Analysis
max time kernel: 392s
max time network: 400s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-04-2024 17:43
Static task: static1
Behavioral task: behavioral1
  Sample: TLauncher-2.919-Installer-1.3.3.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: TLauncher-2.919-Installer-1.3.3.exe
  Resource: win10v2004-20240412-en
General
Target: TLauncher-2.919-Installer-1.3.3.exe
Size: 23.0MB
MD5: 38d4740072a8962d2301b482c96ad41d
SHA1: f4058683b559f1a3cac9e19ff6121a3d990a5909
SHA256: 1127fd6ea53d54feb45168d7e98488387e11b0673123142cf8a8f84fbe73140d
SHA512: 77b981c49fdcb351a5b6cbe0a0feae3c702b98d68c71ae28b570f0e8a449c664f284059887fbf3f7d32d7e3ea0ae54ce63cd7c2c4ecfdcb89b9a9d0aab2179b7
SSDEEP: 393216:c25K22hvhyr4hQ5+kcOWyiGhtkNtdal39+ytpUcOy0rr6of5MJ7ZWqxPAIgtMIMo:5K2Q7m+QWpGEtgl3n3vObrrKJBH5lFRq
Malware Config
Signatures
Downloads MZ/PE file
Checks computer location settings (2 TTPs, 5 IoCs)
Looks up country code configured in the registry, likely geofence.
description       | ioc                                                                                                  | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | TLauncher-2.919-Installer-1.3.3.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | TLauncher-2.919-Installer-1.3.3.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | TLauncher-2.919-Installer-1.3.3.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | TLauncher-2.919-Installer-1.3.3.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | TLauncher-2.919-Installer-1.3.3.exe
Executes dropped EXE (8 IoCs)
pid  | Process
3420 | irsetup.exe
1568 | TLauncher-2.919-Installer-1.3.3.exe
5548 | TLauncher-2.919-Installer-1.3.3.exe
5928 | irsetup.exe
4064 | TLauncher-2.919-Installer-1.3.3.exe
5124 | irsetup.exe
1788 | TLauncher-2.919-Installer-1.3.3.exe
5568 | irsetup.exe
Loads dropped DLL (12 IoCs)
pid  | Process
3420 | irsetup.exe
3420 | irsetup.exe
3420 | irsetup.exe
5928 | irsetup.exe
5928 | irsetup.exe
5928 | irsetup.exe
5124 | irsetup.exe
5124 | irsetup.exe
5124 | irsetup.exe
5568 | irsetup.exe
5568 | irsetup.exe
5568 | irsetup.exe
resource                                                                    | yara_rule
behavioral2/files/0x0008000000023397-5.dat                                  | upx
behavioral2/memory/3420-12-0x0000000000E80000-0x0000000001269000-memory.dmp   | upx
behavioral2/memory/3420-617-0x0000000000E80000-0x0000000001269000-memory.dmp  | upx
behavioral2/memory/5928-1267-0x0000000000200000-0x00000000005E9000-memory.dmp | upx
behavioral2/memory/5928-1886-0x0000000000200000-0x00000000005E9000-memory.dmp | upx
behavioral2/memory/5124-1901-0x0000000000590000-0x0000000000979000-memory.dmp | upx
behavioral2/memory/5124-2522-0x0000000000590000-0x0000000000979000-memory.dmp | upx
behavioral2/memory/5568-2562-0x0000000000D40000-0x0000000001129000-memory.dmp | upx
behavioral2/memory/5568-3177-0x0000000000D40000-0x0000000001129000-memory.dmp | upx
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 10 IoCs)
Processor information is often read in order to detect sandboxing environments.
description       | ioc                                                                                  | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier    | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision     | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz                | firefox.exe
Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz                | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature    | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier    | firefox.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description       | ioc                                                                  | Process
Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                   | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  | msedge.exe
Modifies registry class (3 IoCs)
description | ioc                                                                                                                                                                                                       | Process
Key created | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings                                                                                                                       | firefox.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4084619521-2220719027-1909462854-1000\{4CE80A15-4958-4C55-B796-F566ADAC759E} | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings                                                                                                                       | msedge.exe
NTFS ADS (1 IoC)
description                   | ioc                                                                | Process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 542454.crdownload:SmartScreen | msedge.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid  | Process
5280 | msedge.exe
5280 | msedge.exe
788  | msedge.exe
788  | msedge.exe
1232 | identity_helper.exe
1232 | identity_helper.exe
1524 | msedge.exe
1524 | msedge.exe
2016 | msedge.exe
2016 | msedge.exe
5760 | msedge.exe
5760 | msedge.exe
5760 | msedge.exe
5760 | msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (14 IoCs, all from pid 788 msedge.exe)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              | pid  | Process
Token: SeDebugPrivilege | 2868 | firefox.exe
Token: SeDebugPrivilege | 2868 | firefox.exe
Suspicious use of FindShellTrayWindow (56 IoCs, from pid 2868 firefox.exe and pid 788 msedge.exe)
Suspicious use of SendNotifyMessage (41 IoCs, from pid 2868 firefox.exe and pid 788 msedge.exe)
Suspicious use of SetWindowsHookEx (20 IoCs)
pid  | Process
3420 | irsetup.exe
3420 | irsetup.exe
3420 | irsetup.exe
3420 | irsetup.exe
3420 | irsetup.exe
2868 | firefox.exe
5928 | irsetup.exe
5928 | irsetup.exe
5928 | irsetup.exe
5928 | irsetup.exe
5124 | irsetup.exe
5124 | irsetup.exe
5124 | irsetup.exe
5124 | irsetup.exe
1788 | TLauncher-2.919-Installer-1.3.3.exe
5568 | irsetup.exe
5568 | irsetup.exe
5568 | irsetup.exe
5568 | irsetup.exe
5568 | irsetup.exe
Suspicious use of WriteProcessMemory (64 IoCs; parent/child pairs are shown in the process tree below)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 3016
  [2] C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe" "__IRCT:3" "__IRTSS:24067351" "__IRSID:S-1-5-21-4084619521-2220719027-1909462854-1000"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      PID: 3420
[1] C:\Windows\System32\rundll32.exe
    cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID: 4284
[1] C:\Windows\SysWOW64\werfault.exe
    cmd: werfault.exe /h /shared Global\515004542a5d4676a77b503b192ab6c9 /t 876 /p 3420
    PID: 4684
[1] C:\Program Files\Mozilla Firefox\firefox.exe
    cmd: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3376
  [2] C:\Program Files\Mozilla Firefox\firefox.exe
      cmd: "C:\Program Files\Mozilla Firefox\firefox.exe"
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2868
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.0.1228229175\520720536" -parentBuildID 20230214051806 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f89dc637-ff12-4400-a6c2-06628286886d} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 1836 1d49ca0ee58 gpu
        PID: 856
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.1.515332813\2005320785" -parentBuildID 20230214051806 -prefsHandle 2376 -prefMapHandle 2364 -prefsLen 22280 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1332fed-f2ac-495f-b38b-405bbd2e3d98} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 2404 1d48fd88d58 socket
        - Checks processor information in registry
        PID: 3372
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.2.1556525951\735010926" -childID 1 -isForBrowser -prefsHandle 2968 -prefMapHandle 2964 -prefsLen 22318 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab079856-e670-47fb-8512-66a9f3502592} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 2980 1d49f8edb58 tab
        PID: 3588
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.3.1209212337\1783483486" -childID 2 -isForBrowser -prefsHandle 3980 -prefMapHandle 3976 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5abfac29-03a5-4b77-9a17-7c080f95318a} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 3988 1d4a1b46558 tab
        PID: 2100
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.4.1662370508\621343641" -childID 3 -isForBrowser -prefsHandle 5128 -prefMapHandle 5132 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {088c3525-4c95-4132-af0d-fbbb2e48f528} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 5168 1d4a3e66158 tab
        PID: 3604
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.5.2053481274\1594978448" -childID 4 -isForBrowser -prefsHandle 5304 -prefMapHandle 5308 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b02a870-051d-4b4d-9174-a5c8f58f58ca} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 5296 1d4a3e66758 tab
        PID: 3280
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.6.802818947\2042195371" -childID 5 -isForBrowser -prefsHandle 5496 -prefMapHandle 5500 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46aff685-30d6-4fd0-90e8-c92df9dd2752} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 5484 1d4a3e67f58 tab
        PID: 3664
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.7.643523807\2086537567" -childID 6 -isForBrowser -prefsHandle 5876 -prefMapHandle 5872 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11a2dc2f-f1c6-418b-ae21-3eea5cd7ff87} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 5888 1d4a354e658 tab
        PID: 2424
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    - Enumerates system info in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 788
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffac4d046f8,0x7ffac4d04708,0x7ffac4d04718
      PID: 1504
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
      PID: 5272
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID: 5280
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
      PID: 5372
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
      PID: 5560
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
      PID: 5572
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
      PID: 5584
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
      PID: 5552
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4132 /prefetch:8
      PID: 5964
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4132 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 1232
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
      PID: 400
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
      PID: 3872
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
      PID: 3528
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
      PID: 4360
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5784 /prefetch:8
      PID: 1156
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5796 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      PID: 1524
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
      PID: 1040
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
      PID: 5760
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
      PID: 5772
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
      PID: 6020
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
      PID: 3660
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5200 /prefetch:8
      PID: 5252
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
      PID: 6076
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7000 /prefetch:8
      PID: 3308
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7124 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 2016
  [2] C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe
      cmd: "C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe"
      - Checks computer location settings
      - Executes dropped EXE
      PID: 1568
  [2] C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe
      cmd: "C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe"
      - Checks computer location settings
      - Executes dropped EXE
      PID: 5548
    [3] C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_2\irsetup.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_2\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe" "__IRCT:3" "__IRTSS:24067351" "__IRSID:S-1-5-21-4084619521-2220719027-1909462854-1000"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
        PID: 5928
  [2] C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe
      cmd: "C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe"
      - Checks computer location settings
      - Executes dropped EXE
      PID: 4064
    [3] C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe" "__IRCT:3" "__IRTSS:24067351" "__IRSID:S-1-5-21-4084619521-2220719027-1909462854-1000"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
        PID: 5124
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2692 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
      PID: 5760
[1] C:\Windows\System32\CompPkgSrv.exe
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 5508
[1] C:\Windows\System32\CompPkgSrv.exe
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 5552
[1] C:\Windows\SysWOW64\werfault.exe
    cmd: werfault.exe /h /shared Global\e17a32795ed2427c822b9c510b215c86 /t 5636 /p 5928
    PID: 5084
[1] C:\Windows\SysWOW64\werfault.exe
    cmd: werfault.exe /h /shared Global\9b670e8ca714427896e4807c5aea1450 /t 6140 /p 5124
    PID: 2836
[1] C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe
    cmd: "C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 1788
  [2] C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_3\irsetup.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_3\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe" "__IRCT:3" "__IRTSS:24067351" "__IRSID:S-1-5-21-4084619521-2220719027-1909462854-1000"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      PID: 5568
Network
MITRE ATT&CK Enterprise v15
Downloads