA1
6bac87fca6c0fecfb1d2fe133aa835a7a3a3b1eb

SHA256
40c68556bc2574072d280955a40e03f6905bea31165d751ba723772d1d9e1e68

SHA512
4c90f15dbd04606e79604d68daa00a703b1158e884b1c182659fa7f7896eb88bc0199155b87452d71b72e7d66b3082b1cb109af69e3ee563efd498311cb1236e

Download Submit