Analysis

max time kernel: 128s
max time network: 137s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 27/05/2024, 19:06
Static task: static1
Behavioral task: behavioral1
Sample: Screenshot_669.png
Resource: win10-20240404-en
General

Target: Screenshot_669.png
Size: 673KB
MD5: faf5a49e81f44a0ad2a62d05ed4a7a19
SHA1: 0778c8e500f653892c6a4991ebf874a7f7cfa998
SHA256: 37cd90d1f0591d1b80ac337fda767da566a41e86de8f1ebf9cf12419865563e2
SHA512: 869641f75ecc1351af0fd62a07316ce01d4dd77f8d487effd1b962fb6e85f369443e12337a2264ffd76a3b0af4bb64db1fb504379f8f79534d63876b80ccc63b
SSDEEP: 12288:LI8knVB9dtWtGIJZ1qLCTQvwlH7pJgtP2rVbKog8sw+6YbB8NrVH7f5ISQfPK:2B9dtAGIL1qLCMviH7pJggjIwxiB8NrN

Malware Config

Signatures
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
--- | --- | ---
File opened (read-only) | \??\J: | unregmp2.exe
File opened (read-only) | \??\K: | unregmp2.exe
File opened (read-only) | \??\L: | unregmp2.exe
File opened (read-only) | \??\T: | unregmp2.exe
File opened (read-only) | \??\Y: | unregmp2.exe
File opened (read-only) | \??\W: | unregmp2.exe
File opened (read-only) | \??\Z: | unregmp2.exe
File opened (read-only) | \??\E: | unregmp2.exe
File opened (read-only) | \??\I: | unregmp2.exe
File opened (read-only) | \??\Q: | unregmp2.exe
File opened (read-only) | \??\S: | unregmp2.exe
File opened (read-only) | \??\U: | unregmp2.exe
File opened (read-only) | \??\P: | unregmp2.exe
File opened (read-only) | \??\R: | unregmp2.exe
File opened (read-only) | \??\A: | unregmp2.exe
File opened (read-only) | \??\G: | unregmp2.exe
File opened (read-only) | \??\H: | unregmp2.exe
File opened (read-only) | \??\M: | unregmp2.exe
File opened (read-only) | \??\O: | unregmp2.exe
File opened (read-only) | \??\B: | unregmp2.exe
File opened (read-only) | \??\N: | unregmp2.exe
File opened (read-only) | \??\V: | unregmp2.exe
File opened (read-only) | \??\X: | unregmp2.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
--- | --- | ---
File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | MicrosoftEdge.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | MicrosoftEdgeCP.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 16 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
--- | --- | ---
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
description | ioc | Process
--- | --- | ---
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
Modifies registry class 64 IoCs
description | ioc | Process
--- | --- | ---
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" | MicrosoftEdge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main | MicrosoftEdgeCP.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0" | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-0876022 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0" | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 8e6db95969b0da01 | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer | MicrosoftEdgeCP.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ea9af65969b0da01 | MicrosoftEdge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Packag = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164C = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000 | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000 | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000" | MicrosoftEdgeCP.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer\Main\OperationalData = "1" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3 | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus | MicrosoftEdge.exe
Suspicious behavior: MapViewOfSection 4 IoCs
pid | Process
--- | ---
2032 | MicrosoftEdgeCP.exe
2032 | MicrosoftEdgeCP.exe
2032 | MicrosoftEdgeCP.exe
2032 | MicrosoftEdgeCP.exe
Suspicious use of AdjustPrivilegeToken 16 IoCs
description | pid | Process
--- | --- | ---
Token: SeDebugPrivilege | 1520 | firefox.exe
Token: SeDebugPrivilege | 1520 | firefox.exe
Token: SeShutdownPrivilege | 6004 | unregmp2.exe
Token: SeCreatePagefilePrivilege | 6004 | unregmp2.exe
Token: SeDebugPrivilege | 5584 | firefox.exe
Token: SeDebugPrivilege | 5584 | firefox.exe
Token: SeDebugPrivilege | 4356 | MicrosoftEdgeCP.exe
Token: SeDebugPrivilege | 4356 | MicrosoftEdgeCP.exe
Token: SeDebugPrivilege | 4356 | MicrosoftEdgeCP.exe
Token: SeDebugPrivilege | 4356 | MicrosoftEdgeCP.exe
Token: SeDebugPrivilege | 4740 | MicrosoftEdgeCP.exe
Token: SeDebugPrivilege | 4740 | MicrosoftEdgeCP.exe
Token: SeDebugPrivilege | 4740 | MicrosoftEdgeCP.exe
Token: SeDebugPrivilege | 4740 | MicrosoftEdgeCP.exe
Token: SeDebugPrivilege | 6052 | MicrosoftEdge.exe
Token: SeDebugPrivilege | 6052 | MicrosoftEdge.exe
Suspicious use of FindShellTrayWindow 8 IoCs
pid | Process
--- | ---
1520 | firefox.exe
1520 | firefox.exe
1520 | firefox.exe
1520 | firefox.exe
5584 | firefox.exe
5584 | firefox.exe
5584 | firefox.exe
5584 | firefox.exe
Suspicious use of SendNotifyMessage 6 IoCs
pid | Process
--- | ---
1520 | firefox.exe
1520 | firefox.exe
1520 | firefox.exe
5584 | firefox.exe
5584 | firefox.exe
5584 | firefox.exe
Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
--- | ---
1520 | firefox.exe
5584 | firefox.exe
6052 | MicrosoftEdge.exe
2032 | MicrosoftEdgeCP.exe
4356 | MicrosoftEdgeCP.exe
2032 | MicrosoftEdgeCP.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
--- | --- | --- | ---
PID 4960 wrote to memory of 1520 | 4960 | firefox.exe | 74
PID 4960 wrote to memory of 1520 | 4960 | firefox.exe | 74
PID 4960 wrote to memory of 1520 | 4960 | firefox.exe | 74
PID 4960 wrote to memory of 1520 | 4960 | firefox.exe | 74
PID 4960 wrote to memory of 1520 | 4960 | firefox.exe | 74
PID 4960 wrote to memory of 1520 | 4960 | firefox.exe | 74
PID 4960 wrote to memory of 1520 | 4960 | firefox.exe | 74
PID 4960 wrote to memory of 1520 | 4960 | firefox.exe | 74
PID 4960 wrote to memory of 1520 | 4960 | firefox.exe | 74
PID 4960 wrote to memory of 1520 | 4960 | firefox.exe | 74
PID 4960 wrote to memory of 1520 | 4960 | firefox.exe | 74
PID 1520 wrote to memory of 672 | 1520 | firefox.exe | 75
PID 1520 wrote to memory of 672 | 1520 | firefox.exe | 75
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 520 | 1520 | firefox.exe | 76
PID 1520 wrote to memory of 2000 | 1520 | firefox.exe | 77
PID 1520 wrote to memory of 2000 | 1520 | firefox.exe | 77
PID 1520 wrote to memory of 2000 | 1520 | firefox.exe | 77
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Screenshot_669.png
  PID: 2512

C:\Program Files\Mozilla Firefox\firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Suspicious use of WriteProcessMemory
  PID: 4960

  C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1520

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.0.2142032419\681885644" -parentBuildID 20221007134813 -prefsHandle 1704 -prefMapHandle 1680 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1da0d01b-c6e4-423f-89c2-54fb1a2ffea2} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 1796 1ba46dd8a58 gpu
      PID: 672

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.1.805141899\298033704" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc45cbc9-2165-4c8b-ba85-976678260f33} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 2152 1ba3bb72558 socket
      - Checks processor information in registry
      PID: 520

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.2.2147028412\1079500831" -childID 1 -isForBrowser -prefsHandle 3008 -prefMapHandle 3024 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f225f387-3a60-479c-a146-e8fdaa5c784d} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 2996 1ba46d5cb58 tab
      PID: 2000

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.3.1539832661\2038680017" -childID 2 -isForBrowser -prefsHandle 3532 -prefMapHandle 3528 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {45052f5d-027f-4893-8b6e-7770c8c64151} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 3536 1ba3bb62b58 tab
      PID: 1572

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.4.1118984791\376083299" -childID 3 -isForBrowser -prefsHandle 3916 -prefMapHandle 3300 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e85c8732-8a29-4102-ae7a-ae16c8aa0dbf} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 3896 1ba4b3c4758 tab
      PID: 4732

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.5.1129974136\14621525" -childID 4 -isForBrowser -prefsHandle 4932 -prefMapHandle 4768 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a29e3da-3c6d-4482-9788-8825d00adcee} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 4596 1ba4df9de58 tab
      PID: 4244

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.6.1246488677\663933885" -childID 5 -isForBrowser -prefsHandle 5084 -prefMapHandle 5080 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {94b52b54-e648-46e8-866a-64aabee90801} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 3532 1ba4df9e158 tab
      PID: 604

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.7.1246496987\599212798" -childID 6 -isForBrowser -prefsHandle 5192 -prefMapHandle 5196 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {22dbae7a-9f89-485c-a280-cd9cb8e064ce} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 5180 1ba4df9db58 tab
      PID: 4048

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.8.130921710\121774774" -childID 7 -isForBrowser -prefsHandle 5384 -prefMapHandle 5392 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bbe088e-0b20-4465-982e-66e50376dccc} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 5376 1ba3bb66b58 tab
      PID: 2452

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.9.1308446641\2123261126" -childID 8 -isForBrowser -prefsHandle 4452 -prefMapHandle 4496 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3649397c-026e-407b-acfe-69317634391a} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 4540 1ba46d0c958 tab
      PID: 4152

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.10.924717105\1049638565" -parentBuildID 20221007134813 -prefsHandle 5828 -prefMapHandle 5028 -prefsLen 26328 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6f7ab4b-7d98-4b1b-a1c2-3e118c439bff} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 4620 1ba4bed2858 rdd
      PID: 752

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.11.462798372\920789521" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 5840 -prefMapHandle 5852 -prefsLen 26328 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cebf709c-1c4c-4dd4-8fa3-6d62bf13bb7b} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 5944 1ba4c110458 utility
      PID: 5108

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.12.118873210\400280486" -childID 9 -isForBrowser -prefsHandle 6104 -prefMapHandle 6100 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cacfb3f7-fc71-4f43-b5f4-967bb32662b0} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 6112 1ba4bb10458 tab
      PID: 3720

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
  PID: 5912

  C:\Program Files (x86)\Windows Media Player\setup_wm.exe
    Command line: "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
    PID: 5944

  C:\Windows\SysWOW64\unregmp2.exe
    Command line: "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
    PID: 5960

    C:\Windows\System32\unregmp2.exe
      Command line: "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
      PID: 6004
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵PID:3692
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5584 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5584.0.711185369\1095834317" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1692 -prefsLen 20871 -prefMapSize 233543 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3237ea38-1f81-4b6c-90c0-332f623910ec} 5584 "\\.\pipe\gecko-crash-server-pipe.5584" 1796 29dd57b9758 gpu3⤵PID:4292
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5584.1.1445675566\2080464002" -parentBuildID 20221007134813 -prefsHandle 2116 -prefMapHandle 2112 -prefsLen 20952 -prefMapSize 233543 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2142d5e7-f7e9-4661-88fd-30e290767872} 5584 "\\.\pipe\gecko-crash-server-pipe.5584" 2136 29dc2c72e58 socket3⤵
- Checks processor information in registry
PID:5704
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5584.2.1585238565\1184136273" -childID 1 -isForBrowser -prefsHandle 3220 -prefMapHandle 3228 -prefsLen 21055 -prefMapSize 233543 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fca5d78d-0d93-42c2-9dcd-61eb8c195abe} 5584 "\\.\pipe\gecko-crash-server-pipe.5584" 3240 29dd8f9e558 tab3⤵PID:5736
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5584.3.1748716395\1742114691" -childID 2 -isForBrowser -prefsHandle 3192 -prefMapHandle 3188 -prefsLen 26233 -prefMapSize 233543 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a85e327-7b36-4462-86a4-983022f9536b} 5584 "\\.\pipe\gecko-crash-server-pipe.5584" 3168 29dd9ff6358 tab3⤵PID:1712
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5584.4.2014976336\567643322" -childID 3 -isForBrowser -prefsHandle 4120 -prefMapHandle 4116 -prefsLen 26233 -prefMapSize 233543 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0eb0ba9-0c3b-4d10-a73f-b4d59764c7e1} 5584 "\\.\pipe\gecko-crash-server-pipe.5584" 4132 29ddb3cf558 tab3⤵PID:4304
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5584.5.1601636317\1392774316" -childID 4 -isForBrowser -prefsHandle 4500 -prefMapHandle 4496 -prefsLen 26233 -prefMapSize 233543 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fabe7dff-ee1f-42d2-a8b3-d4de5e7702cd} 5584 "\\.\pipe\gecko-crash-server-pipe.5584" 4456 29ddb3d2558 tab3⤵PID:5980
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5584.6.1302763117\384229563" -childID 5 -isForBrowser -prefsHandle 4608 -prefMapHandle 4612 -prefsLen 26233 -prefMapSize 233543 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b384c7a9-96d1-4309-970b-d6e4e995abc4} 5584 "\\.\pipe\gecko-crash-server-pipe.5584" 4596 29ddb3d0a58 tab3⤵PID:5964
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5584.7.264903907\494217015" -childID 6 -isForBrowser -prefsHandle 4812 -prefMapHandle 4816 -prefsLen 26233 -prefMapSize 233543 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b6ac049-6cb0-487b-91b2-de1c6adbddca} 5584 "\\.\pipe\gecko-crash-server-pipe.5584" 4800 29ddb3d1658 tab3⤵PID:5996
-
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:6052
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:5476
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2032
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4356
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4740
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:752
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
64KB
MD598df921f667bf303621c789390ed9f2e
SHA1d9c82e51534cf1c2eb5a255286de6a09ca364d1a
SHA2568b8497d37fa9ddd44e275aa7631d7c7173c384a501d11e73e3d4401513c4bbe3
SHA51258e896295763c2729c5a19986356e7cc7706265bbda5cd9cec98201ec9ce86c4b68a3e388c86aba198870ca4b8ab1a7876f2d8e1fff7437216dd2789b3ed3796
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F
Filesize11KB
MD59a9033b42a7fcb91cb22143950a3ffd6
SHA1db9d9e46d83a134c39c7ff7d6b07e89d09c763fa
SHA25612575381a56277f506577ae73d3c4dd9f2615265bc2fc93a237d9ea5df2dfc59
SHA5121cdf900a2aa072ca849e85cf2308fb38e459e81768d6abddafb7648f471f282cf66f40c819b04e5a882d93b1f492486a915e1ec893a0d24eb43a303bf8afa717
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize7KB
MD5c460716b62456449360b23cf5663f275
SHA106573a83d88286153066bae7062cc9300e567d92
SHA2560ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0
SHA512476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\startupCache\scriptCache.bin
Filesize7.7MB
MD583f257c1400d958be29329f7da8c3ebe
SHA1b22050c7cf522d5232c29e30715b76c08e4be168
SHA256e8ac78cd24c344d73b6d77138c583efc721a9a2dc791f337d593c6123ef0bde3
SHA51242b2906e8d06d88b7647ab4c89bcfe701bae5ae21a135ee308eaea6c0306be6a019f715cd06f613f969d3723c1c10647a0ee9500257bb03b446fd1c33171b3db
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\startupCache\urlCache.bin
Filesize2KB
MD57d0a6c9c1bf7c542de9c50793c00ac0a
SHA1ae53836b8f2451c63b1438a5811b4f0f6b497813
SHA256ec8a26b5da6ff640f90dbccfe2daeb2f984f8caf4710df2d64bf7ac989a1441c
SHA51205706e5b1234d657438d466962d69c96c5f39ca18ae591c0a0d682e571cd1cb26cf1fd85cab52ff28df59bf727ec1545be2871e1361bff30157558d324e96c83
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF0D1D22F016C415B2.TMP
Filesize16KB
MD5d147dc1e7531b845694a0366ace1f4e7
SHA10c3120ce43d7f950f4589aedf7ccc810e468c892
SHA25699d264af5289dd3ea2d9ac547b6e19636d4711a07f0c53ba284cde06a71a8aab
SHA512feb7904e6f5e528bc323fc5797da923fadf77593dc6c8730cbf72bf1616b02cf960fab683fb5e5e91ffacc57a00383ecf6a1ba0432cc1127fac353f6103e6f0c
-
Filesize
546B
MD5df03e65b8e082f24dab09c57bc9c6241
SHA16b0dacbf38744c9a381830e6a5dc4c71bd7cedbf
SHA256155b9c588061c71832af329fafa5678835d9153b8fbb7592195ae953d0c455ba
SHA512ef1cc8d27fbc5da5daab854c933d3914b84ee539d4d2f0126dc1a04a830c5599e39a923c80257653638b1b99b0073a7174cc164be5887181730883c752ba2f99
-
Filesize
1KB
MD5308a73e186f10bb0fb97d842cccfb12d
SHA156589e38922f32ca1599e1807e76343edf5f44cc
SHA2569de8dc3c6d2330ef1feeedbff656698ce2ae80b924633fe784c8582d9e343cc7
SHA5122abd28310750ea6bd9859852355ee6b364c3c4096d6edd8a466f5d26bb839beb2e5bcab81a1e4fc9eb06859279fe811475d3d53083ce977c28e58847e01339ab
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\AlternateServices.txt
Filesize1KB
MD5ed4dea7d6ee28685aa96620612af1c3a
SHA15942a53ddc4748ce6e7c883a8cd267a4e433f243
SHA256bcdfb03680242c6a3632e70bd5448166d278a281eaed05d3e33429c13e9c8ae7
SHA512f6adb226b5218bb09fdaeeafbc2f18bb75361973cd68163bfd9ae9767d760afe8c4e5af587c9caac5b420d7a4bd873d4953db40b324b2bccf325c9599c1433fa
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\SiteSecurityServiceState.txt
Filesize409B
MD5c4c6d8ee5c78e0a6a368ca349e01a3b0
SHA1efc5965e17a6dcd1954c2149b1dc5dddc0f1f637
SHA2566bebea058a08803e275b7e3435d41b8df7dcaae213690c4eef24b8f57c52adfd
SHA5122c0f41fd9f8efa28f63f38a729ac9d6929b22eba3d38e7dadd4415531ec1e09a85f0f9f222625f1e1e19d95e793d4b44da97c18200731f5302eab47367928cd2
-
Filesize
224KB
MD537610b8ae7d46b26250b4c5faafe3603
SHA11b07d30b33b2025dc7f202c5423b841796a47fa4
SHA256c40bdd555673eab6cd861bcd7cc3b0f47a1796e338ad0ceabe49dfdbb6978742
SHA512d7dd264b3174f4f66d17ba43839a41f43f4cf10b1484b1e1cf350a8482f9dfd6c0a9345a320a735d3b33607e4bf9bcd132691b17f2ebca488d35278cce942cc3
-
Filesize
512KB
MD5302115dabeca30b1db4cd9aa0914209d
SHA1c0551568e1a0eaf47648ed8a082944272f839713
SHA256e629af49e28385f932d28f2c1b7c98977f4dc7c949e567aa168ea1da92af574b
SHA512e0abc35ca6979d3e6208693309636a0d03720a7b24e5416c2a91269a6327eb7a96e22e99240eb2f9466b535098c2531262b2db77aec1192d2059d134599d928a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD59fcff1cd11de776f8071930e062a4f7f
SHA123ae5a83f330676392560da2681f98acd43bdba4
SHA2564c65f7ec9e0d653192a1ea56315db68cf2b5b432b5c599715bc2e330c9043d60
SHA51287fed97200e01a30c8e63a0dddb4edc95ecdf9472df18c55de2cdd16bca1ac20eba7e826939b9e98a4d07a79a3a7ffff68a6fbfc3d8a33da4ad2a8ef1494203d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\db\data.safe.bin
Filesize12KB
MD5156bfc99633d64f3dc967623fd824b04
SHA1b3b348dcadfb68539ea65a1791045b973b36154d
SHA2567c64fc4997de50c18337e79e7eba1b6588ca449a06bb8312dc5211bf4d52e078
SHA512a992e4d7e5c08823555ade70bad2516307a7e0400c1a5da248f59273d966fc5608f245fe4b30b31667ba06f9b5df5d4ac70ff238580977bccf45939e1a8134f7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\events\events
Filesize166B
MD543fd170218cc927a3474d69fd69e45d5
SHA1867c5f23568101298fa173ccd586226ecaf70bec
SHA25694b5429cba41fe6de17b87ccc59e76120aeaa1a644c0553879e6583736e04c97
SHA512039c7eb4cfca2175f4b159304a476b772c5ec933e91ecdccc90ae81635a90d844fcf6e38eb11a778ecc9e528a9b9ab00b11f69079e75e7f20789522011f16129
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\pending_pings\3a50357d-ffdc-4d8a-830c-2f0dcf998b46
Filesize746B
MD5631264f3b45d70ba4d5039a25cf5523f
SHA102dae4add63f8e823aa99e8aace34170c1bde041
SHA2569805758a44828cfa7364ce00d523fc0340d79217630500c7051889ad6a8c854a
SHA512dd7eabe1bab3d5cfba27e6745e3900a0e24b36b75a47e2690575a9a76e3f0beeaf52956fe38da485c3370cb88a2f4fa7cda222462ccf9098cb7f97483fc0e3fd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\pending_pings\9883389b-bce2-4321-a3c9-3ddc5565b319
Filesize9KB
MD559f86240e182d6cb8251bd75d707d0bf
SHA195df80ada930ac638042c88d0593cf96d35f165d
SHA256d80c16b515e2f930a7285665887234c79e156a2eb7e0b5fdf7b7003b3abc33bc
SHA5127ce074343d434413891ab041588d7cb84efb710f991cd1a7f1861ec55c9ac7414dae97f99ac0d91de6a6c4aa82bcb5c067bae0d9ecd5195f96cd3cc806b3712d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\pending_pings\e7ac4fae-1c2e-4756-8c49-b1a06af3aa9d
Filesize790B
MD55883e2c9de03e9724ac4c14055c179a0
SHA16d70b4b6c40b6394f07206e228d41a066f4c7896
SHA256372d1920a05ec99f6e5813e216f5b153231ef1ac947112ea288b91d61d257610
SHA512e541fd4cc3db9ed809a118bc5715ff121724f9bce8423bf387afb15b10f00a0f03b87e6e09fd091702a01a8e06214cec4edf3a364414bd6a6e475249911110f5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\pending_pings\ec0e80a5-b613-4297-9f6b-fb365433fb2a
Filesize771B
MD5b85688d8c5f9f1873f08b70c8eb2b7c3
SHA120849a3d50e36e5a8f4d1c2ba85f929172316a8e
SHA2560676d574c2abd0a5dc10b0fdc1b05e855c51a58f60d89611bb087ee9bb127d05
SHA512a8b62d7362027ee4062bc6bf18b68ddb9e0fade252bd7594890ecb5347812cf75bde7bfbfd8b0074d5d0259def6e7a5c49087a9f8ebfb4bfc0e7763bff47a400
-
Filesize
5.0MB
MD52ab772b122b85998b6b33d6571a204ed
SHA17f90f82112d15ed4ddc7b31c18758e4a507afff2
SHA256e088627b81f14b2ef39f8d156091fd47f51abb338a2fa4c0a64db03a53472929
SHA512fa4dd83ee4bf7b81797cb40df100f1397c38d7846c60789075ee1a34c00909d3e27bd0b96f35a519f80d023673e5ef71e882b0eac763cd7701696a5b8dea330b
-
Filesize
96KB
MD500e28365345074ccb475ee6b920ce17f
SHA104617057809d38820ca89ecc7f6d1052f095e280
SHA2564a435c8eff48fed75e9ad2a483df3d7c5cd3f7a22bd9a4d82570024a0a1124c6
SHA512f0f58b99331a3580f6570342a82d851e7e14f2594dfac8227769383bb1fde22e9b85e35c6791ee473659ae0a958d5ae435b6af17a7970263ff0f31e794058b1a
-
Filesize
5.0MB
MD5cb45818750ff0b6e49c29b6d85a2f98d
SHA19a705e54281466ceb8b1767efcf72a355ac02643
SHA2564ed4446577f044eb9fd6ebadf59f1bbeb57c51757f497fc63fc76cf1a4ccfa70
SHA5121b217b1c66cadc7c8debf690e2b980dd38abc06b5f18b1609b529319204f08e591bc9ea30de8a6cbebe3b72e96bbe10fa609021ecf91c4b4c59fa6967d53df0e
-
Filesize
6KB
MD5c44e440cc0a6c6e3d0180d143e544b78
SHA1fa3e245256b750c1916ac0ab4dde550dba44952f
SHA256d05643ac29dd48f77bee2d66efb2ccc99d2266f6356f7b1bbc72de55ef01bb38
SHA51223bab00c3ec99c7749da70da3f456b7653305a5a40872971fd2e8c0805ea4e9f172f6f89dc5782c67e4f630a5dba5af2ea2c84d988437bd51bf8e430d2f61c4d
-
Filesize
6KB
MD5ef7710d2d51bef422f4a1aa7426218c3
SHA12a9cd72980b5fcd7dd76ba30d6f966b3725ccd6a
SHA25641ebb5e7d9e46602420ed9d9e0206842b565e0f9bffaffedb11fe7a9b34c5c11
SHA51262bc8ef3ea11f142d82020f0eda04408a80324170ded5a46f0d9ff360b06ee0bbcef0e7e96676fdbe93113ca8b3f993f3e42301120b287cdbdaf9c4bcf6e3743
-
Filesize
6KB
MD5857c213810c165965e6376b414286559
SHA1c0b96d99f585f620b3d071258f80d73d15b82f76
SHA256e46ff7abcbc5a5ef3fa29aee6077fc78d09884154206a49f3c6d8f0a7d48f166
SHA51295297ce24c035ff4287c63ebb7367ce18e9d3a38fe3a82e1ce374b00d13aaa9a77e9b51cfac1f79375be8bfa4b741edafd738a724e91d1dba62bc755a08d77f6
-
Filesize
6KB
MD5f0140613bb83309e55ecc5bc69b6df0e
SHA142514dcacda926be0b9a5ea5ee2a58569702384c
SHA256ca418d968fd51fe17787ae7d38ec11d83601a19abc94c589e2ffd7040ae4a751
SHA51284a96e66bc39ca0e01f35ddca0f96ce17b5d0e454a942a091f5632b3efb042963c4fd908d30189091f6614d30a3e4755cd479a47ed1db71c3bf93360249b3731
-
Filesize
6KB
MD58e9d0368b34aa5d4b726fafb2b5dd314
SHA1da2808cc67f999a62b1f1adcdc7e34e1b4074028
SHA256cdfb708756a2cafc5aa8d79c089e3f8a5c75dd9daefe509be6824bbbf7a86f0b
SHA512f4b9c5b317bb654cbfcdb70c9faf036601f0324b09cfb2c5dfecae8e4bb4eda7d26212148944625a26a2b1244b80c3eb16ad57f5fdac04f7d115897f589c4c6b
-
Filesize
6KB
MD5a817af6d1f2010b2125ac7ad10f17d1d
SHA19d7648f8fd42d727be53810f99e326bc51ea4546
SHA2560e4d138643de853c0745bc3d23c5bebb8d644d0ef0523aaf9255af2ea820615a
SHA512ae8894761f8c0bd6f430935868be0e70749491c1bf72341366398865c01e498bfc48a6e5d61adb0b5d78de06ba0637b978573020b93c60edc14b6e210ffff0f7
-
Filesize
64KB
MD5deeced8825e857ead7ba3784966be7be
SHA1e72a09807d97d0aeb8baedd537f2489306e25490
SHA256b9f022442a1506e592bf51284091a8a7fe17580b165d07e70c06fd6827343a54
SHA51201d303232d6481af322137b44fef6c2a584f0643c48bab2836f9fe3193207015da7f7514fe338500ae4469651e3d9618293858ae507e722198a249257677099e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionCheckpoints.json
Filesize288B
MD56b77a9f779399e95d1cee931a2c8f8ff
SHA1826efd4feb0d50fcce5696111af7c811b81adcd9
SHA2563a0285c8233ef0324b269f7291094e19fd9b77259f9419861ad796f7e9c979f3
SHA512ef537c75fab8e86483ac03cc0d2feaf41575e35f54b95669a26bf6dfbf58021dc9a5bbe54d9537b55da3fbb0e0262adf6c5efd4394faaec81a31604533afec4f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionCheckpoints.json.tmp
Filesize90B
MD5c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA15942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA25600ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA51271ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionCheckpoints.json.tmp
Filesize146B
MD565690c43c42921410ec8043e34f09079
SHA1362add4dbd0c978ae222a354a4e8d35563da14b4
SHA2567343d5a46e2fca762305a4f85c45484a49c1607ede8e8c4bd12bedd2327edb8d
SHA512c0208d51cf1586e75f22764b82c48ecbb42c1ff54aa412a85af13d686e0119b4e49e98450d25c70e3792d3b9c2cda0c5ab0c6931ebaf548693bb970a35ae62b9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionCheckpoints.json.tmp
Filesize53B
MD5ea8b62857dfdbd3d0be7d7e4a954ec9a
SHA1b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a
SHA256792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da
SHA512076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionCheckpoints.json.tmp
Filesize259B
MD5700fe59d2eb10b8cd28525fcc46bc0cc
SHA1339badf0e1eba5332bff317d7cf8a41d5860390d
SHA2564f5d849bdf4a5eeeb5da8836589e064e31c8e94129d4e55b1c69a6f98fb9f9ea
SHA5123fa1b3fd4277d5900140e013b1035cb4c72065afcc6b6a8595b43101cfe7d09e75554a877e4a01bb80b0d7a58cdcfe553c4a9ef308c5695c5e77cb0ea99bada4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionCheckpoints.json.tmp
Filesize288B
MD5948a7403e323297c6bb8a5c791b42866
SHA188a555717e8a4a33eccfb7d47a2a4aa31038f9c0
SHA2562fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e
SHA51217e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionCheckpoints.json.tmp
Filesize122B
MD599601438ae1349b653fcd00278943f90
SHA18958d05e9362f6f0f3b616f7bfd0aeb5d37967c9
SHA25672d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a
SHA512ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize2KB
MD51edfb9a182c23c867632563c13be6b0b
SHA14e9305d2d8b0c9420bab3ec238ed246804933a46
SHA25622ebe0b3c7bddb34389dcbba048cf93739e5cb6f190b640eb57d638d43dd2bab
SHA512f02030a9200c0c96f5b0eb53c7c5976e4f0950e2f5dbb56cc57f026a56f71e7e857ab8e10941436b1d26994920f5563f438015cd458b3e1b8fcb089ce4dcb0a2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize1KB
MD508e0ecd7697ffefdfe4a90cdf45eb3af
SHA1ef9eba1483b74f7972f6bb222c771c9bd5130a34
SHA256e88238ad174aede1cd7dde423927860341501fe567bd801b067c4c6143be103b
SHA512acce093493a29fe14318a38ed74c00510c3804e6b9ee1ed434eeda5e452689ebd65c49748d1ac7a84ceb7a502b173f35f8e6769868b966a8f74b4d5d98de0c65
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize2KB
MD5d0fde98af85e77f7f2f63b37174e2a54
SHA1eda5d4f3474c3a7496c3d6d50dbf6ec35caae7b2
SHA256621a7f71287fb1c13caf48b8cfcb8dd12aa5b0420ef20a217b2022c4261807fc
SHA5125dd120c327e80104e1f5419003dabae7ebb04b1aa536f3f001b6e39db2f865846a489fb5e95ee75348ce25e033f05c5579c74c25f30bb8392a27d943555b5f7a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore.jsonlz4
Filesize2KB
MD5634c4b38460a8ffa3ea48360cdc1ec01
SHA107fe78fbef8f615c744285c52962a2647252b66e
SHA256824ea6e199b14d140493929ce5dbe82092f6721ef3a9f1c4c3df5fbdd5142041
SHA512d116ce7f56469cd6c91a5a11198ef0f2bf461095f77ccb7f20a1f992a41d9335701bb4465b14142771a01873909ab6ae82b3846f65c2c95b5612992091e33a5b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore.jsonlz4
Filesize897B
MD51aef34c490c564b2a5859ea059de9d04
SHA1262cd41d3b97cee3bf44ec83c2ba1995afb18069
SHA2566157da92aa50a386bf00c779b8e8379d34572d87b2138f4d9e280692d1a88dda
SHA512cf310a7f26a4cd9407a1937cfd538820d86c8c7ba13ec2f29c9bea60621f2a56cc93afd46009650ffdc52954d3f7e66efb0ca4d4daa9438e92f2750a0866cfdf
-
Filesize
4KB
MD5f3ef789d1431b684774ecbb5f4d9c0c9
SHA19b7bbe31b5b25ca799fbb43e5aaf7da59a5a74b8
SHA2560ddbabf403e90454eb41b1aedcc2a0ff91d6190a8301949e510739de96f9093c
SHA5121b699e89749a1b36df517b9e985e519f9f3c0815adf70d542dd2ac979305d4d65d4989a8ab4400a90e5f2f904312f23ab4ddfe9950d2e3bd7f848207e22e565e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\storage\default\https+++www.youtube.com\cache\morgue\11\{bd17c7a9-6bea-4906-9103-9893583e210b}.final
Filesize192B
MD52a252393b98be6348c4ba18003cc3471
SHA140f75302fcbe4a8ac2e33a8d9daf801abc2a9598
SHA25604cae3c7b208fc55b25763913d0bbdc99232942086efdf705f2a27764be6f5ee
SHA51207af4a7b0d10f1b5e1fe0877b21abc98483d78797608a1763cfb71e25559fdce10d20f03c16f4284d7ae7ab90266f45240425e3a264de9525ec1657345b85198
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\storage\default\https+++www.youtube.com\idb\3265427339yCt7-%iCt7-%r8e9sfp2o.sqlite
Filesize48KB
MD52a286d4b6d43df6aa5b27ba753a27083
SHA12b3453f760c96a9b64a09083483576d3c37c7b08
SHA2565c21fed5eba985da547e6775ab4a3fcf540bbd36d01e53ef3792a893a8636a97
SHA512a670973b4cdc57e40bd7011dacce9cc1547e2e4f79b34ca97d4e0d29cd88e3cdf6b3818b3b6be335bd250f13dbd2e0a58162e5e6ded16b1d26eed17ae1123fa7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
Filesize48KB
MD51d6ec695ec51166f0f2be27dc58d271f
SHA1a0c551a10bf58fe4fb851d42df9bd02e5ae6e380
SHA2565480bd50f39b04454f2d02bd2717d004d798655e5f10585d2441f6c18c2a6d3e
SHA5124a621d0f6bade8429e2b48bbb059e2e3885a9427b8e5b5621fe08bb0813c1b93f2ee2520976896929f720ebe412599463c25460469b27c607d282e14dd1f24d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize184KB
MD5637e42544bf4e4e5c858d87fceb302a2
SHA11d747ea0d89437cd39d02c76ed70df3b7c505ee1
SHA2565a519846989ec4eed303d9fe8b5554410b502177bb6b4199c6cf25290a4913c2
SHA512bde691d8015773707c4445155ba1ad419033c335bb11ca325b9c249e8aed83fefd096bab28806213ad368508e2a5be362c4a5a8038dae40246a8bf0a246cb8cb
-
Filesize
120B
MD505e1ddb4298be4c948c3ae839859c3e9
SHA1ea9195602eeed8d06644026809e07b3ad29335e5
SHA2561c2c5d5211674c3c8473e0589085499471399e53e9a85d7dd3b075fef6cbb6be
SHA5123177b48cd0c877821419d7e5eb247a4c899bc37258994f22257ceaafefb316e6f5959faae02e380e432d7752f0218d45d56d6878c1e751d201d9fdb3ff98612e
-
Filesize
551KB
MD532f6d302dd0a4b736f592ab69738aebc
SHA17f2f7f50a45cab253fef265701c560896f014d4e
SHA256cf9726b559d375ddf1c8dc3fbe6f97cd6fd352c7050b2975a8571773e8d8d705
SHA5129c585bb0041cd9d56c4d358b3922117fbe25423b888fb3a6b54bb141f0b11aba90df33bab81aafabefe81a374e8804eada5e1ad99484c4ade284c7e9ef8c6e18
-
Filesize
657KB
MD541c922e524bf33f91426616c4e898ee0
SHA181bdea82f7ab62fd3bb039c7e001764048052795
SHA256ff81c47a7401446a043907a10099f554851adb7306c2cabea1ab89f88791e4f1
SHA512a051576de3be2a208c79812e64240c29ea8ce7a2a8d56d5b6e3159ef0bed2e83fb5c0edb180b93c4e2b92d5f221e8381090a47f0b3646e6b47020b05c99b250c