hxxps://api[.]getpxlemal[.]com?id=11541916&stepNo=1

Analysis

max time kernel
467s
max time network
477s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
09/04/2024, 09:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://api.getpxlemal.com?id=11541916&stepNo=1

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133571304432214884"	chrome.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000_Classes\.cr2\ = "cr2_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000_Classes\cr2_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000_Classes\cr2_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000_Classes\.cr2	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000_Classes\cr2_auto_file\shell\Read	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000_Classes\cr2_auto_file\shell\Read\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000_Classes\cr2_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"%1\""	OpenWith.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\download:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\download (1):Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3196	chrome.exe
3196	chrome.exe
4804	chrome.exe
4804	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2284	OpenWith.exe
1052	OpenWith.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
676	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3196	chrome.exe
3196	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3884	firefox.exe
3884	firefox.exe
3884	firefox.exe
3884	firefox.exe

Suspicious use of SendNotifyMessage 19 IoCs

pid	Process
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3884	firefox.exe
3884	firefox.exe
3884	firefox.exe

Suspicious use of SetWindowsHookEx 49 IoCs

pid	Process
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
3884	firefox.exe
1052	OpenWith.exe
1052	OpenWith.exe
1052	OpenWith.exe
1052	OpenWith.exe
1052	OpenWith.exe
1052	OpenWith.exe
1052	OpenWith.exe
1052	OpenWith.exe
1052	OpenWith.exe
1052	OpenWith.exe
1052	OpenWith.exe
1052	OpenWith.exe
1052	OpenWith.exe
1052	OpenWith.exe
1052	OpenWith.exe
1052	OpenWith.exe
1052	OpenWith.exe
1052	OpenWith.exe
1052	OpenWith.exe
4856	AcroRd32.exe
4856	AcroRd32.exe
4856	AcroRd32.exe
4856	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3196 wrote to memory of 4564	3196	chrome.exe	78
PID 3196 wrote to memory of 4564	3196	chrome.exe	78
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4680	3196	chrome.exe	81
PID 3196 wrote to memory of 4756	3196	chrome.exe	82
PID 3196 wrote to memory of 4756	3196	chrome.exe	82
PID 3196 wrote to memory of 3540	3196	chrome.exe	83
PID 3196 wrote to memory of 3540	3196	chrome.exe	83
PID 3196 wrote to memory of 3540	3196	chrome.exe	83
PID 3196 wrote to memory of 3540	3196	chrome.exe	83
PID 3196 wrote to memory of 3540	3196	chrome.exe	83
PID 3196 wrote to memory of 3540	3196	chrome.exe	83
PID 3196 wrote to memory of 3540	3196	chrome.exe	83
PID 3196 wrote to memory of 3540	3196	chrome.exe	83
PID 3196 wrote to memory of 3540	3196	chrome.exe	83
PID 3196 wrote to memory of 3540	3196	chrome.exe	83
PID 3196 wrote to memory of 3540	3196	chrome.exe	83
PID 3196 wrote to memory of 3540	3196	chrome.exe	83
PID 3196 wrote to memory of 3540	3196	chrome.exe	83
PID 3196 wrote to memory of 3540	3196	chrome.exe	83
PID 3196 wrote to memory of 3540	3196	chrome.exe	83
PID 3196 wrote to memory of 3540	3196	chrome.exe	83
PID 3196 wrote to memory of 3540	3196	chrome.exe	83
PID 3196 wrote to memory of 3540	3196	chrome.exe	83
PID 3196 wrote to memory of 3540	3196	chrome.exe	83
PID 3196 wrote to memory of 3540	3196	chrome.exe	83
PID 3196 wrote to memory of 3540	3196	chrome.exe	83
PID 3196 wrote to memory of 3540	3196	chrome.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://api.getpxlemal.com?id=11541916&stepNo=1
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffe43d79758,0x7ffe43d79768,0x7ffe43d79778
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1832,i,5644360931404014512,13433628425851255166,131072 /prefetch:2
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1832,i,5644360931404014512,13433628425851255166,131072 /prefetch:8
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2148 --field-trial-handle=1832,i,5644360931404014512,13433628425851255166,131072 /prefetch:8
  2⤵
  PID:3540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2996 --field-trial-handle=1832,i,5644360931404014512,13433628425851255166,131072 /prefetch:1
  2⤵
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3004 --field-trial-handle=1832,i,5644360931404014512,13433628425851255166,131072 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1832,i,5644360931404014512,13433628425851255166,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 --field-trial-handle=1832,i,5644360931404014512,13433628425851255166,131072 /prefetch:8
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1832,i,5644360931404014512,13433628425851255166,131072 /prefetch:8
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 --field-trial-handle=1832,i,5644360931404014512,13433628425851255166,131072 /prefetch:8
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 --field-trial-handle=1832,i,5644360931404014512,13433628425851255166,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5716 --field-trial-handle=1832,i,5644360931404014512,13433628425851255166,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4804

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4640

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2760

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2284
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\download"
  2⤵
  PID:3656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\download
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:3884
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3884.0.227871349\863199592" -parentBuildID 20221007134813 -prefsHandle 1752 -prefMapHandle 1744 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {98dd0220-0826-4033-a1bf-3a1d4cc93023} 3884 "\\.\pipe\gecko-crash-server-pipe.3884" 1832 290852d6a58 gpu
      4⤵
      PID:4668
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3884.1.547513458\1281685415" -parentBuildID 20221007134813 -prefsHandle 2224 -prefMapHandle 2220 -prefsLen 21563 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9834958-f59d-449a-af56-e76e6dd50724} 3884 "\\.\pipe\gecko-crash-server-pipe.3884" 2236 290867cec58 socket
      4⤵
      Checks processor information in registry
      PID:4788
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3884.2.502502864\1197460446" -childID 1 -isForBrowser -prefsHandle 2936 -prefMapHandle 2932 -prefsLen 21666 -prefMapSize 233444 -jsInitHandle 1012 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8dfad8d4-3e67-4c70-ab1a-b20b4dcccd09} 3884 "\\.\pipe\gecko-crash-server-pipe.3884" 2908 2908a2b2858 tab
      4⤵
      PID:4844
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3884.3.1770191634\1154406855" -childID 2 -isForBrowser -prefsHandle 2940 -prefMapHandle 2984 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1012 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d867dbaa-8a55-4d3e-b4f2-62e67dabdfcf} 3884 "\\.\pipe\gecko-crash-server-pipe.3884" 3532 29087bfb258 tab
      4⤵
      PID:2696
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3884.4.133707828\563683833" -childID 3 -isForBrowser -prefsHandle 4808 -prefMapHandle 4804 -prefsLen 26298 -prefMapSize 233444 -jsInitHandle 1012 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dec5494e-4eb4-4d78-ba94-01d07282c4cb} 3884 "\\.\pipe\gecko-crash-server-pipe.3884" 4816 2908cd66258 tab
      4⤵
      PID:2916
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3884.5.816860128\613477102" -childID 4 -isForBrowser -prefsHandle 4972 -prefMapHandle 4976 -prefsLen 26298 -prefMapSize 233444 -jsInitHandle 1012 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f20af77-1851-4720-81d0-9a65763f2253} 3884 "\\.\pipe\gecko-crash-server-pipe.3884" 4832 2908cd66858 tab
      4⤵
      PID:1868
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3884.6.1882304847\579863331" -childID 5 -isForBrowser -prefsHandle 5152 -prefMapHandle 5156 -prefsLen 26298 -prefMapSize 233444 -jsInitHandle 1012 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2e97366-31e6-432c-819f-10c4341be10e} 3884 "\\.\pipe\gecko-crash-server-pipe.3884" 5144 2908cd64158 tab
      4⤵
      PID:2568

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1052
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\UndoStep.cr2"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4856
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    PID:3500
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=87B4A60A9B83195505FD130E7091BABA --mojo-platform-channel-handle=1776 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1284
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=797915E525588ADBA9C123C45C5E7481 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=797915E525588ADBA9C123C45C5E7481 --renderer-client-id=2 --mojo-platform-channel-handle=1784 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:1744
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6F59CB3D86FF2C653728CD458405B509 --mojo-platform-channel-handle=2344 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:2152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:3788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:240

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4428

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:4640

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:1136

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5056

C:\Users\Admin\AppData\Local\Temp\D154AB45-FD50-4A87-A220-4031FFB08FE6\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\D154AB45-FD50-4A87-A220-4031FFB08FE6\dismhost.exe {2DF3DB81-0427-4AF8-93BB-294C18010439}
1⤵
- Drops file in Windows directory
PID:672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
708B

MD5
1d577fc4ecbe33e94f54cef3a360b335

SHA1
c6d53ce25ead66ff765a39fc7b3b31aaa84194eb

SHA256
c349ef205248d8eeda881615d1445281087f7280ae35068fa4efb74248444883

SHA512
fcbbd45c2e69a700965ebb133fbe63a6fb400e1f94b8486ba8c706099615543e8d1c5771595410dce8d380fc8fa484484e917f0fa286793f3b4c13b44efff3d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
677B

MD5
a072b6db2329c45ad48ecac324109458

SHA1
ef237ce016e44d98da624a7d9b98bd60ae88b82f

SHA256
7eb9b3cea515919b523163ad9b60fc03134de7e11d769ae86f57022edff7beca

SHA512
fead3ec2c22759304b6158d9864a8d5086d52c5e9ea523ae33a50ca68adea4448a8d6106d045daf3693d83e1ed7198204a813bd4df0991caa1099e751ebebb20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
986B

MD5
da167d146db00b25b35d293c245b5ade

SHA1
18186c46a64ca525dc8c739b1fea1b858807e686

SHA256
e6c9d0483e3a931038679745604be44f2cf9fb24e65a03eca1034435b1f6cd5e

SHA512
23af75578591784d6c61637f8d2905a466edaa378cba10636477605f03f2c7c97bd358d55403382b90cf86d8fb6ee037ed25d98efcff34460a8c85790bf03387

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
ed7098515ba7aa17eed18aab10699b8f

SHA1
b702a093d5dfb272888e2da5df9affd2a33ef555

SHA256
c64ba236bdae75b557b624ea48d1613e1d14fae50fe8e6bf8cbc67a0f71a1c0b

SHA512
ec61c5d7699c4a3e951b32977e1afc98fce85f889286a701fa7d769ab6ae83b0898517e7b68b387e19a96505929d53beb996e7e035b5679ea9ae246464095c00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
7c08b2ea727f6fa30470e7cc72e11e58

SHA1
7bf602fced648aecdf2a1b0938dfc246a795f1b9

SHA256
f887e16a3663477c085bdaaedd57071b681bc638e2fa31a7271d3b1b118f620c

SHA512
d18542697681acb2590ce5dc53b24775530fa40893606794fa1cff406eef6d1d92e93fbaba6f467fd3aa466e7c2e8c67648adab6a69ee18f50a5c99de65a891a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
713c786c24f7529199321b4504713b2d

SHA1
32363f35279cf367f7b52125c49e7d8b4ebb0046

SHA256
76af836faa0a7c5f7f2cbee6add6b8c541ac1ec618dfd172a94efad6d927308c

SHA512
d525fe8e7dc7e70c37b7a0abdf7d61c76f93cf1d45e82c47fd140bb7949524b7a608d5ac658461230fe0b5a29267181aa89c902007055f0e1e2ac42d654e4b8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
baa2de8ee8a9ea72eba79cb454ce9289

SHA1
2f3e5c55389b9385a1d10bb7659e534b3bf1830a

SHA256
dabf98c23b32d3b5e84f9eac68b3c004984868c622d7580b5f4c6c807938c856

SHA512
d0c2872c452ddd4c1d58f9ee032303fa7d37f33b36c4464dd22e55de9e22d9299268e6a62000437cc31ac27c7da16e26e0dc391c9eb05d240503965af5786484

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7ab1afa8cc69b470c664ee8ce85b73bf

SHA1
4defb7bc584d7b8b029be8dab3c71e48ca02ece4

SHA256
f0073d8179ae343cdda9461a6175d6bc9103bf1c1216df6dd8007fc975a30339

SHA512
6b513962ac50afd1e487eb185dabe83c84ffe80d383700339c44694126c5a941680eea79f97d3c9e8c559b5289d4da26cecc605a5d811dd58e4362a26f616b01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
37bcb32780bb7ab5c068ef09ab6e5826

SHA1
43b5854178bf707d760b96ea678d627b96bdbb1b

SHA256
16f528b8c418cb5eaaf6ed4989c9620ea2651f8595bca23dc29a17c3e47e40ea

SHA512
fbdd29c96f39e89c9a89a658ddd1a81e6d1a199e3ae3a4a3db2e7aadb3c29ec35c18e7db77442cb477bd6202477859bd5f36ccef29a7baf5ab65c5a1857298cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
169dbb4e35d1877bbe8bbf62fbdf574a

SHA1
adc5b330c67989a6dd3844ccad08cc9af72cd608

SHA256
224be4afeef9de914ea5637a3c79a1bc303eaf1e093fc755aecd4f6c41376428

SHA512
65c5bef875cf4f3e5a5379fc69878d3721856d72de1cd62520555a3211850e19ab1b27524ae79303c382b32d27ba2d4f4b17ddb413c1d5e1689246ad48d497b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
99KB

MD5
b33d879199892c26fca1b3f6d12d24a7

SHA1
6213f7387be8d7c23f649f1aff48fe94fadaaf4c

SHA256
241812b00841b8aa16056868ba7e1aec6ab08888802ea169a02916aa7750f5f2

SHA512
5772e6167f38c4e821997f48982121f35de056225795ec05144e8a36a248a40920983aa43cd27cd252701bd7e2338bc07b1e49f2bd78b806e2d8cf322bfb9161

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe581316.TMP

Filesize
94KB

MD5
aff95d556a6c8ec1b9974f968983a0f7

SHA1
1bddf250ab7f0b2a8421f98607c60fd247002310

SHA256
955b6f76bc9c1fcdfb1681ad068d30fb70402420197769c6331fd0c657625aad

SHA512
5a1f82f2798ce273ca64b1595d4e669be1f7e6dedc47d6abe2299c5dd42de41e802a49688fa109310acbf5d5b64b962f824646816cc73e464a5114981903d11c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-4-9.106.4640.1.odl

Filesize
706B

MD5
710ed97a5ff2fe18c75f9fe06b4fb340

SHA1
b28fb180aac6a67af546481b3ffa4ce198156969

SHA256
cc91fc37f459b57345448a5b945a39780b6d796c86d7359ed06a7dea6b9f7dbe

SHA512
da8ee55b8ecc72f7d96a07e0dd0b404a52e32b2518bed491a2affad64e8bb25b5d0b6f3543b7502a58dd6037999ad8391a76e6a0319db277f6cb77f7bfe597b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
c0dd13ccdcc0b2e78aac66a1e3c7335a

SHA1
aed5cc3b317cd5be9efa7f9124ff958f48e6a640

SHA256
a2984e3e03918be99583871f02008408b5e22baedbdb90d2058a0d0c5b74eca7

SHA512
b255cf0232042fd2e4eeb5d8a78a266e355c83df6061531a8a8a2458dee5b6e85d38ca56e9226c4b2a4224797d5c778fd41fda3e0e1793be6c6709da2d0ae5e2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zqw1vh9p.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
de11c927d0ba4dee627828e6f66522d5

SHA1
6e348edea6491f67051595040a9e161ccc795d26

SHA256
aa6785ac2931dc2d0ede9086d8814e2c1f56f23efdfbdc7344bf9e5133470e9d

SHA512
da5bac3159dcd237c7ab1e486ebabe0fa79d7e053238f4ef0142f9e4a375a744d7854b1149f031cba690f46ddb0bca22bc9d9bf7f659ec47e208cb4ba2152e10

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zqw1vh9p.default-release\datareporting\glean\pending_pings\3f59483b-c6f4-4029-8ad0-b4fd5ae92096

Filesize
746B

MD5
67cc45b1c61b1eb61b889be74cd43b1d

SHA1
2a011daf472714649aef4f147dbc2563b0a7ead6

SHA256
2bcfc374a22de6c487abb4b5460534b8592a3ce06a43325875bbf3ffe4abadbb

SHA512
a5b9a69b188ef57c2e6a9674cf6e0f570b83d28797eca7660526d4d40b5452c4006fe95dc45a236be726ccd4af18ced7a649355ac12a73100ad17458a7fa60f2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zqw1vh9p.default-release\datareporting\glean\pending_pings\9153ef82-31fe-442c-8d91-29b1165655df

Filesize
12KB

MD5
f5d8473af6325faffa379ec9aec81a2d

SHA1
cc2d250737b4f8d1bb9031e69dfd7f8f89d02508

SHA256
f609ddf1fa923711e0789cb0fde334342aca7032424e35a9a15ed5c3ff3367d8

SHA512
3963832517c566b29dbd45b0c6f8e5012cba8214dcc8f5502895274fb550e33d9dbc9ba744dec2ee2f320b509633bbdfd8e9e4a588f4eec68bf91fea3930d60f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zqw1vh9p.default-release\prefs.js

Filesize
6KB

MD5
f6ec8982bdf4975d8b5f7a56f91585ad

SHA1
a4543bd7c0f282e4442e9e25679700b938ff6976

SHA256
523f0a6ad9fba3f265893cf4217d9585a174014a61f80e4d666205baef3cd5f1

SHA512
b0c67d4ca7f8f7746b39325287e9419971f13c9946c25307862cab8c31adda33412ac275526077f47bab39d41cd71e3282afefb4813a15c0a7acffaec95f6534

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zqw1vh9p.default-release\prefs.js

Filesize
6KB

MD5
d6b58b3cecfe01017a2e5a949fb9fc7b

SHA1
8e83e81e10367bc2216713714e8a338ae5ed60b7

SHA256
5987d2b7832d4061d4ab6f7349058e64e551993d0098a110ce79baf341fdf510

SHA512
c8ddb63244ee0914eedb09743a4411337186f415b518cc6edf01b2a91b76e8016cfd5e5f8ee5b71c5e78997eb28d42afc41fae20c149c03da9533d966d66494f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zqw1vh9p.default-release\sessionstore.jsonlz4

Filesize
931B

MD5
11959a945d55d1e4e2fb06bd392f607f

SHA1
2849a8fc0652c008706ffbe44f7097675e6e7e6e

SHA256
dca2e90337f3eec3260094f65c0a8117c50f167b185b3f3c92c37fb085d8945f

SHA512
c74fa07570abfc6d139548c989f30b6d31d15897961dba1d8218522f8103949d4c74560b4cd834b766acc6f028c4e78669ca90feb3b18046c9d7c2d501c27b40

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zqw1vh9p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
e036c8064b421aad8f67ec80e0d18d8a

SHA1
b20b0b315b88b074b21e780186fa71a960675c42

SHA256
3a378cd9c43710d6904102d189b1437c3c74dba44e7066d213ef9967e899916e

SHA512
29977e55539c81e864f67400ce47a510bc5daa509d599f217acb298e08ad5faf27ab82e390f14060c95287693200074f3329613663871d46f0b172480fb6345f

Download Submit
C:\Users\Admin\Downloads\download (1).crdownload

Filesize
95B

MD5
71a50dbba44c78128b221b7df7bb51f1

SHA1
0ec63b140374ba704a58fa0c743cb357683313dd

SHA256
3eb10792d1f0c7e07e7248273540f1952d9a5a2996f4b5df70ab026cd9f05517

SHA512
6ad523f5b65487369d305613366b9f68dcdeee225291766e3b25faf45439ca069f614030c08ca54c714fdbf7a944fac489b1515a8bf9e0d3191e1bcbbfe6a9df

Download Submit
C:\Users\Admin\Downloads\download:Zone.Identifier

Filesize
84B

MD5
ba7008d06d55882c8eacba61f536b80b

SHA1
7bfa9de8898fbada811028fe89e450731d9b8422

SHA256
12328f1e70db2d7808ec865e5ea39f4f9aa5b9b2daed28b8e60ac8efa7d6d657

SHA512
22f7e45d31b60484837f25473d7cf8419e357721e92b0df01fecff5436192ba757a88bb634e9cdfdc7d515b7a95bc275bf7e0744121b5f9dfa94c6b2c2bba682

Download Submit