hxxps://cdn[.]discordapp[.]com/attachments/1210890454485442563/1210890781221720074/file_release_2_0[.]rar?ex=65ec34eb&is=65d9bfeb&hm=4003e820e2652713a56076607a66a4561ed3da1ea58d34f2571fc81549450d2e&?space=File[.]zip

Resubmissions

24/02/2024, 18:40

240224-xa85yabh9s 6

24/02/2024, 18:37

24/02/2024, 18:36

24/02/2024, 18:35

24/02/2024, 18:34

24/02/2024, 18:31

24/02/2024, 18:28

Analysis

max time kernel
147s
max time network
153s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
24/02/2024, 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1210890454485442563/1210890781221720074/file_release_2_0.rar?ex=65ec34eb&is=65d9bfeb&hm=4003e820e2652713a56076607a66a4561ed3da1ea58d34f2571fc81549450d2e&?space=File.zip

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133532729410806475"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\NextUpdateDate = "415591112"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "415592866"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000f03f6938f29eb60bf24d143c05dd599ab05bdda6a65b06ebcfe760025d9f006eb86483be995085d9fcd8d0ceda1a49d3cc10bdee8c542aba6501	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = ae6d82524f67da01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{280895B8-FE61-4F89-801B-8AB16FC012E4} = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 8c740f664f67da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "415566925"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "414961230"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2732	chrome.exe
2732	chrome.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
4468	MicrosoftEdgeCP.exe
4468	MicrosoftEdgeCP.exe
4468	MicrosoftEdgeCP.exe
4468	MicrosoftEdgeCP.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeDebugPrivilege	5060	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5060	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5060	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5060	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeCreatePagefilePrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeCreatePagefilePrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeCreatePagefilePrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeCreatePagefilePrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeCreatePagefilePrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeCreatePagefilePrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeCreatePagefilePrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeCreatePagefilePrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeCreatePagefilePrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeCreatePagefilePrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeCreatePagefilePrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeCreatePagefilePrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeCreatePagefilePrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeCreatePagefilePrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeCreatePagefilePrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeCreatePagefilePrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeCreatePagefilePrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeCreatePagefilePrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeCreatePagefilePrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeCreatePagefilePrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeCreatePagefilePrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeCreatePagefilePrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeCreatePagefilePrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeCreatePagefilePrivilege	2732	chrome.exe
Token: SeDebugPrivilege	5212	firefox.exe
Token: SeDebugPrivilege	5212	firefox.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
5212	firefox.exe
5212	firefox.exe
5212	firefox.exe
5212	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
5212	firefox.exe
5212	firefox.exe
5212	firefox.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
3060	MicrosoftEdge.exe
4468	MicrosoftEdgeCP.exe
5060	MicrosoftEdgeCP.exe
4468	MicrosoftEdgeCP.exe
5212	firefox.exe
5212	firefox.exe
5212	firefox.exe
5212	firefox.exe
5212	firefox.exe
5212	firefox.exe
5212	firefox.exe
5212	firefox.exe
5212	firefox.exe
5212	firefox.exe
5212	firefox.exe
5212	firefox.exe
5212	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 3764	4468	MicrosoftEdgeCP.exe	78
PID 4468 wrote to memory of 3764	4468	MicrosoftEdgeCP.exe	78
PID 4468 wrote to memory of 3764	4468	MicrosoftEdgeCP.exe	78
PID 4468 wrote to memory of 1508	4468	MicrosoftEdgeCP.exe	79
PID 4468 wrote to memory of 1508	4468	MicrosoftEdgeCP.exe	79
PID 4468 wrote to memory of 1508	4468	MicrosoftEdgeCP.exe	79
PID 2732 wrote to memory of 4172	2732	chrome.exe	82
PID 2732 wrote to memory of 4172	2732	chrome.exe	82
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2144	2732	chrome.exe	88
PID 2732 wrote to memory of 2228	2732	chrome.exe	84
PID 2732 wrote to memory of 2228	2732	chrome.exe	84
PID 2732 wrote to memory of 4900	2732	chrome.exe	87
PID 2732 wrote to memory of 4900	2732	chrome.exe	87
PID 2732 wrote to memory of 4900	2732	chrome.exe	87
PID 2732 wrote to memory of 4900	2732	chrome.exe	87
PID 2732 wrote to memory of 4900	2732	chrome.exe	87
PID 2732 wrote to memory of 4900	2732	chrome.exe	87
PID 2732 wrote to memory of 4900	2732	chrome.exe	87
PID 2732 wrote to memory of 4900	2732	chrome.exe	87
PID 2732 wrote to memory of 4900	2732	chrome.exe	87
PID 2732 wrote to memory of 4900	2732	chrome.exe	87
PID 2732 wrote to memory of 4900	2732	chrome.exe	87
PID 2732 wrote to memory of 4900	2732	chrome.exe	87
PID 2732 wrote to memory of 4900	2732	chrome.exe	87
PID 2732 wrote to memory of 4900	2732	chrome.exe	87
PID 2732 wrote to memory of 4900	2732	chrome.exe	87
PID 2732 wrote to memory of 4900	2732	chrome.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "https://cdn.discordapp.com/attachments/1210890454485442563/1210890781221720074/file_release_2_0.rar?ex=65ec34eb&is=65d9bfeb&hm=4003e820e2652713a56076607a66a4561ed3da1ea58d34f2571fc81549450d2e&?space=File.zip"
1⤵
PID:4512

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3060

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4328

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5060

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3764

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe77819758,0x7ffe77819768,0x7ffe77819778
  2⤵
  PID:4172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1856 --field-trial-handle=1784,i,3312237057989875506,15110683711581369026,131072 /prefetch:8
  2⤵
  PID:2228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2884 --field-trial-handle=1784,i,3312237057989875506,15110683711581369026,131072 /prefetch:1
  2⤵
  PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2872 --field-trial-handle=1784,i,3312237057989875506,15110683711581369026,131072 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2120 --field-trial-handle=1784,i,3312237057989875506,15110683711581369026,131072 /prefetch:8
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1784,i,3312237057989875506,15110683711581369026,131072 /prefetch:2
  2⤵
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4484 --field-trial-handle=1784,i,3312237057989875506,15110683711581369026,131072 /prefetch:1
  2⤵
  PID:1320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 --field-trial-handle=1784,i,3312237057989875506,15110683711581369026,131072 /prefetch:8
  2⤵
  PID:5204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 --field-trial-handle=1784,i,3312237057989875506,15110683711581369026,131072 /prefetch:8
  2⤵
  PID:5280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5024 --field-trial-handle=1784,i,3312237057989875506,15110683711581369026,131072 /prefetch:1
  2⤵
  PID:5600

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1320

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2012
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5212
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5212.0.929844573\1897348721" -parentBuildID 20221007134813 -prefsHandle 1708 -prefMapHandle 1696 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {764cecb1-9068-4ef2-ad0a-83ed6b1195f7} 5212 "\\.\pipe\gecko-crash-server-pipe.5212" 1796 21862a04758 gpu
    3⤵
    PID:5404
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5212.1.1888389918\1149007219" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2931a9fc-cbf7-4299-ba3c-58905ef5ccc3} 5212 "\\.\pipe\gecko-crash-server-pipe.5212" 2152 21861330858 socket
    3⤵
    - Checks processor information in registry
    PID:4912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5212.2.1714067147\1982010269" -childID 1 -isForBrowser -prefsHandle 2956 -prefMapHandle 2952 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {11708e52-bee3-447f-8b37-4194c153917a} 5212 "\\.\pipe\gecko-crash-server-pipe.5212" 2804 218658b0e58 tab
    3⤵
    PID:4516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5212.3.185466732\264885010" -childID 2 -isForBrowser -prefsHandle 3592 -prefMapHandle 3588 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5308aa95-cc9c-4b18-ae74-27487cf1c717} 5212 "\\.\pipe\gecko-crash-server-pipe.5212" 3604 2185682d858 tab
    3⤵
    PID:5308
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5212.4.888710299\37577011" -childID 3 -isForBrowser -prefsHandle 4244 -prefMapHandle 4236 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {48969fdb-ecb2-4dfc-887d-eb58ce6d8b1e} 5212 "\\.\pipe\gecko-crash-server-pipe.5212" 4256 21867880258 tab
    3⤵
    PID:5868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5212.5.1997660578\1053709238" -childID 4 -isForBrowser -prefsHandle 4704 -prefMapHandle 4460 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3abb1a43-dd75-42d0-8cf9-3549520693d2} 5212 "\\.\pipe\gecko-crash-server-pipe.5212" 4700 2186863f858 tab
    3⤵
    PID:1680
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5212.6.602760346\1447728977" -childID 5 -isForBrowser -prefsHandle 2520 -prefMapHandle 4292 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ca6229f-2f48-4ed5-a9ad-837be27a0b70} 5212 "\\.\pipe\gecko-crash-server-pipe.5212" 4876 21868642258 tab
    3⤵
    PID:6128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5212.7.1102120459\1572559388" -childID 6 -isForBrowser -prefsHandle 4952 -prefMapHandle 4956 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2eb643d6-c73b-4696-b1dc-21152e7e2fb9} 5212 "\\.\pipe\gecko-crash-server-pipe.5212" 4944 21868640458 tab
    3⤵
    PID:4276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5212.8.795560427\1339433472" -childID 7 -isForBrowser -prefsHandle 5612 -prefMapHandle 5616 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ced5c872-d1c0-4020-bd10-a1e5bbb37801} 5212 "\\.\pipe\gecko-crash-server-pipe.5212" 5604 218691eb358 tab
    3⤵
    PID:5640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5212.9.1998718360\1161653468" -childID 8 -isForBrowser -prefsHandle 5908 -prefMapHandle 5904 -prefsLen 26689 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {08d196c6-e50b-47f3-944e-287bb34576d2} 5212 "\\.\pipe\gecko-crash-server-pipe.5212" 5828 218686fba58 tab
    3⤵
    PID:1740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5212.11.1753992083\1316092746" -childID 10 -isForBrowser -prefsHandle 5256 -prefMapHandle 5240 -prefsLen 26689 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {714355cb-6c95-42cc-ab7e-34399c6e87d1} 5212 "\\.\pipe\gecko-crash-server-pipe.5212" 5072 2186863fb58 tab
    3⤵
    PID:4860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5212.10.301648232\1512554839" -childID 9 -isForBrowser -prefsHandle 4928 -prefMapHandle 5068 -prefsLen 26689 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3717680f-3ea0-40e6-9f7d-ae060580f98f} 5212 "\\.\pipe\gecko-crash-server-pipe.5212" 5160 21867970f58 tab
    3⤵
    PID:6096
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5212.12.76212689\316029107" -childID 11 -isForBrowser -prefsHandle 4256 -prefMapHandle 4568 -prefsLen 26689 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8f74b83-cada-4e37-aac1-5d08685129df} 5212 "\\.\pipe\gecko-crash-server-pipe.5212" 4448 21869d55b58 tab
    3⤵
    PID:1492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5212.13.1510170562\909480054" -childID 12 -isForBrowser -prefsHandle 9700 -prefMapHandle 9528 -prefsLen 26689 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c497440-9e9b-4445-b8cb-a65f3859d5aa} 5212 "\\.\pipe\gecko-crash-server-pipe.5212" 5340 2186a358858 tab
    3⤵
    PID:5616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5212.14.440204366\2084139060" -childID 13 -isForBrowser -prefsHandle 5740 -prefMapHandle 3260 -prefsLen 26689 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e42a22fe-5ed7-42b5-bb57-705efb49260c} 5212 "\\.\pipe\gecko-crash-server-pipe.5212" 4376 2186863fb58 tab
    3⤵
    PID:3280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5212.15.67391345\1385816766" -childID 14 -isForBrowser -prefsHandle 7228 -prefMapHandle 5696 -prefsLen 26689 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a45de5d-38b8-4df1-b87b-c7a082bcb5fe} 5212 "\\.\pipe\gecko-crash-server-pipe.5212" 4328 218640d6d58 tab
    3⤵
    PID:4136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5212.16.1223594203\334731636" -childID 15 -isForBrowser -prefsHandle 7128 -prefMapHandle 5652 -prefsLen 26689 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9db83be3-621f-421a-96a3-45779c58716e} 5212 "\\.\pipe\gecko-crash-server-pipe.5212" 9588 218678ca858 tab
    3⤵
    PID:6080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
ab989cc0e8c81bba9db2c9324f32ff40

SHA1
81c84841dd1da628709d730bd6ce5f266daddc26

SHA256
25f1e07b8e134ac8cdc19bc4b9c8b5dd31b6a6e435471fe1ac546d5a846237f7

SHA512
ee04592c3684473407b2d561d2bf85ee0417942e27d904956c2ced65976f35617274dc62dc2fabd20b4434e130ed0f990ad29b5a4efbf3a8f044133180ee366b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
987B

MD5
faa925d29d458de434ca16f7338125be

SHA1
acc0467e538e09ad066346f85fc88de5c7d85503

SHA256
d795f1d6b4cd24eff94fdc81a1e722e0363bda0fa2a8fce0537dbdad63a7276e

SHA512
75aa1730c998197a57c8d8a9d891a75dc0719fc7c29064457a9b228cadd44870fdf2d20ec7fd465238eab09d96142b9916ef9dc27eabe9de1154f5d7e30f43cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
88dded2ea2059e1d1e89ee3bd40a1cc6

SHA1
f40a9e3e0913b8b2b10fc74b3d987de961d5296b

SHA256
52facc93810f4b52bbfa8ae65e6cd4f0505d4f42e749bd34ae90a30f9c23c0d7

SHA512
4e953790ab61e1181b68225b7c10fc18c5d7ed1005d353e1f51aadb6a6d80809fbfac60c5ee0c87ff1a5cf574459ad3ccf110801d017dca2a89849ff73e489b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
06b6380b7b96b55bee417b004696df69

SHA1
76933303baeef2662f836513cd28b3407fdd02ef

SHA256
d73dcf0c14730c3a13200cbc413424e05053649411481100078e27da924835d1

SHA512
a220228d9309905ae52cce96dd90b5dfb5163c400369a8004d50c97e45e92217ca874c81f81b6b779818c7ba4a57dde2df8016a6ea8e5c983c85fc19c2ed2370

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9fa03f67091ae148a501ea2e4e1a0bfb

SHA1
7cc282bd8260683c3c037329b0e86970c71e565c

SHA256
171fa54357e72c0c01310f2849002e6746cf6235d7a93107e9c8037c5379a8af

SHA512
53b5fc93a6d675da06d4e4949c5204f6fa982b98b0615b79c2b4368faf9c07dc8c91dd01341327693abd3eeeb8d06a224b5930285611c382c3fcf21517ce3652

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
315f1526bf1a2f0dee7f422da213c267

SHA1
32b3dc7eece71679810af55487a921fb0843493d

SHA256
11d5d2bcb1b7e2924275a2d804c17175fafc67d6b80185e83108a0e19d38c6fc

SHA512
a9d8233504409f09a31c9d8dd71c0f4468e35028ea4403d537a959bcd2a7bd51ee7baa02a56e4f97efd953630d8b8aeee0103dc3e3eb4f8b129a9c6b3785a335

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
079cdfee23930bc34c3f188346ef3ceb

SHA1
624f74407ab8ad1a8770e5f285f974f757f5904f

SHA256
24604068dc9a575e806f12f087747efc6d5e01f1e471c16a9acb7f2892728856

SHA512
af4dcd18f93ccec0dae0c4fbbdaade08beefd8e68aa3377baecd8a97ebd4dc7e8931583625a38080ec658c76dda6870acdcab16a2eecf907afdad9b87038786c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
12029c11d47c1f242657b1c3175add59

SHA1
e86f15e7c89676d8bbd8bec35c13d25b20a95a10

SHA256
ea64432d2e9138fd6a6693daf1d9fa1fcb193894e2817a4a0634cb2c35a059c1

SHA512
a7e2ad2e061d523eefbaffc8c30109f856ed84d6412ac1dab612d01002fc640a26fdd387c85493afcae0108f3f8a36f2d747e36465a5e4b9486894fc6527fd34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U2DI4E2V\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0htfzopy.default-release\cache2\doomed\15782

Filesize
13KB

MD5
6e67289def7cfeb226ea63c27aba1638

SHA1
5b9c40c16de96687bf4fd0f0c87fc81faa149e8f

SHA256
84abb366a5092981f5669f8f5eb522474bd31c2e21e9c80bd23f9d62d53ce568

SHA512
5d8e7e4abd0f95b141e2087dbed2f3b4d94e51a868f4a24ac2103cbf8a9842f16a4cd1e463c9962e15e271ab9f793645a5beb2990fdf421c3e3d0a4d1a30ccbc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0htfzopy.default-release\cache2\doomed\20450

Filesize
13KB

MD5
0fc72a77b936d4eb4dc52c176a3831db

SHA1
5380dc8c042bef99f6b7909b13f2fe4775004537

SHA256
43fcf792b332b6d3a67acb26f909b48c718e6b68c59accf81d90a2dc840ca34b

SHA512
4a8b0ad0df7dc18db43b0a72c9d6c4904d2cac719d4a8ee05c8e372fb1afff83f4a3c411920140c0b6cf3227fc4e58f535cea554d5fcd58ab64b05137bf6bd62

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0htfzopy.default-release\cache2\doomed\22194

Filesize
10KB

MD5
e0d932b259a7fd6c28349206c032975f

SHA1
32f8d01171364a44fce874316747c06a13632add

SHA256
621ea369b281a00b6670b6b1bf4fb58a57f1fae05234b03000483f38734f4151

SHA512
bf22d0ea712b32226362a6ff788c39ec8bd811fc3f088db2952ab66eb76a80908ecdce8f512ac04c93926b189abc6390252e3eb752eef5fe93234898f9752123

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0htfzopy.default-release\cache2\doomed\28063

Filesize
21KB

MD5
16e584cb06a5d0e4db50ad730405986e

SHA1
64f618ce5b626502a0d069f9bf0bdf66e6bd5ae3

SHA256
40a8f8659486763aea8ca1224d98ac81b2a960fa67902de1a969f0c429f19939

SHA512
69f0b73dd3bdc31a072b3de9ae65ee80ad6b6601da5463119c2e55d6ba957e34f74d948a5a3beb71db0fb33df8dee21aa124a1f5f5c6acba70aa2e4622ac089c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\FLLGVCNT\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\TD8ZI6FA\file_release_2_0[1].rar

Filesize
7.0MB

MD5
c0b5f6f2b9d9628f560fd9441415d5dc

SHA1
28776af66f14d6c0e8fa90414f81bfd706920324

SHA256
03238ca754e1f8d03fbb5b9ba850b950d868523c305e7c34dcb700c1360194bc

SHA512
81aa3b82d0bca872fb05655d24ddb6879c1dbfb889249af42582ddff0bd511d7996560ccb4c4e67e718c6b904814fae399d0b8cd07e5c43707e4679f54c0d93a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
97588e69ece0e953ec9df4ab6d9027e2

SHA1
b879bce30bac77353e61b29b123c239fd3bbd9b5

SHA256
3d8a8fdfa77fbf4bb632b1a93afea02ca7a6c5adbaba927cdc80957dbd0dc966

SHA512
5f725a852f30e09cde0aada2b588c5f365c5a688f0265fbb9c3f55a9b11f2934b313285457f084008a826a578a6cda4b6e3ea5be7d8c276147474f6a21e22bea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\datareporting\glean\pending_pings\0e8c2bba-6995-4ad6-9157-de7503acd579

Filesize
746B

MD5
87571b7f5d7d145dba56bd55ffcb6756

SHA1
788ea1dc615f82e5d651dec9ce78760711678fb1

SHA256
7180be6e2bf63edfce8b2ffdcdb3393a82b57004ecbf0fb7a1e564cd0ffad2d7

SHA512
c04bae2788706048877c69e6c7e72b70645beeeafc0e92bac07fecf0817364a714d5846dde1d717e6ad019769c43e3a95f5e4e3e50922156885b81905cab2a2e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\datareporting\glean\pending_pings\604220cf-35e1-4135-beb8-d25082256f56

Filesize
9KB

MD5
f0b6e4dc69389e5f0f6fd7ae48d89f29

SHA1
a00018d24af0fc82aa739e046bad99544d68e352

SHA256
cd230b974a22b43465e31735d18c1b02e44c35329a56fe6d5fc892fe70b4f2ba

SHA512
e8e5c3d070b774fb64a8976bc80c48877ab6e278f1acec7028578bf2d5d6407e6e3c02be5e43b31bbd0f093339ed93fa3d20ab103d06d6c6bb9b7b4a0753440a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\prefs-1.js

Filesize
6KB

MD5
a12c69e318d444c50b2340d168a5686f

SHA1
2240b7f9022e2bedbc6ea7166627924785f9094b

SHA256
f3c5d4d0f1c69470911fecf3f13025dedd803e35365be85d05e220c2482de963

SHA512
5b14be9a1c599f7681c64a02ccd156a9de68eeeb5020f93d7cbc503e9b3ab3877ae44a983e439137f88f61ea9cd96b93a34d4798060defe25aaca26d44feee2e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\prefs-1.js

Filesize
6KB

MD5
b5580a80a822e47b02a571b84a1218e1

SHA1
774cd98f2fa14f794768dd87e064f5679935cdd0

SHA256
bfba8ea4832c18a93e0097b613de1f7cfd04927205b6d8cb5af35d9336a3263e

SHA512
8f633843c1cdbd4a01b8377d7572519116f8a78bb1bb6945b3b9560681cc2b002f96d0073ef39965d0f6f9a25eb55faa69bb41edc02c3aeeef4c3a1c1613a0a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\prefs-1.js

Filesize
6KB

MD5
f8ca951ede950ab5c46e0a2211df6c77

SHA1
279db125681469b407a9f1babda1e898163ad455

SHA256
9073ffb192bcc7dc03eafb1c6ee943b308d300988e30c2d93fe7e079b4a6476f

SHA512
6c6504957fd43c54a809c3c299add8af88f378cb1c7a43d89316247113bf3c10ad3010230def563b09499db0f7f7c611be749b692d0e89ed0268e39a57fc77cb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\prefs.js

Filesize
6KB

MD5
3488b0159baa81747546f58187db3b40

SHA1
1ab42020f332f292430d934f497d201330c8c421

SHA256
6c5f3be0d9cbcffc2921d0a2bf4134bed8ffcdf0a0decfe2398d0b7116ff2fce

SHA512
d3a82c658103671c5d3e91355d14429d7405128091ac519b7103dfe82b80038e1948675f5adc72f9019ab763af2b01c4851941bd060642838a97d3dd7c0742f2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
5fb54b03e08c1259f27fe8581ac3c3fa

SHA1
d1c1bc31da721159f91181ffa06f849d445a7c8a

SHA256
54439dd9b8ac72849beca3a6a6094d1f4435be8d9ee364a11252c8ad491196a8

SHA512
dae9355f0b51a7ff516b5a035890755aa0e004ba3955cd1256f37cfbaed3dc5865b584af7713255093772dc7f650d51e173025194943d2f824ee542693112fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
140abe60192d9c961b10aef3c7e12ab0

SHA1
879e79809818f3a4d70478658d8b8079fe0fbaf0

SHA256
937d1c8042ac08c17a937f5356505b1ae443dcdab8e22f3e1c9b2f2fc60b9f8b

SHA512
c219ee8a0cbe2e693793d7a74c264743ad8853d91e3ed59b0922420f71aa02067d586147fbdb3d08af16501d9f4955093395d74f57faf953eb70227777836a26

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
00befb6a8a8a4c388a1cb840e8f99f57

SHA1
0fc34cb95234fb50aaeb39c890d82af5b9b61f07

SHA256
3b7883f61194133d45644158c78bcd4e8f5df2082cd6181c525971e408ea584e

SHA512
9ee61da004c007f1cb5fb599280f50a733a7babaa1b32cd5b869ab6345ada7f5eb1691cacf3011bf4aeabb0e738167398d88c5f646a7b366ffc02fd4572d575b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
9KB

MD5
b38f409338122aea89961cc159ae5e90

SHA1
841279a74c7052d2ac5b067b706f6c1670a089c5

SHA256
a75ebe7cded1ac72e74b15df9fe0060c728bc8871c9c67e8720b937d91c631ce

SHA512
7f874497feb45cf0bb9571a90e3aeabb4500018161476ffe747840f254afeba4396e3b885fafcc77c0a7a48aa38b36ad9c41a0410f7998a787d648a0593e7bf9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
10KB

MD5
e2bb5f9d540a24bd40e2091ea23e66a9

SHA1
a8e2f82846eefd01f7772bc82b155992ef7f7c61

SHA256
edbb93232b79bd507bfe61b2a1ab8a255a899f7d8637f875c918c9a92a0e457e

SHA512
9887bf35e250311c92219ad89e41fb2f34a7f056a3aefb6aa31ac3fa69f1b168b2c6055cc8876dde6a1c56d472925e42a12c393235fa12d28a1a508faf7cd6a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
041222fb70d425fb929964d4407a1fac

SHA1
5575f863367000a777e6d17ed13937620d53537d

SHA256
095886d0bcf3ff97b8a2f86f46be2324f28ab73aab9cb13f24516acc840322ae

SHA512
6a173eefea68c33b48fe40f0718514366e4cc3f37a2b0e0c2acb4f51e79c4636b01011061cfed1556755eeb65cbe942d076006a4b86bf52e15abaa8601661bad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\sessionstore.jsonlz4

Filesize
11KB

MD5
508cf990de54aaf784c7c99f31a3477f

SHA1
a2205a0cfbbe71cc61238b5a35c847928c6e3218

SHA256
d1c5604801689ff066d0bb0f48391e0f174b9c06c8a0e978a3c2dff8a85569d4

SHA512
69226f16ee096155f1e773327f6da17ce26c2ebe0805a6175dd0c9b3d1e69ae32134f7a6452645f2c1f9affac176cbc3743b20b685686b03d88f1796dd45c67a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\storage\default\https+++infyg.wedonhisdhiltew.info\cache\morgue\114\{38c2214d-09ae-4038-a3dd-2b6dadc96772}.final

Filesize
19KB

MD5
c389e5bb00bfb633dfc9b98693d96cfe

SHA1
6d5127f98178f30d25728f3a9fd03f47df093a64

SHA256
e47500ee91582c193406359654d557a70e4897bccec72faf334716e34ba80695

SHA512
d1d4f7eb8b2c906f73c26cd4a624b4fa2e9cd5a98af92e9c090355c6f682c46d1ca98ec2be63ec48f52da404445403a52c806594c4b7bb4b4c45973fd5b2013c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\storage\default\https+++infyg.wedonhisdhiltew.info\cache\morgue\230\{c802bfda-7fff-446b-afb2-b0cb2a3882e6}.final

Filesize
19KB

MD5
d2756c953b30c96a3fb7b18451be8c75

SHA1
44b19d2383d47b2c83f0819260a6a864be450a46

SHA256
c594faf680f85b4ff60736377da742542f91ccadbd9981a8940acab66a5976ec

SHA512
7b8fa70f8dc61033c5944e93de3173ba0e206dea2789312eeedb727ab6ed55cb0bd1cf043deb6e79ef8c4377296d16e3a84e7a10d03a22385c432e2519cd979f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\storage\default\https+++infyg.wedonhisdhiltew.info\cache\morgue\73\{35afbc72-9b27-491a-8596-a6f81dd4ad49}.final

Filesize
19KB

MD5
22064e7a9f4cd5ec33d90e7911378ac8

SHA1
ebf30706a38e92875996a3f6e68799ab730542ff

SHA256
da04307a539e815ca70f3c1ab19ea3bf518b6cc5d49ca7d4c0dd2a0b48ecdb19

SHA512
60e700caf0f49ce506b729020690ddcf471b0ac8dee2a8ddee769754af87b066b0f48955ab72e7a10f64ea7de5c229c810d61e63a50528afcf1450dfe48c2299

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\storage\default\https+++infyg.wedonhisdhiltew.info\idb\2728594770keeryovtasl-.sqlite

Filesize
48KB

MD5
39853c53a5e78e3b31a8667bfd1f4f4a

SHA1
101e0bd4e886000f89efb4b17a5134de4b1d1711

SHA256
28b7886b8abc6191196f0e3236cd4db5cab20322e63d06e08805e3ec47260029

SHA512
8eaf21463944a32d6cab12598d7abf977588c76f9e248d3aff3c67cca17e4b3efa9de82dd6af0e2d31720aa52363e6a28599f85bd82d732779828aceed86592a

Download Submit
memory/3060-35-0x00000284C72D0000-0x00000284C72D2000-memory.dmp

Filesize
8KB

Download
memory/3060-16-0x00000284C7940000-0x00000284C7950000-memory.dmp

Filesize
64KB

Download
memory/3060-0-0x00000284C7120000-0x00000284C7130000-memory.dmp

Filesize
64KB

Download
memory/3060-412-0x00000284CF810000-0x00000284CF811000-memory.dmp

Filesize
4KB

Download
memory/3060-411-0x00000284CF800000-0x00000284CF801000-memory.dmp

Filesize
4KB

Download
memory/3764-62-0x0000018C63EC0000-0x0000018C63EC2000-memory.dmp

Filesize
8KB

Download
memory/3764-64-0x0000018C63EE0000-0x0000018C63EE2000-memory.dmp

Filesize
8KB

Download
memory/3764-58-0x0000018C63E90000-0x0000018C63E92000-memory.dmp

Filesize
8KB

Download