Analysis
-
max time kernel
694s -
max time network
688s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
11-06-2024 15:23
Static task
static1
General
-
Target
-
Size
396KB
-
MD5
13f4b868603cf0dd6c32702d1bd858c9
-
SHA1
a595ab75e134f5616679be5f11deefdfaae1de15
-
SHA256
cae57a60c4d269cd1ca43ef143aedb8bfc4c09a7e4a689544883d05ce89406e7
-
SHA512
e0d7a81c9cdd15a4ef7c8a9492fffb2c520b28cebc54a139e1bffa5c523cf17dfb9ffe57188cf8843d74479df402306f4f0ce9fc09d87c7cca92aea287e5ff24
-
SSDEEP
12288:jANwRo+mv8QD4+0V16nkFkkk2kyW9EArjaccoH0qzh4:jAT8QE+kHW9EAr+fr4i
Malware Config
Signatures
-
Executes dropped EXE 20 IoCs
Processes:
Free YouTube Downloader.exeFree YouTube Downloader.exeFree YouTube Downloader.exeBox.exeBox.exeUninstall.exeUninstall.exeFree YouTube Downloader.exeBox.exeFree YouTube Downloader.exeFree YouTube Downloader.exeBox.exeBox.exeBox.exeBox.exeBox.exeBox.exeBox.exeBox.exeBox.exepid process 3012 Free YouTube Downloader.exe 5004 Free YouTube Downloader.exe 5044 Free YouTube Downloader.exe 1016 Box.exe 4728 Box.exe 2616 Uninstall.exe 4556 Uninstall.exe 4112 Free YouTube Downloader.exe 4320 Box.exe 2312 Free YouTube Downloader.exe 64 Free YouTube Downloader.exe 4688 Box.exe 596 Box.exe 4236 Box.exe 5160 Box.exe 5264 Box.exe 3656 Box.exe 1300 Box.exe 5572 Box.exe 5332 Box.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
[email protected]Uninstall.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe" [email protected] Key deleted \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run Uninstall.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
Processes:
flow ioc 97 camo.githubusercontent.com 115 raw.githubusercontent.com 116 raw.githubusercontent.com 117 raw.githubusercontent.com 118 raw.githubusercontent.com 87 camo.githubusercontent.com 89 camo.githubusercontent.com 91 camo.githubusercontent.com -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description ioc process File opened for modification \??\PhysicalDrive0 [email protected] -
Drops file in Windows directory 40 IoCs
Processes:
MicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdge.exetaskmgr.exetaskmgr.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe[email protected]MicrosoftEdge.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exesvchost.exeSecHealthUI.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exedescription ioc process File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdge.exe File created C:\Windows\rescache\_merged\4183903823\2290032291.pri taskmgr.exe File created C:\Windows\rescache\_merged\1601268389\715946058.pri taskmgr.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File opened for modification C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe [email protected] File created C:\Windows\rescache\_merged\4183903823\2290032291.pri taskmgr.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdge.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdge.exe File opened for modification C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe [email protected] File created C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini [email protected] File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\INF\netrasa.PNF svchost.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdge.exe File created C:\Windows\rescache\_merged\4272278488\2581520266.pri SecHealthUI.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\1601268389\715946058.pri taskmgr.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File created C:\Windows\INF\netsstpa.PNF svchost.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File opened for modification C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe [email protected] File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
svchost.exetaskmgr.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ svchost.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exefirefox.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe -
Processes:
browser_broker.exebrowser_broker.exebrowser_broker.exebrowser_broker.exebrowser_broker.exebrowser_broker.exebrowser_broker.exeMicrosoftEdgeCP.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe -
Modifies data under HKEY_USERS 2 IoCs
Processes:
svchost.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache svchost.exe -
Modifies registry class 64 IoCs
Processes:
MicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdge.exeMicrosoftEdge.exeMicrosoftEdge.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.execontrol.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{976432A9-04AA-4B71-80DE-D408A4CF0970} = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = f7a525a414bcda01 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{415C7CEF-F8AD-4C18-A1EC-FE2EDB39232F} = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\MrtCache MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{EE3CFD07-D4FF-4D50-AE34-332D7DF02CE0} = "0" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 82e4cfbc14bcda01 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings control.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore MicrosoftEdge.exe -
NTFS ADS 1 IoCs
Processes:
firefox.exedescription ioc process File created C:\Users\Admin\Downloads\MEMZ.zip:Zone.Identifier firefox.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 1780 [email protected] 3668 [email protected] 1780 [email protected] 3668 [email protected] 5076 [email protected] 3684 [email protected] 5076 [email protected] 3684 [email protected] 4952 [email protected] -
Suspicious behavior: LoadsDriver 6 IoCs
Processes:
pid 4 4 4 4 4 632 -
Suspicious behavior: MapViewOfSection 21 IoCs
Processes:
MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exepid process 5340 MicrosoftEdgeCP.exe 5340 MicrosoftEdgeCP.exe 5340 MicrosoftEdgeCP.exe 5340 MicrosoftEdgeCP.exe 5340 MicrosoftEdgeCP.exe 5340 MicrosoftEdgeCP.exe 5340 MicrosoftEdgeCP.exe 5340 MicrosoftEdgeCP.exe 32 MicrosoftEdgeCP.exe 32 MicrosoftEdgeCP.exe 5152 MicrosoftEdgeCP.exe 5152 MicrosoftEdgeCP.exe 4460 MicrosoftEdgeCP.exe 2796 MicrosoftEdgeCP.exe 5772 MicrosoftEdgeCP.exe 5772 MicrosoftEdgeCP.exe 2732 MicrosoftEdgeCP.exe 5768 MicrosoftEdgeCP.exe 5768 MicrosoftEdgeCP.exe 5768 MicrosoftEdgeCP.exe 5768 MicrosoftEdgeCP.exe -
Suspicious use of AdjustPrivilegeToken 44 IoCs
Processes:
taskmgr.exefirefox.exetaskmgr.exeMicrosoftEdgeCP.exeAUDIODG.EXEMicrosoftEdge.exesvchost.exeSpeechUXWiz.exedescription pid process Token: SeDebugPrivilege 4984 taskmgr.exe Token: SeSystemProfilePrivilege 4984 taskmgr.exe Token: SeCreateGlobalPrivilege 4984 taskmgr.exe Token: 33 4984 taskmgr.exe Token: SeIncBasePriorityPrivilege 4984 taskmgr.exe Token: SeDebugPrivilege 4912 firefox.exe Token: SeDebugPrivilege 4912 firefox.exe Token: SeDebugPrivilege 4912 firefox.exe Token: SeDebugPrivilege 4912 firefox.exe Token: SeDebugPrivilege 4912 firefox.exe Token: SeDebugPrivilege 4912 firefox.exe Token: SeDebugPrivilege 3352 taskmgr.exe Token: SeSystemProfilePrivilege 3352 taskmgr.exe Token: SeCreateGlobalPrivilege 3352 taskmgr.exe Token: 33 3352 taskmgr.exe Token: SeIncBasePriorityPrivilege 3352 taskmgr.exe Token: SeDebugPrivilege 5764 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 5764 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 5764 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 5764 MicrosoftEdgeCP.exe Token: 33 6020 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 6020 AUDIODG.EXE Token: SeDebugPrivilege 3116 MicrosoftEdge.exe Token: SeDebugPrivilege 3116 MicrosoftEdge.exe Token: SeShutdownPrivilege 1660 svchost.exe Token: SeCreatePagefilePrivilege 1660 svchost.exe Token: SeLoadDriverPrivilege 1660 svchost.exe Token: SeLoadDriverPrivilege 1660 svchost.exe Token: SeLoadDriverPrivilege 1660 svchost.exe Token: SeLoadDriverPrivilege 1660 svchost.exe Token: SeLoadDriverPrivilege 1660 svchost.exe Token: SeLoadDriverPrivilege 1660 svchost.exe Token: SeLoadDriverPrivilege 1660 svchost.exe Token: SeLoadDriverPrivilege 1660 svchost.exe Token: SeLoadDriverPrivilege 1660 svchost.exe Token: SeLoadDriverPrivilege 1660 svchost.exe Token: SeLoadDriverPrivilege 1660 svchost.exe Token: SeLoadDriverPrivilege 1660 svchost.exe Token: SeLoadDriverPrivilege 1660 svchost.exe Token: SeLoadDriverPrivilege 1660 svchost.exe Token: SeLoadDriverPrivilege 1660 svchost.exe Token: SeLoadDriverPrivilege 1660 svchost.exe Token: 33 4364 SpeechUXWiz.exe Token: SeIncBasePriorityPrivilege 4364 SpeechUXWiz.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
Free YouTube Downloader.exeFree YouTube Downloader.exeFree YouTube Downloader.exeBox.exepid process 3012 Free YouTube Downloader.exe 5004 Free YouTube Downloader.exe 5044 Free YouTube Downloader.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe 1016 Box.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
Free YouTube Downloader.exeFree YouTube Downloader.exeFree YouTube Downloader.exeFree YouTube Downloader.exetaskmgr.exepid process 3012 Free YouTube Downloader.exe 5004 Free YouTube Downloader.exe 5044 Free YouTube Downloader.exe 4112 Free YouTube Downloader.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe 4984 taskmgr.exe -
Suspicious use of SetWindowsHookEx 61 IoCs
Processes:
Uninstall.exeUninstall.exefirefox.exe[email protected][email protected][email protected][email protected][email protected][email protected][email protected][email protected][email protected]MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeOpenWith.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeSecHealthUI.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exewordpad.exeOpenWith.exepid process 2616 Uninstall.exe 4556 Uninstall.exe 4912 firefox.exe 4912 firefox.exe 4912 firefox.exe 4912 firefox.exe 2192 [email protected] 2540 [email protected] 752 [email protected] 3668 [email protected] 1780 [email protected] 4952 [email protected] 3684 [email protected] 5076 [email protected] 4928 [email protected] 3116 MicrosoftEdge.exe 5340 MicrosoftEdgeCP.exe 5764 MicrosoftEdgeCP.exe 5340 MicrosoftEdgeCP.exe 1264 MicrosoftEdgeCP.exe 5136 MicrosoftEdge.exe 32 MicrosoftEdgeCP.exe 32 MicrosoftEdgeCP.exe 5200 MicrosoftEdge.exe 5152 MicrosoftEdgeCP.exe 5152 MicrosoftEdgeCP.exe 4928 [email protected] 2108 MicrosoftEdge.exe 4460 MicrosoftEdgeCP.exe 4460 MicrosoftEdgeCP.exe 3416 MicrosoftEdge.exe 2796 MicrosoftEdgeCP.exe 2796 MicrosoftEdgeCP.exe 4928 [email protected] 5752 OpenWith.exe 4928 [email protected] 4124 MicrosoftEdge.exe 5772 MicrosoftEdgeCP.exe 5772 MicrosoftEdgeCP.exe 996 SecHealthUI.exe 4928 [email protected] 4928 [email protected] 2584 MicrosoftEdge.exe 2732 MicrosoftEdgeCP.exe 2732 MicrosoftEdgeCP.exe 4424 MicrosoftEdge.exe 5768 MicrosoftEdgeCP.exe 5768 MicrosoftEdgeCP.exe 4928 [email protected] 4928 [email protected] 4928 [email protected] 4928 [email protected] 5508 wordpad.exe 5508 wordpad.exe 5508 wordpad.exe 5508 wordpad.exe 5508 wordpad.exe 5508 wordpad.exe 4928 [email protected] 4928 [email protected] 3472 OpenWith.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process PID 1768 wrote to memory of 3012 1768 [email protected] Free YouTube Downloader.exe PID 1768 wrote to memory of 3012 1768 [email protected] Free YouTube Downloader.exe PID 2616 wrote to memory of 4556 2616 Uninstall.exe Uninstall.exe PID 2616 wrote to memory of 4556 2616 Uninstall.exe Uninstall.exe PID 2616 wrote to memory of 4556 2616 Uninstall.exe Uninstall.exe PID 1772 wrote to memory of 4912 1772 firefox.exe firefox.exe PID 1772 wrote to memory of 4912 1772 firefox.exe firefox.exe PID 1772 wrote to memory of 4912 1772 firefox.exe firefox.exe PID 1772 wrote to memory of 4912 1772 firefox.exe firefox.exe PID 1772 wrote to memory of 4912 1772 firefox.exe firefox.exe PID 1772 wrote to memory of 4912 1772 firefox.exe firefox.exe PID 1772 wrote to memory of 4912 1772 firefox.exe firefox.exe PID 1772 wrote to memory of 4912 1772 firefox.exe firefox.exe PID 1772 wrote to memory of 4912 1772 firefox.exe firefox.exe PID 1772 wrote to memory of 4912 1772 firefox.exe firefox.exe PID 1772 wrote to memory of 4912 1772 firefox.exe firefox.exe PID 4912 wrote to memory of 1052 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 1052 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe PID 4912 wrote to memory of 4208 4912 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3012
-
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5004
-
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5044
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3276
-
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:1016
-
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe" "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"1⤵
- Executes dropped EXE
PID:4728
-
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe" end2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4556
-
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"1⤵
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
PID:4112
-
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"1⤵
- Executes dropped EXE
PID:4320
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:4984
-
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"1⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"2⤵
- Executes dropped EXE
PID:596 -
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"2⤵
- Executes dropped EXE
PID:5160 -
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"2⤵
- Executes dropped EXE
PID:3656 -
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"2⤵
- Executes dropped EXE
PID:5572
-
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"1⤵
- Executes dropped EXE
PID:64 -
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"2⤵
- Executes dropped EXE
PID:4236 -
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"2⤵
- Executes dropped EXE
PID:5264 -
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"2⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"2⤵
- Executes dropped EXE
PID:5332
-
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"1⤵
- Executes dropped EXE
PID:4688
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4912.0.421375641\1742135201" -parentBuildID 20221007134813 -prefsHandle 1748 -prefMapHandle 1740 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b444f6be-def8-42c6-9138-bf248f02bb58} 4912 "\\.\pipe\gecko-crash-server-pipe.4912" 1828 29f8a1d5358 gpu3⤵PID:1052
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4912.1.1722765182\1779663181" -parentBuildID 20221007134813 -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8ceba36-d12e-4a90-9a7e-0cf096ffb02f} 4912 "\\.\pipe\gecko-crash-server-pipe.4912" 2184 29f8a1aeb58 socket3⤵
- Checks processor information in registry
PID:4208 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4912.2.2120995052\327944328" -childID 1 -isForBrowser -prefsHandle 2764 -prefMapHandle 2776 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4680794a-bd42-42f3-9c67-6f703b537060} 4912 "\\.\pipe\gecko-crash-server-pipe.4912" 2760 29f8a15ae58 tab3⤵PID:1824
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4912.3.315143362\932186378" -childID 2 -isForBrowser -prefsHandle 2768 -prefMapHandle 3432 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {05eb22d9-87e4-4372-9895-76f4cb7e27f2} 4912 "\\.\pipe\gecko-crash-server-pipe.4912" 3484 29ffee66858 tab3⤵PID:2196
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4912.4.1033068604\753315456" -childID 3 -isForBrowser -prefsHandle 3856 -prefMapHandle 3852 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e575878-dd7a-4a6a-b404-499f3dee2338} 4912 "\\.\pipe\gecko-crash-server-pipe.4912" 3872 29f8f543958 tab3⤵PID:3452
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4912.5.856365399\556600148" -childID 4 -isForBrowser -prefsHandle 4880 -prefMapHandle 4876 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {46ff734d-5bb2-45cc-b281-ab338955bf3c} 4912 "\\.\pipe\gecko-crash-server-pipe.4912" 4888 29f908ee358 tab3⤵PID:5004
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4912.6.1215387722\1567007870" -childID 5 -isForBrowser -prefsHandle 5016 -prefMapHandle 5020 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {09993376-0031-4e2a-82f4-257240e3ce14} 4912 "\\.\pipe\gecko-crash-server-pipe.4912" 5008 29f908efb58 tab3⤵PID:1916
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4912.7.155692162\529231728" -childID 6 -isForBrowser -prefsHandle 5216 -prefMapHandle 5220 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {00919f7a-b134-443f-8a72-d1df3ecf3c78} 4912 "\\.\pipe\gecko-crash-server-pipe.4912" 5208 29f908ecb58 tab3⤵PID:4020
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4912.8.2019552525\1871191409" -childID 7 -isForBrowser -prefsHandle 4700 -prefMapHandle 3220 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d0e0f90-fe75-4456-ba7f-3479057b0c85} 4912 "\\.\pipe\gecko-crash-server-pipe.4912" 3236 29f91d3f158 tab3⤵PID:3432
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4912.9.1549950828\249230110" -childID 8 -isForBrowser -prefsHandle 5628 -prefMapHandle 1612 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9174bc5a-e6e7-4eae-8594-2f27031943e8} 4912 "\\.\pipe\gecko-crash-server-pipe.4912" 4700 29f9295ae58 tab3⤵PID:4328
-
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]"1⤵
- Suspicious use of SetWindowsHookEx
PID:2192
-
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]"1⤵
- Suspicious use of SetWindowsHookEx
PID:2540
-
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]"1⤵
- Suspicious use of SetWindowsHookEx
PID:752 -
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3668 -
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1780 -
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4952 -
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5076 -
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3684 -
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]" /main2⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:4928 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" \note.txt3⤵PID:1944
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe"3⤵PID:5164
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"3⤵PID:5460
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"3⤵PID:5728
-
C:\Windows\SysWOW64\calc.exe"C:\Windows\System32\calc.exe"3⤵PID:5820
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe"3⤵
- Modifies registry class
PID:380 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"3⤵PID:436
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"3⤵PID:1620
-
C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:5508 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122884⤵PID:3416
-
C:\Windows\SysWOW64\calc.exe"C:\Windows\System32\calc.exe"3⤵PID:2824
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3352
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵PID:5208
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵PID:5428
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3116
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:5464
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:5340
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5764
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5772
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x3c81⤵
- Suspicious use of AdjustPrivilegeToken
PID:6020
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1264
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5136
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:5020
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:32
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:6088
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5200
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:5100
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:5152
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
PID:1092
-
C:\Windows\System32\SystemSettingsBroker.exeC:\Windows\System32\SystemSettingsBroker.exe -Embedding1⤵PID:5260
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s SstpSvc1⤵PID:5624
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc1⤵PID:5384
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3992
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1660
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s RasMan1⤵PID:1560
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2108
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:5376
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4460
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
PID:4056
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3416
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:1372
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2796
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
PID:4744
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
PID:5752
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4124
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:5268
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:5772
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
PID:5908
-
C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:996
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵PID:5396
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵PID:396
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:956
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5304
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2584
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵PID:3016
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2732
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5088
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4424
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:3628
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:5768
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5908
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4708
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵PID:2000
-
C:\Windows\Speech\Common\sapisvr.exe"C:\Windows\Speech\Common\sapisvr.exe" -SpeechUX1⤵PID:6104
-
C:\Windows\system32\Speech\SpeechUX\SpeechUXWiz.exe"C:\Windows\system32\Speech\SpeechUX\SpeechUXWiz.exe" UserEnrollment,en-US,HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech\RecoProfiles\Tokens\{B9DE3ED6-BDDF-42E8-B88A-53FB3F92D8F1},65552,0,""2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4364
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
PID:5272
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
PID:3472
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
74KB
MD5d4fc49dc14f63895d997fa4940f24378
SHA13efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a
-
Filesize
171KB
MD530ec43ce86e297c1ee42df6209f5b18f
SHA1fe0a5ea6566502081cb23b2f0e91a3ab166aeed6
SHA2568ccddf0c77743a42067782bc7782321330406a752f58fb15fb1cd446e1ef0ee4
SHA51219e5a7197a92eeef0482142cfe0fb46f16ddfb5bf6d64e372e7258fa6d01cf9a1fac9f7258fd2fd73c0f8a064b8d79b51a1ec6d29bbb9b04cdbd926352388bae
-
Filesize
2KB
MD5b8da5aac926bbaec818b15f56bb5d7f6
SHA12b5bf97cd59e82c7ea96c31cf9998fbbf4884dc5
SHA2565be5216ae1d0aed64986299528f4d4fe629067d5f4097b8e4b9d1c6bcf4f3086
SHA512c39a28d58fb03f4f491bf9122a86a5cbe7677ec2856cf588f6263fa1f84f9ffc1e21b9bcaa60d290356f9018fb84375db532c8b678cf95cc0a2cc6ed8da89436
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\18J4QIHC\MeControl_v6QmZT1KIHvYorogrcRgqA2[1].js
Filesize16KB
MD5bfa426653d4a207bd8a2ba20adc460a8
SHA11c3777307ca89baffe14769945eb2215c0c2700e
SHA256f07fdce076d91c554de135674b5ea92a3b72348d33c72d43f93e7ff9a5bfa490
SHA51256643373ee5af3f6f1ec20da41998b99a5d311aa9b550492683e2ea2a07146939e3abec9c10b525f5a312bbe2b6152d6c8ec3b9e2174c79c316cf21db764c8ee
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\18J4QIHC\wcp-consent[1].js
Filesize272KB
MD55f524e20ce61f542125454baf867c47b
SHA17e9834fd30dcfd27532ce79165344a438c31d78b
SHA256c688d3f2135b6b51617a306a0b1a665324402a00a6bceba475881af281503ad9
SHA512224a6e2961c75be0236140fed3606507bca49eb10cb13f7df2bcfbb3b12ebeced7107de7aa8b2b2bb3fc2aa07cd4f057739735c040ef908381be5bc86e0479b2
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\AGT29K55\js[1].js
Filesize277KB
MD5e1071235219132ed39558b4b6ebdf269
SHA12d60688ad86c9439ea54527518b6a9c3f30c6e77
SHA256257a9f419ad9955e5d2b79191dd9d06491041e16a500259e38d05ff301149f10
SHA512acd0b3294c441f5b3d0a71caee993af3b7026d3092187b2e59a00033a798dc70f3f3a8045e868089844a47d4815dd12bcbf8ca19a12eb6645269beeec23247ee
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\V6FNNLLL\answers.microsoft[1].xml
Filesize13B
MD5c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA135e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA5126be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\65ES3H0J\favicon[1].ico
Filesize4KB
MD5b939aee911231447cbd2e3ff044b3cce
SHA10f79060358bea92b93ded65860ffbc9ecae3dc14
SHA256f35fe126f90cecbb6addd79308e296e8409dbebf6bc589c31749e67713e9bb3c
SHA5128053232364d54966f4b8acdf9af61a1366bae09789d6a76b8e723d7c3f96287460248eda12083795766809569527f4821f7e87ca4a644ae900c3df33002c9977
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\65ES3H0J\suggestions[1].en-US
Filesize17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\H4BZ5K4X\PCOP[1].ico
Filesize6KB
MD56303f12d8874cff180eecf8f113f75e9
SHA1f68c3b96b039a05a77657a76f4330482877dc047
SHA256cd2756b9a2e47b55a7e8e6b6ab2ca63392ed8b6ff400b8d2c99d061b9a4a615e
SHA5126c0c234b9249ed2d755faf2d568c88e6f3db3665df59f4817684b78aaa03edaf1adc72a589d7168e0d706ddf4db2d6e69c6b25a317648bdedf5b1b4ab2ab92c5
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\JODXNRY6\favicon[1].ico
Filesize758B
MD584cc977d0eb148166481b01d8418e375
SHA100e2461bcd67d7ba511db230415000aefbd30d2d
SHA256bbf8da37d92138cc08ffeec8e3379c334988d5ae99f4415579999bfbbb57a66c
SHA512f47a507077f9173fb07ec200c2677ba5f783d645be100f12efe71f701a74272a98e853c4fab63740d685853935d545730992d0004c9d2fe8e1965445cab509c3
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\U0U3T4VY\b80692[1].ico
Filesize1KB
MD5ac0cd867e03ed914827807d4715bdfe7
SHA14051a8c23756c10d9cc00fcde6f7215c780fdf6f
SHA256b50546da121186fbffd2aec430249cb21c7c2e2c85e561a393a9df9abfc4477c
SHA512fa11d1d76c39719c218b4ffa34de8dd44d398bdcbb236a666f0be6eeee96bcbe4da9ac65a89441ad284c0de21788c135dc4fd21f6f82c7039f00c8a7c705c8e2
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\U0U3T4VY\favicon[1].ico
Filesize5KB
MD5f3418a443e7d841097c714d69ec4bcb8
SHA149263695f6b0cdd72f45cf1b775e660fdc36c606
SHA2566da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA51282d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log
Filesize512KB
MD5b4b4201fe05ed105782af69160691843
SHA194ed60e21b2bbcc11c74a82e5a4f0b8dbacdf4a1
SHA2562be4864f963739dd6b336572aca9639d50eaefe0ad1cd6f9366324ee003ab526
SHA5129d9120a9c78a1e945b30b753f807f541fbd3fad2005bbff47ab507bde47a5268d6b68c89dd63fa61bd2722cc3d5ee38cdadcd2d2d8ce26e916fa50cc4bad4b16
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF02D5BF1AF0A61ACF.TMP
Filesize24KB
MD53cb73187f095a480743da38333f0e29f
SHA114f7228c55a3125664cef1acbdabad0a68bc3970
SHA256efbb438d7aea9fffef9aa6178b704286411cf69870d47485bf289b9bff0bcaae
SHA5122ba160bd0120ce5704142f0cead33aed12f0a9ed2973085a05a0b91099bf9acadd24d7efb610c51cf34afaa9f227fa3845c340cacc13cfe819bdc8ef23eeba31
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize1KB
MD555d13419ef7e00979888e1f36e85667c
SHA19213fd7f1bfe3399f11d8ce56516c9ecfaef50c3
SHA25699a431ec4372e147cbb89b186806b63791ccac196e7c21362affa2da3dea5883
SHA5124cfbbde7606ea5d8c56ab0a540ef2c4c84d3feabf5b694d41838f00cde9fddac90cac1a2d095f53ca597288a48adbf080f1196fe4c179e5b86be7b6ba4968da5
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_5E390E1CA50E646B1021D6CAA485D322
Filesize471B
MD5837922a3aef2726e8274fd56034fa4a3
SHA1d8da55042c6766da2a83374d8f1bcfad9a4b7288
SHA25686dcf75b1bc623705bcb2cbcf5e24d5a67d993660c4153becd0478008ae46f7a
SHA512944668386a36856b556804ed7c83cfc930c5c26a180bcb47b8944247ab4190ead7bbf5dadfd0ff8a4cd7a5443ee5f04f0d7c232e1eebf77cfd43765bc113034d
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize471B
MD5b8bbc463c1cce84a304e9fdbc64d819a
SHA1bf92d1d96c04e7a06787b314c9ab947e473c049d
SHA256a264172c1f386ad788d6723365584799cd5775f339d06599dcc52e971e0cb3ce
SHA5129a6ecd73a1922bb6ea1cb1982df940d04d7dfd51b988d28c540e1a8629b37b748907cdc047a656fcda78f93519e1380695196a0271bcc0d1b2e63724dc3c87db
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize724B
MD5ac89a852c2aaa3d389b2d2dd312ad367
SHA18f421dd6493c61dbda6b839e2debb7b50a20c930
SHA2560b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45
SHA512c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Filesize471B
MD5c8516a74e879ccc135d6607c07de9c3f
SHA134565a9a50cb7cf9ad973131c2eecc3cf7ebd487
SHA256b689a915a75f5af1e69c557c565b595fedeec09fb3bd96f41633e39e04ecd73b
SHA512379e624f55eda7ef1df73bcfa4f0c61974b0b59662c8e2440aa2e0e72b149689928be14182ed2a57bdcbac596639da708464036f21de074bb77c3fa2dcf04543
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize410B
MD5e66f00e331c8d91185551e8d4991b197
SHA16619025746726c5b2dde1fc1920aca3af26dacfe
SHA256b2ae249ef5a5248f5f3abbd3fdf950d8739ffba2ae50ac0518d46d1db6af3971
SHA512272082afb5856dd616e9b7761f2edd5bf2946dfebb27e184be7e5903108753401e48059123298e2b90c4a83179d3ec7a3ee7896d70b3318b761653cf74095f2c
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_5E390E1CA50E646B1021D6CAA485D322
Filesize406B
MD5f6516171928772353e96e616066ed148
SHA1e9f48270bb19007202ae540888c6d84285b623c6
SHA256e7de2b00f53f92ab7b59d657dee8d490c49c4ea28f936d796776a1c80ea274f0
SHA5123eb023088da9fb53326990313b7a8c483628156aa632a1e6ab30824edc0ee475f8db04c8be45d428a35ed66e5f878a8164ea95bc9cedb04c463350391230fa16
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize400B
MD5007d71d0775cde7636ae7932473163c6
SHA1410f3510aaddcb1342e9f3d927371aecb7d86bd7
SHA256a232dd3ac0d02966d8782b3ae7c412dd82b4bdaae9524c2647b2f1003a6370b3
SHA512af7d3addcf96da57d92f557efa364ccb3b0651200f45669d64f047fc7f05a0aa014dc34d67a023868b1e173d198ad0a59404c4613c04cb5edd89413e1fac7290
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize392B
MD5a9bbe67bc23d2da5891604b0bd687237
SHA1449e12c49fed488553cf5b8b7dafea83e6e2b1d9
SHA256a5ad8e6026a87d347b220b0e9ed8afabc0201262f56db70442b31fbe682de065
SHA512ad00328362c95d30f06b373dbbe020c5e55bc86ff39da6743614d44e3941fcc0011be303840f2e1da212120dfd882463d6ae3319b28deafa57cad27a7b5ad835
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Filesize412B
MD5f476d3b7b941b215fc57645e5ceb93dc
SHA1d5b5328f01c274b64ed7081273cacea39adc95d4
SHA2565bbc6a441903100177735157d750d0ccd9f7162c7b6bc2c49a7e332b742896d9
SHA51259d359d47b50c79d259f5c077e486cb9bf129776596b448fe21cc182134eef20ae8dbfc46aa4a55a8d650fa51a8dd0acdce4ba491375d3ac15824908749b71a8
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log
Filesize512KB
MD5ce1b29b23248c9dd497a5d0ad49497ec
SHA18e01fde217c598b905bbcd1446055c2d1d4242cc
SHA2564e12b5b35c989de56293059fe72f8d049b9cfb59efa6de6cfc5b9fed2d99289c
SHA512abea3cb32c4070898ffab0cb412f0cff58ac6ef189d575fc406680f5bd8700f0e577bfbddf28deb22c88f3158ac7a025c1edbed36ec99f630337101df9162eb9
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log
Filesize512KB
MD5f3d528bc857ea4223d857d1c18cb9b6c
SHA11f14bf0a6504c3df691cb86e1c2937c14d139be4
SHA25670d2e1b92678ae6cb0832a28ddeb04b2af40c3ff28e61d4050f92ab26a6835bb
SHA512e4ee9fa39a9880c9a81baa414dfe2ae92063cd0603deb4d6aa58718029a94866fa4b1220282867a0ee469b92c0e4b57100b570c0f054998938d7d853d6e15bc5
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log
Filesize512KB
MD5719f454da0c9224afccd583ab93b16ab
SHA1b803f2647899d9f8ff5c58ec2daf65fa8880affd
SHA25674c4f4b9a81d46987fe9671682d4988855e50301f47463fd818b83dbfaa690fd
SHA5122692b881e418e16dbee29fbfc4fab93d62734431b060cd4143451100f485fc48defceb874e20caa012dfe5129dd5768102c80b98351fd7f8caa2cd987c2a5064
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk
Filesize8KB
MD5bd01ac722c82ee062e1393b9c8b0c0f2
SHA19f4d2b0ed5bd1fef9b8dcdae06b5d8cbcfb6571d
SHA256be49b971cf6c580322a8079ff677b2385c75a9fa3c68dcb6fe41084b2e769a99
SHA5123142f019423c5e68a8f5ae90c45a86d0d44f36526332e820ebac2452b660e7e39dfc5b5eae5098ba03dab351df894682fd46ca0527c4c201aa36de82b445d3d7
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk
Filesize8KB
MD50523bab43d9466af2fe9c8c6a6766d46
SHA15b3ad67789e4d5015e51e99de3842759a790fb46
SHA2568777ef29433477eace85409191673a2d5585a3b6a9d77e7c307c44521eff3047
SHA5126a194aa71bf691ec76b9793ea2d23be7bd6b8841edbfa8dfab8ca74ea5ff140328be3fd250dbd6c8973e02d9175c6954f793ab941f24f38af05e3a4965da1b09
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk
Filesize8KB
MD57d91d20f531438a7532820a10e3a6be5
SHA1cbeb808a38d0a3e2854f16b514649fad16f2ee2f
SHA2560c23d58d4cf74581bc7b4a6eb42916a711c18a23a322d4cb51c7a1d87f0c33c3
SHA51207750a9ed24b3fbdaa0975a684b3d16276599aaabe62f46088f0f1292c01859b8435ec8b160c21eba65deffb4e1f25d37565f01ca2a6d637e1a3b546440d7ab8
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk
Filesize8KB
MD5c79e9949b316c4a4488bcd1c34350b83
SHA13931715d0346ea20715714526c41a30d659d97f1
SHA2569ba90b6e71288aa82de201e83cd5ca46713d9540a7df8cc79a1f5054d8ad1293
SHA5124fd4b882e06a7795fb26d47efbc0ddfa9f1d2dc17d263c51630b00581260c482ccbfe10d30886f6eebb1afba61cdf696cf0827bd06c14536d2a02dc379e21867
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb
Filesize2.0MB
MD5beecd1bf71ce15ab9fa4238801864453
SHA1c0693a0c94d482791497fe7bfbace21368e16175
SHA2569c0c90a188bd7e719c6c75038c335f705f935497134f3fb9a75251bbb78c18c8
SHA512c51ef19352c4517cf1dd2bfa601dd5426a2ca89d956c536a6f651644afc599b4a826b4bbaacaa7bbdedef2d0abe8586671fe47f7dff46f1f0a9e1665ff1ee63a
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb
Filesize2.0MB
MD5cf55cb9e7c1c4d8b973ad1ebadf8c241
SHA1da1be5fb7cf6f36c0897426efb0b411bf5d0138c
SHA256673e220173199a5623f8b44086010256a1a32c4c1dbdf0d0efa9bac3eca81f80
SHA512e2f69dfb2345c8fcedb069e85a6c610f114d6f12756fb1d30a111cf60aea10b6c101c6426e2b58325820e5f55580c347fd9da98afb4e839c9cce0fc44d37c482
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb
Filesize2.0MB
MD5d3f745047e48dd1706a607210d458ad6
SHA1f69cdc299ad8c67043739865a8c3e26964a26c6b
SHA256aabb88f8805b94ea8199ce8a5e722acdcb38d24f4a82d064a311f54ce9f34b45
SHA5128b547cfe7d8103def2e80c9023d3e09e19c1b1b61e9a807e06091ec5317f51f8bdf56f5385fa3a27dfb2f9108e11e390f0ac478c544a84790657b6a440b34b48
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm
Filesize16KB
MD576c79d0c7ebf3a81345f7c8cfd1645b5
SHA1b6ba6f75a89adbb4fe95401be5472e669bfa60db
SHA25635a24ad8516ad334cda7cbc953938b3a2eee81a5d1e9e1aa4d48daec0cdfea16
SHA5125b292dddd00faa1130003deae8557b539b3387ef14b81dfcb1d4ff6b5482a39419f165a63b25de0a30749624b93f840cefc470f616e3ba2d9fc737877f6ed7e7
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm
Filesize16KB
MD538695bc5913878e88fb9c2516b4903ca
SHA1fde98669109fac2f4809e69df42909ecee3c8efb
SHA25676f7cc2b83ed76cfd2e924ab3efd303d8ed0ebf53b667ec99a0130151d8beaee
SHA5122cf558030a71f8062680f634d90a4bd8dd24c208fd31ae4c32e1c1ed7715e96f18b28fdd6f4369e814eb3d46fdea60199c93c5e9fde6a1b585df1a3fb7e3af73
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm
Filesize16KB
MD549c490971cbcfaf5a1bbe85c15066631
SHA1f49478d8653d1ff56bc618659b0fe47411f15102
SHA2569cc6b9889f37dc9f1a9ad22d9d55081bb2d9fd068ceddd2673057b59193422e7
SHA512984c126d1846b31f4475f19697a78f25657942f894d707b588c8c18a92a005cc389e3ae0e070ae1f6186c375c8e7123e73df642c64fb2fc5ef7cea6346ed681f
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\ImageStore\3lcf90e\imagestore.dat
Filesize6KB
MD51244bfbcc0b2076f0dd0d00eb5ea7bb2
SHA15000efe46cf42b4fb5700fdd3bcf1ef1fae83080
SHA256db1759f1aaedb0dc132e5c9cf7d06fa1150b39ada5ec4d185bbe5154bb3cede4
SHA512f73724f3ea9d449be6d24d2b04a2bd79cec61150f07fcc235b6ee5509596e5d8e73f65ea44fc72cc1772cdc336c18a7bf631a32acc47d52067a5083569c5ab35
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\ImageStore\3lcf90e\imagestore.dat
Filesize11KB
MD5af70861e97d1ca7386e5d5d6743491b4
SHA180506cbfb70a21a1c8d827130550691348494b33
SHA2561079eca91d68f524c16b21705d1c025dab4eee0bab2e648bbb5d7905ce6706b5
SHA512eecbf912364e2cd21d4e5d096ca4ca96890f3024b493c8a7a4998ad37e06edee72e4eaa88b04cd30905b5bd37a12896bdaf02e13639cfe57dc78d52f16e1845a
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{49923839-2FB1-4D4D-98DA-19B7E363DE75}.dat
Filesize5KB
MD56da8637b774513e843e6dbf6602951ad
SHA1f9470e2fcadba961ac4aaa474a720e62e026710f
SHA256f87abaa6bd93c81fbe53acca0946ab36fbb567ba052597c13bcac4d0c3eb7358
SHA512b6dd1ef74af7c10ae8bbd98dab1321521cd6e3b52decbdaade7cdda838b49042a58d1dbc62866902fee58bb91d139c43af486f493e8d4cf62c0886df15e43bd9
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{976432A9-04AA-4B71-80DE-D408A4CF0970}.dat
Filesize4KB
MD50af159212bc4e1c571b2597df9b33153
SHA1def10106c5a0170a945177b47069ede63b1f2cae
SHA2568226059ab2182073fdeeba6650e458f736230cc1e2037fedc10bdd67331c5ef0
SHA512a057ffe8d63378407b927bc06ddd519bd7818d2991682b9e687571fa7daee162b56476a8395c1af967ab39fcadca462c515d368551f0b7c1085304490a43585d
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{EE3CFD07-D4FF-4D50-AE34-332D7DF02CE0}.dat
Filesize4KB
MD561cda172bc1fda88075d379887bd7b3a
SHA1097567d470361404ba65ba50448f9214a4d559eb
SHA256fa20b328826fc3b07d6b2c5cf08dcfc4e18fe99c2f644e290d44a2ff68b787d0
SHA51222d602f928698ef6ca943738bbfe336b6bda39ef9a69c0673da1ffee61f7f6e3c5a9b6226cd128ecdbdcfb869dbb2b78284df601885acf513197ac7ae0c4293b
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{099E7469-D943-4484-B22A-7ABB23916706}.dat
Filesize29KB
MD5f145c4db62aee02d73b1de097acd22d2
SHA1d71e050e32687c6bb4f15e4144867372784512e8
SHA2567751bbb5d7c4177514e9a2c37974928de95065c75590a0aa4130ac9fc6708a18
SHA512893f03768094423c6f02b0bccf14fc3b6ea9b5d2e2ac820e9222b910f88af7e6310e896bbdf9b02c2d66c5cff47056027de1a9b6c80e8b0e46cc483530ac6d77
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{1B4D61C6-526C-4E0B-9373-C1EFCD4E24AC}.dat
Filesize7KB
MD55320935c90f74ced113a2aa727ea86ae
SHA1e16223d253c4dd42443b850586395c74e95933d0
SHA256a40e91b18f75e56a7547fb8f3d2bdf2db2afbd9fc23567b7bca5e685e00a5893
SHA5120ecef51b58152d4a881b2da0e335cdb9cdb8bdb51d1866742f9acff8440e2be8cc15ff74e6ef06032b4d9e3ba8ae59b5f586d68ac764237d5a798177bd67c961
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{1EBC532C-FE3B-4329-952A-FA3AB59DDBAC}.dat
Filesize5KB
MD5449ba2f08a30fc9dea5b9f69704871d4
SHA1deae9d3eae0c0845396a356addcbdc97eec3ced4
SHA256ad6f852673c5abda9816f850f9ee1669225dbcb0c66912b4648da9dfa0d417ff
SHA5128ac9fb74a299dd65482b615d74257f416da0bca400265252c1534e1ae44b84aecbc78b0cbbf0962e23a4a1aecd8208cbff5302ddc52157b8e8245f2f7ca48e63
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{2BB5529A-C43B-41C2-8942-9127DC9C62C3}.dat
Filesize5KB
MD599c50e4d7526c5e4e23ca0434a3cc1ff
SHA164a535535ffc2b4328d2d9c47224a765053a1731
SHA2564a46a8d6e1a7b2bd0cf1543492e476224107fead628c78b4f117864efdfcb0ef
SHA512c873e3b4fb7bdc34e1df3df75dc45d5de3a17e3c3c265b6e4a3be0848fb2201707eebf35259bb960e80655b294c63a4455e5647f06928e4a393336e30e90699b
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{8A93F331-1FDE-47F9-81DA-9893C351D70E}.dat
Filesize11KB
MD5e892deebbb7c8daf1d3503285ef0dad8
SHA15884f56022cec2b18a64fb931bdf98887cd8ffc5
SHA2564400cfdd781d589be8af29e912da11effca3b36eefbcc109a538f4bf7b753a91
SHA5120a0c80df9d28479704eff871ac3a9cde4e781e42e51025df845f0dbf158dbc45fb6b68d863af4e4632247b929673cafa2c4eb9830c44e79eb996c2ecfb3e418e
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{9D0188A9-89FB-4AD1-B14B-527785ACA21F}.dat
Filesize15KB
MD5da381bf7c67ad23f459d3b66b3f3f002
SHA1887f841c598a5a0ec86046195351270d65c059a6
SHA256f3a482d521f034d230ea4f42d3da9770ab140c98fcabf649352a33e996b7074c
SHA51238e6c5ca8c62951ca2ceda60f99016ed175810fd088bc387bf5691f8e2d17ff5674451c32d3621295f91b738d9917663f35f713b002e39162333a79bc4acf08b
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{E7B753F2-BEF0-4F25-9A10-E64BB336C255}.dat
Filesize6KB
MD5dd51305e36bac51420506abd2d293f69
SHA1ac546dd38575070b2a0119c1e1dd0c91c2cb7af2
SHA25634e51553e58cd915b4e01acd2b7f66a1b4dbd803e497ac99ccda1a7eb9aad7ff
SHA51208a38382efe40fa2b5df51874d755626ca9f6ae77681cd3f46515da29fd76daaf6b43f3fbb1bc4ad9adf3d36a8d6a82062450fb0e814a95c104d30bce15b20b8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD5053f6e158b092d6401ad0b8a112e8a1f
SHA1bedb4037b906b78aadc787b15d76b6558552aaef
SHA256ed04b7fbe6735dbc1b5ef3420e849ee93fb8900b84aa83db1a8e6ea4c811f3b0
SHA5126e57dc5baa60a61d93298c23e7d44c8165d68d62d1913b8a5ab010c229ef42d959dc10d736a11d9b3c738ec8791d196ad14b916cd0e58ec6bd4bced2b09d05b5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\93ecbd7c-67df-432d-b313-7c4658d1ad66
Filesize746B
MD56226cfe67c5ca79cd1e9f5f32d54e587
SHA159805ea585a6e0b8985dfcb06d349e9b7877b6c5
SHA256caaad8b73943365a429eff39c261620db6e29fd95403738dc27ab540c68cdd8c
SHA51254467e6a0e9c719500b62b45387f8fcc6c73f976e01389366d91f3bfa4e846748cf7d88be8af54788bdf44a8acfcb39245c0741ed6386c80ad3ec2115290c589
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\df39960d-59ed-4dad-90e3-79a6376c54c1
Filesize10KB
MD50cfd20d63c3f278271cd22052d4da776
SHA1e77b22a85b502926c87da5557b437270123fb0d7
SHA2564b0707979c233615e2edc7f5a68056e9e5e18676a0058d8d9656055ed52bc0cc
SHA512a042081b60d36055e6f64c125daa0b921d015a00314a5a4574d64ce101be862f5c9acd9575f8ab2202f6b4f72cda6b895c931fc610c709f103db060347da0ade
-
Filesize
6KB
MD5bb6d42697b3e5513380e5abcf088a882
SHA1ba7394ed1db7803b412110f6e9bbb29d9abb99cc
SHA256d95682ca96db91bf93765c4ecea50fa243ad768a1095b9ea929fe1c80a5e613a
SHA512f7c95a8aa22f68a119feef31d79c66a6fd9da61be6e06fa4cada93acfb9841e96fa3b974b667fe14cc2460657ae964356c4bc19ccabbdbabbf9feabd985b88d0
-
Filesize
6KB
MD53a1fd290c31688ddf6b008144423af32
SHA1f5c1cec11b8c0c95ad69985f32a4eec4cab1f67b
SHA2564010f482511c036e732be6ce3d30bf976e46a231e839c7466fa09592a210b807
SHA51277ba76297cb84c3119ced9ee80c6efb08a7c5eaa7af9a997c03e22a562be831ed22c0a8201d344640b5169f6a82372ea9d585461ea180887cea5339dc439f654
-
Filesize
6KB
MD5e47881cc860d03c1725a51abfff28c7d
SHA1a70882129652804bb4649b1bb8f3dc10a9fc2fb1
SHA256a0fa37599a77dc241546b47f90b72fd01d61cf6cdb9f38b25d71f7090ad8010b
SHA5121c0fb2b3a8f11d81ff3a301568c4da1aaa145242728001480794eac348465d18879e1d97cdcbbb3dd15fa1dc32096c0b047de87f77806d847d070ec0fd564629
-
Filesize
6KB
MD54791cb35401e54ee9422fd869ccedcb8
SHA1a7b28a19a29b3fe62ca15f4f01fc45999af1bdff
SHA2561cbf3a1edac5b03b6a98c268613d2c66b76a13cbdadf9b9703b09386b66ce5ed
SHA51205c2675a05a34511dd312a6b53da78c5e7d731451e4c1ea8bab7600a48fc852f5ff6f0d4fe1b57e6b86c8defa974927ddab7093e8dfb6387cb8b12295ec30e1f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionCheckpoints.json
Filesize259B
MD5e6c20f53d6714067f2b49d0e9ba8030e
SHA1f516dc1084cdd8302b3e7f7167b905e603b6f04f
SHA25650a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092
SHA512462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
Filesize3KB
MD5520e436c3a8ff64ede3767c19a96e154
SHA133895a23833102547208d7cbbb99d78c743f620c
SHA256a1d5cef544eac314c146ed64be3047bf49f2d728cb54a20174ed786232696d09
SHA5127543c9ff218ce03f1312495f43d6f07691e1ce66d84bffa49d6c480b77769df6ef41d4d92ce770e29d5315745f3f84cac10e82e27f4deedbc5a90b4eb141c679
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD56681a05a342c6bea9c670449943639bd
SHA17964aa1378f5aa5ae37d15427e697055dcfcb924
SHA25697e063048f87df0a3ba4965f4312d12592c55248f2024c9f7d72cd21aa34f202
SHA512d2f8c7ae3e6f8dfb4b79b100011d33995fd80344294e139fa8283ff6c27b105a4adefed553bf6afd030a09825012083cd49e9db1fb0580e2253ee692b36d5d82
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
Filesize3KB
MD50c30e8bc2f41f59d2d82521c770d1805
SHA16ac7e24af7248d9cf401843be3435e172440331c
SHA256a1b0c577f4d31bb97fad930ee6e6e8e8bd2acae3d33e8c27a840fa7aef8a48a1
SHA51296bae94a849bfb959d06e1935b96159f1ec8fb0085c01205198cda5effd624d706bfad1477bb423614d3f778e952bc4625949b8e7658672cde9516f9989b29c9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD55a3697e4f72da4d938b9381acfa0ca0e
SHA11ec2abb9f25f85a96adff72dbb49503dd54cdb64
SHA256e5248db832b6a12c3477cf419cb87791402eb9639d9bd56b6164130b109ac5ba
SHA51212ceead63008ba3f5382b6737e8625f30f245a1cf202547ff49528efe7a7b50e4152c25c25d58f7bf3cf4e4585ba589ece53f13bd1cff996e22119d03544510a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore.jsonlz4
Filesize4KB
MD51aa39b8424b290e2df9e68a3d319ded8
SHA13e5d006bea8cf842dbfbc305a83fbbe367f1b259
SHA2566a7b593fb6fc8e0d1199a9dea1f60332d1ee6718867270879be11fa95056e7fe
SHA512d8de80b618bf82028bd5c4fc8b2c5b7e7a3bf630512c1953ba4fc870080cb80c411d3ce15595c327b47cf34896da448b4a41ea58792a7e737ae636cf9805ac0c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize184KB
MD50ed2663971e8051b2bcb574926400fa8
SHA1467756bf41c377bdb07c8be10d5391f1df1d80a7
SHA2560c44c9887ebd30506041e4f483422673660df0b74c7468b0cab2c69bee1f4e8c
SHA512e521f02d0a4dc70e3bb33747c5113c76f18f15b4370826ef13700c4f559c8b158ed1d8ef79d7d88794bfea61496a75d653237391f2f8b5e53d8574a21f113898
-
Filesize
2KB
MD5882c6e1ee782e921cccb8c699eb26a90
SHA1303d08c4f3455ab2a62fe4ab4686bff06acb5c00
SHA2564c11bd26f55c3f667d520fa52649f6042e8d072676020f4fb7c70ea49a233aba
SHA512dab61f0d9d437f63efe99a53e9a2f83638b73a22798da4dcad6ac9788d365306ebaa3ad3accb7e2a6085c5f13582d09b675023d1d3d7f7e35e925dac2357a609
-
Filesize
8KB
MD569977a5d1c648976d47b69ea3aa8fcaa
SHA14630cc15000c0d3149350b9ecda6cfc8f402938a
SHA25661ca4d8dd992c763b47bebb9b5facb68a59ff0a594c2ff215aa4143b593ae9dc
SHA512ba0671c72cd4209fabe0ee241b71e95bd9d8e78d77a893c94f87de5735fd10ea8b389cf4c48462910042c312ddff2f527999cd2f845d0c19a8673dbceda369fd
-
Filesize
438KB
MD51bb4dd43a8aebc8f3b53acd05e31d5b5
SHA154cd1a4a505b301df636903b2293d995d560887e
SHA256a2380a5f503bc6f5fcfd4c72e5b807df0740a60a298e8686bf6454f92e5d3c02
SHA51294c70d592e806bb426760f61122b8321e8dc5cff7f793d51f9d5650821c502c43096f41d3e61207ca6989df5bfdbff57bc23328de16e99dd56e85efc90affdce
-
Filesize
153KB
MD5f33a4e991a11baf336a2324f700d874d
SHA19da1891a164f2fc0a88d0de1ba397585b455b0f4
SHA256a87524035509ff7aa277788e1a9485618665b7da35044d70c41ec0f118f3dfd7
SHA512edf066968f31451e21c7c21d3f54b03fd5827a8526940c1e449aad7f99624577cbc6432deba49bb86e96ac275f5900dcef8d7623855eb3c808e084601ee1df20
-
Filesize
110KB
MD5ab648a0df4fe7a47fe9d980c545b065d
SHA1ce28ea7dd117289daf467467a592bc304c72d4e6
SHA256905a849721ec95ab08754aeee9a60b3ed435d36962466fcbe5cfca63dfc455cd
SHA5127ae99da55fbf1c31c5281e5f4e10ab2bc33b89effeee82b574eb4b60541c5ea2913d5d99836608873da372c78e75436ae7e535568f48d81cb9dd26d2cc1b3a8c
-
Filesize
3KB
MD5c92a1d4d0755c886dd137c6cab43c35e
SHA1fc16175e58ad1f67c57e7fdf55333fdd0e01d936
SHA2566ab1ee65e6c9c5e31fe3680fc92a2a0ae73f216e966f5582a2d9c265357238d4
SHA5120525880a1f4cc7dd912ca4006fe4bd02bf1218931fcb56489a0ec728a682fdf1ecd35e8797c665c63dc19d8236942d9b832a6a8c46e00df02afa2c65327dd9de
-
Filesize
22KB
MD580648b43d233468718d717d10187b68d
SHA1a1736e8f0e408ce705722ce097d1adb24ebffc45
SHA2568ab9a39457507e405ade5ef9d723e0f89bc46d8d8b33d354b00d95847f098380
SHA512eec0ac7e7abcf87b3f0f4522b0dd95c658327afb866ceecff3c9ff0812a521201d729dd71d43f3ac46536f8435d4a49ac157b6282077c7c1940a6668f3b3aea9
-
Filesize
6KB
MD501e21456e8000bab92907eec3b3aeea9
SHA139b34fe438352f7b095e24c89968fca48b8ce11c
SHA25635ad0403fdef3fce3ef5cd311c72fef2a95a317297a53c02735cda4bd6e0c74f
SHA5129d5153450e8fe3f51f20472bae4a2ab2fed43fad61a89b04a70325559f6ffed935dd72212671cc6cfc0288458d359bc71567f0d9af8e5770d696adc5bdadd7ec
-
Filesize
218B
MD5afa6955439b8d516721231029fb9ca1b
SHA1087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
SHA2568e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
SHA5125da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf