Analysis
max time kernel: 1680s
max time network: 1684s
platform: windows11-21h2_x64
resource: win11-20240419-en
resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 04-05-2024 09:52
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://macappstores://apps.apple.com/gb/app/macos-sonoma/id6450717509?mt=12
Resource: win11-20240419-en
General
Target: http://macappstores://apps.apple.com/gb/app/macos-sonoma/id6450717509?mt=12

Malware Config

Signatures
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | unregmp2.exe
File opened (read-only) | \??\J: | unregmp2.exe
File opened (read-only) | \??\K: | unregmp2.exe
File opened (read-only) | \??\M: | unregmp2.exe
File opened (read-only) | \??\N: | unregmp2.exe
File opened (read-only) | \??\O: | unregmp2.exe
File opened (read-only) | \??\P: | unregmp2.exe
File opened (read-only) | \??\A: | unregmp2.exe
File opened (read-only) | \??\S: | unregmp2.exe
File opened (read-only) | \??\V: | unregmp2.exe
File opened (read-only) | \??\X: | unregmp2.exe
File opened (read-only) | \??\Z: | unregmp2.exe
File opened (read-only) | \??\Q: | unregmp2.exe
File opened (read-only) | \??\H: | unregmp2.exe
File opened (read-only) | \??\R: | unregmp2.exe
File opened (read-only) | \??\W: | unregmp2.exe
File opened (read-only) | \??\Y: | unregmp2.exe
File opened (read-only) | \??\E: | unregmp2.exe
File opened (read-only) | \??\G: | unregmp2.exe
File opened (read-only) | \??\T: | unregmp2.exe
File opened (read-only) | \??\B: | unregmp2.exe
File opened (read-only) | \??\U: | unregmp2.exe
File opened (read-only) | \??\L: | unregmp2.exe
Checks processor information in registry (2 TTPs, 15 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Enumerates system info in registry (2 TTPs, 6 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Modifies registry class (3 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2878097196-921257239-309638238-1000\{BF124E83-7DDF-44A8-9467-5C8CD5E32E74} | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings | firefox.exe
NTFS ADS (1 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\InstallMacOSX.dmg:Zone.Identifier | msedge.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
2016 | WINWORD.EXE (2 identical entries)
Suspicious behavior: EnumeratesProcesses (16 IoCs)
pid | Process
1044 | msedge.exe (2 entries)
4296 | msedge.exe (2 entries)
4684 | identity_helper.exe (2 entries)
656 | msedge.exe (2 entries)
2608 | msedge.exe (2 entries)
4376 | msedge.exe (4 entries)
720 | msedge.exe (2 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
2004 | OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (18 IoCs)
pid | Process
4296 | msedge.exe (18 identical entries)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 124 | firefox.exe
Token: SeDebugPrivilege | 124 | firefox.exe
Token: SeShutdownPrivilege | 5196 | unregmp2.exe
Token: SeCreatePagefilePrivilege | 5196 | unregmp2.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process
4296 | msedge.exe (64 identical entries)
Suspicious use of SendNotifyMessage (12 IoCs)
pid | Process
4296 | msedge.exe (12 identical entries)
Suspicious use of SetWindowsHookEx (21 IoCs)
pid | Process
2016 | WINWORD.EXE (7 entries)
2004 | OpenWith.exe (13 entries)
124 | firefox.exe (1 entry)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4296 wrote to memory of 4188 | 4296 | msedge.exe | 80
PID 4296 wrote to memory of 2440 | 4296 | msedge.exe | 81
PID 4296 wrote to memory of 1044 | 4296 | msedge.exe | 82
PID 4296 wrote to memory of 4560 | 4296 | msedge.exe | 83
(identical rows collapsed; the report lists 64 entries in total)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree depth shown by indentation)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4296)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://macappstores://apps.apple.com/gb/app/macos-sonoma/id6450717509?mt=12
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4188)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdf2e03cb8,0x7ffdf2e03cc8,0x7ffdf2e03cd8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2440)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1784,8723746124692955277,339807281980746259,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1888 /prefetch:2

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1044)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1784,8723746124692955277,339807281980746259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4560)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1784,8723746124692955277,339807281980746259,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2816)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,8723746124692955277,339807281980746259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3456)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,8723746124692955277,339807281980746259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2748)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,8723746124692955277,339807281980746259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4368)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,8723746124692955277,339807281980746259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe  (PID 4684)
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1784,8723746124692955277,339807281980746259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2096)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,8723746124692955277,339807281980746259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 656)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1784,8723746124692955277,339807281980746259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1920)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,8723746124692955277,339807281980746259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1516)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,8723746124692955277,339807281980746259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4368)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,8723746124692955277,339807281980746259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2212)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,8723746124692955277,339807281980746259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2552)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1784,8723746124692955277,339807281980746259,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5568 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2608)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1784,8723746124692955277,339807281980746259,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3548 /prefetch:8
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2280)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,8723746124692955277,339807281980746259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4336)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,8723746124692955277,339807281980746259,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3892)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,8723746124692955277,339807281980746259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3972)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,8723746124692955277,339807281980746259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1580)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,8723746124692955277,339807281980746259,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2392)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,8723746124692955277,339807281980746259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2208)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,8723746124692955277,339807281980746259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4204)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,8723746124692955277,339807281980746259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4228)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,8723746124692955277,339807281980746259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4376)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1784,8723746124692955277,339807281980746259,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1020 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 720)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1784,8723746124692955277,339807281980746259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 /prefetch:8
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\CompPkgSrv.exe  (PID 1516)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  (PID 3132)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\svchost.exe  (PID 3480)
  C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (PID 2016)
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\rundll32.exe  (PID 2072)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\OpenWith.exe  (PID 2004)
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1624)
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\Unconfirmed 63456.crdownload"

    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 124)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\Unconfirmed 63456.crdownload"
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

      C:\Program Files\Mozilla Firefox\firefox.exe  (PID 784)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 25459 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8f7b70e-9bac-462a-8e8e-7d9485e835c0} 124 "\\.\pipe\gecko-crash-server-pipe.124" gpu

      C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1480)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2384 -parentBuildID 20240401114208 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 26379 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42b1bb01-1514-4d37-9306-1283d73d6220} 124 "\\.\pipe\gecko-crash-server-pipe.124" socket
        - Checks processor information in registry

      C:\Program Files\Mozilla Firefox\firefox.exe  (PID 4908)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3292 -childID 1 -isForBrowser -prefsHandle 3284 -prefMapHandle 3280 -prefsLen 26520 -prefMapSize 244658 -jsInitHandle 1388 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2828d86d-b16c-42c9-89ea-4a492c89f45d} 124 "\\.\pipe\gecko-crash-server-pipe.124" tab

      C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1360)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3584 -childID 2 -isForBrowser -prefsHandle 3576 -prefMapHandle 3256 -prefsLen 30869 -prefMapSize 244658 -jsInitHandle 1388 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d6386a2-f4a5-4dc4-8546-dd77faac951e} 124 "\\.\pipe\gecko-crash-server-pipe.124" tab

      C:\Program Files\Mozilla Firefox\firefox.exe  (PID 5428)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4380 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4360 -prefMapHandle 4260 -prefsLen 30869 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a7151d9-224f-47d9-a404-8ede29ac9912} 124 "\\.\pipe\gecko-crash-server-pipe.124" utility
        - Checks processor information in registry

      C:\Program Files\Mozilla Firefox\firefox.exe  (PID 4488)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5448 -childID 3 -isForBrowser -prefsHandle 5464 -prefMapHandle 5460 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1388 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57e68376-5ff6-482c-bbfb-5f87d9254dfc} 124 "\\.\pipe\gecko-crash-server-pipe.124" tab

      C:\Program Files\Mozilla Firefox\firefox.exe  (PID 4620)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5692 -childID 4 -isForBrowser -prefsHandle 5612 -prefMapHandle 5620 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1388 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83bcc61a-727d-4de3-a11f-bd8870866235} 124 "\\.\pipe\gecko-crash-server-pipe.124" tab

      C:\Program Files\Mozilla Firefox\firefox.exe  (PID 5604)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5812 -childID 5 -isForBrowser -prefsHandle 5888 -prefMapHandle 5884 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1388 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73270105-c85c-4881-a7e8-cb34029dde1e} 124 "\\.\pipe\gecko-crash-server-pipe.124" tab
C:\Program Files (x86)\Windows Media Player\wmplayer.exe  (PID 5304)
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding

  C:\Program Files (x86)\Windows Media Player\setup_wm.exe  (PID 5268)
    "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding

  C:\Windows\SysWOW64\unregmp2.exe  (PID 5244)
    "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

    C:\Windows\system32\unregmp2.exe  (PID 5196)
      "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
152B
MD57c16971be0e6f1e01725260be0e299cd
SHA1e7dc1882a0fc68087a2d146b3a639ee7392ac5ed
SHA256b1fa098c668cdf8092aa096c83328b93e4014df102614aaaf6ab8dc12844bdc0
SHA512dc76816e756d27eedc2fe7035101f35d90d54ec7d7c724ad6a330b5dd2b1e6d108f3ae44cedb14a02110157be8ddac7d454efae1becebf0efc9931fdc06e953c
-
Filesize
152B
MD5bdf3e009c72d4fe1aa9a062e409d68f6
SHA17c7cc29a19adb5aa0a44782bb644575340914474
SHA2568728752ef08d5b17d7eb77ed69cfdd1fc73b9d6e27200844b0953aeece7a7fdc
SHA51275b85a025733914163d90846af462124db41a40f1ce97e1e0736a05e4f09fe9e78d72316753317dabea28d50906631f634431a39384a332d66fa87352ff497f8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD5f33b0173cc207a8796d86cb57d3a6b80
SHA12bd89ef4adefba5063dc4b4c7b80eef4865486b3
SHA2567fd8e53a41631b72e0e77ef4ebe120c8d235ba8acbad757cc8953a11321a573b
SHA512876563a5c2f645d3b0061901c74ee6803815b26f30d7917a7ceaa38d3a13d7ce031d662115639a39a6f93d52182193f860ee93fa9aa7ac791529c4592f808fd5
-
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zdbhklj.default-release\datareporting\glean\db\data.safe.tmp (5KB)
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zdbhklj.default-release\datareporting\glean\db\data.safe.tmp (5KB)
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zdbhklj.default-release\datareporting\glean\pending_pings\23e02bc2-da25-47e6-8caf-1c82ff195d29 (23KB)
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zdbhklj.default-release\datareporting\glean\pending_pings\7930e23d-2823-44f0-b676-73451c611a27 (671B)
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zdbhklj.default-release\datareporting\glean\pending_pings\feb8d1a9-45e2-4946-b3db-949b10b17aaa (982B)
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zdbhklj.default-release\sessionCheckpoints.json.tmp (288B)