Analysis
max time kernel: 841s
max time network: 806s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-06-2024 15:26
Static task: static1
URLScan task: urlscan1
Malware Config

Signatures
Setting the three Security Center DisableNotify values to 1 suppresses the warnings Windows would otherwise show when antivirus, firewall or automatic updates are off.
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (antivirus-platinum.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (antivirus-platinum.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (antivirus-platinum.exe)
Disables RegEdit via registry modification 1 IoC
Processes:
- Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (antivirus-platinum.exe)
Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry, likely a geofence check.
Processes:
- Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation (302746537.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation (RegistrySmart.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation (Launcher.exe)
Executes dropped EXE 9 IoCs
Processes:
- 2680 usеrinit.exe
- 908 usеrinit.exe
- 3300 302746537.exe
- 2028 antivirus-platinum.exe
- 1912 [email protected]
- 756 is-PBFS8.tmp
- 5724 RegistrySmart.exe
- 2972 Launcher.exe
- 2544 RegistrySmart.exe
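The first two dropped executables are listed as usеrinit.exe, a name that displays like the Windows logon helper userinit.exe. A name that only looks like a system binary deserves an explicit check, so the following added example (not part of the sandbox report or of any tool it names) runs one over the dropped-file names: it lists every non-ASCII character with its Unicode name, folds common Cyrillic look-alikes to Latin, and reports a collision with a Windows system binary. The look-alike entry is constructed here with U+0435 CYRILLIC SMALL LETTER IE in place of the Latin e, which is how the report's entry reads; the confusables subset and the system-binary watch-list are assumptions of the example.

```python
"""Look-alike check for dropped-file names.

Added example, not part of the sandbox report or of any tool named in it.
Flags process names containing non-ASCII characters, reports those
characters' Unicode names, folds common Cyrillic look-alikes to Latin and
checks whether the folded name collides with a Windows system binary.
"""
from __future__ import annotations

import unicodedata

# Constructed input: the "Executes dropped EXE" names. The first entry is
# written with U+0435 CYRILLIC SMALL LETTER IE in place of the Latin "e",
# which is how the report's usеrinit.exe reads.
DROPPED = ["us\u0435rinit.exe", "302746537.exe", "antivirus-platinum.exe",
           "RegistrySmart.exe", "Launcher.exe"]

# Subset of the Unicode TR39 confusables data: Cyrillic letters that render
# identically to Latin ones in most fonts. Assumption: this subset is enough
# for process-name triage; the full data file covers many more scripts.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X",
}

# Windows binaries that malware commonly imitates (assumed watch-list).
SYSTEM_BINARIES = {"userinit.exe", "svchost.exe", "explorer.exe", "lsass.exe",
                   "csrss.exe", "winlogon.exe", "services.exe", "smss.exe"}


def skeleton(name: str) -> str:
    """Fold to the Latin look-alike: NFKC first (full-width forms etc.), then the confusables map."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", name))


def non_ascii(name: str) -> list[tuple[int, str, str]]:
    """(index, character, Unicode name) for every non-ASCII character in the name."""
    return [(i, ch, unicodedata.name(ch, "UNKNOWN")) for i, ch in enumerate(name) if ord(ch) > 0x7F]


def check(name: str) -> dict:
    odd = non_ascii(name)
    folded = skeleton(name)
    return {
        "name": name,
        "suspicious": bool(odd),
        "non_ascii": odd,
        "looks_like": folded,
        # Only a name that needed folding can be a masquerade; the real userinit.exe is not.
        "masquerades_as": folded.lower() if odd and folded.lower() in SYSTEM_BINARIES else None,
    }


def scan(names: list[str]) -> list[dict]:
    """Results for the names that need a second look."""
    return [r for r in (check(n) for n in names) if r["suspicious"]]


if __name__ == "__main__":
    for r in scan(DROPPED):
        chars = ", ".join(f"{c!r} at {i} ({u})" for i, c, u in r["non_ascii"])
        print(f"{r['name']!r}: looks like {r['looks_like']!r}; {chars}"
              + (f"; masquerades as {r['masquerades_as']}" if r["masquerades_as"] else ""))
```

The NFKC step matters as well as the confusables map: full-width Latin letters (for example U+FF33 for S) fold to ASCII under NFKC but are not in any Cyrillic table, so a check that did only one of the two would miss half the tricks.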
Loads dropped DLL 3 IoCs
The two regsvr32.exe instances correspond to the COMCTL32.OCX and MSCOMCTL.OCX dropped into C:\Windows (see the registry class modifications below).
Processes:
- 3900 regsvr32.exe
- 4004 regsvr32.exe
- 2028 antivirus-platinum.exe
Both dropped executables match the upx YARA rule on disk and in the memory dumps of their processes (PID 3300 is 302746537.exe, PID 2028 is antivirus-platinum.exe), i.e. they are UPX-packed.
Processes:
- C:\Windows\302746537.exe (yara: upx)
- behavioral1/memory/3300-2715-0x0000000000400000-0x0000000000410000-memory.dmp (yara: upx)
- C:\Windows\antivirus-platinum.exe (yara: upx)
- behavioral1/memory/2028-2727-0x0000000000400000-0x000000000040D000-memory.dmp (yara: upx)
- behavioral1/memory/3300-2731-0x0000000000400000-0x0000000000410000-memory.dmp (yara: upx)
- behavioral1/memory/2028-2742-0x0000000000400000-0x000000000040D000-memory.dmp (yara: upx)
- behavioral1/memory/2028-2751-0x0000000000400000-0x000000000040D000-memory.dmp (yara: upx)
- behavioral1/memory/2028-2937-0x0000000000400000-0x000000000040D000-memory.dmp (yara: upx)
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (antivirus-platinum.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (antivirus-platinum.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (antivirus-platinum.exe)
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiVirus Pro 2017 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_Antivirus Pro 2017.zip\\[email protected]" ([email protected])
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RegistrySmart = "\"C:\\Program Files\\RegistrySmart\\RegistrySmart.exe\" -boot" (is-PBFS8.tmp)
Checks installed software on the system 1 TTP
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- File opened (read-only) by [email protected] on each of \??\P:, \??\Q:, \??\E:, \??\G:, \??\H:, \??\W:, \??\S:, \??\T:, \??\U:, \??\Z:, \??\I:, \??\K:, \??\X:, \??\N:, \??\O:, \??\R:, \??\V:, \??\Y:, \??\J:, \??\L: and \??\M: (21 IoCs, in the order observed)
Legitimate hosting services abused for malware hosting/C2 1 TTP 14 IoCs
These are GitHub's raw-file and image-proxy hosts. The report attributes the flows to the host only, not to a process, so read them as where payloads or page assets were fetched from rather than as proof of a C2 channel.
Processes:
- raw.githubusercontent.com: flows 182, 186, 307, 259, 181, 183, 184, 180, 273, 306
- camo.githubusercontent.com: flows 146, 148, 150, 157
Maps connected drives based on registry 3 TTPs 5 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
- Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum (RegistrySmart.exe)
- Key security queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum (RegistrySmart.exe)
- Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum (RegistrySmart.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum (RegistrySmart.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum (RegistrySmart.exe)
Writes to the Master Boot Record (MBR) 1 TTP 1 IoC
Bootkits write to the MBR to gain persistence at a level below the operating system. The IoC records the raw disk being opened for write; whether sector 0 was actually rewritten is not shown here, so confirming a bootkit means comparing the sandbox's disk image against a clean MBR.
Processes:
- File opened for modification \??\PhysicalDrive0 ([email protected])
Suspicious use of SetThreadContext 2 IoCs
Each sample instance sets the thread context of a cmd.exe process, which is the pattern of process hollowing or thread hijacking rather than of normal child-process handling.
Processes:
- PID 2636 ([email protected]) set thread context of PID 1520 (cmd.exe)
- PID 3064 ([email protected]) set thread context of PID 3564 (cmd.exe)
Drops file in Program Files directory 7 IoCs
The is-*.tmp files and unins000.dat are the working files of an Inno Setup installer, which is what is-PBFS8.tmp is.
Processes:
- File opened for modification C:\Program Files (x86)\RegistrySmart\unins000.dat (is-PBFS8.tmp)
- File created C:\Program Files (x86)\RegistrySmart\unins000.dat (is-PBFS8.tmp)
- File created C:\Program Files (x86)\RegistrySmart\is-PGRUJ.tmp (is-PBFS8.tmp)
- File created C:\Program Files (x86)\RegistrySmart\is-M7ELJ.tmp (is-PBFS8.tmp)
- File created C:\Program Files (x86)\RegistrySmart\is-CPK3U.tmp (is-PBFS8.tmp)
- File created C:\Program Files (x86)\RegistrySmart\is-NTUJT.tmp (is-PBFS8.tmp)
- File opened for modification C:\Program Files (x86)\RegistrySmart\RegistrySmart.url (is-PBFS8.tmp)
Drops file in Windows directory 12 IoCs
The __tmp_rar_sfx_access_check_* file is the write-access probe a WinRAR self-extracting archive drops in its extraction directory, so the sample is a RAR SFX unpacking its payload (two executables and two OCX libraries) straight into C:\Windows. The attrib.exe entry is most likely the IoC behind the "Views/modifies file attributes" signature below.
Processes:
- File created C:\Windows\__tmp_rar_sfx_access_check_241004937 ([email protected])
- File opened for modification C:\Windows\antivirus-platinum.exe ([email protected])
- File opened for modification C:\Windows\302746537.exe ([email protected])
- File created C:\Windows\Tasks\RegistrySmart Scheduled Scan.job (RegistrySmart.exe)
- File created C:\Windows\antivirus-platinum.exe ([email protected])
- File created C:\Windows\COMCTL32.OCX ([email protected])
- File opened for modification C:\Windows\COMCTL32.OCX ([email protected])
- File created C:\Windows\MSCOMCTL.OCX ([email protected])
- File opened for modification C:\Windows\MSCOMCTL.OCX ([email protected])
- File created C:\Windows\302746537.exe ([email protected])
- File opened for modification C:\windows\antivirus-platinum.exe (attrib.exe)
- File opened for modification C:\Windows\Tasks\RegistrySmart Scheduled Scan.job (RegistrySmart.exe)
Enumerates physical storage devices 1 TTP
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments. Here the process is taskmgr.exe, the built-in Task Manager, which reads these keys to display disk names; this signature and the two that follow fired on the interactive session's own tools, not on the samples.
Processes:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments. The process here is firefox.exe, the browser used in the session.
Processes:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (firefox.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
Enumerates system info in registry 2 TTPs 6 IoCs
The process here is msedge.exe, the Edge browser, not one of the samples.
Processes:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
Sets the Internet Explorer window title to a scare message, typical of rogue-antivirus software.
Processes:
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main (antivirus-platinum.exe)
- Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\Main (antivirus-platinum.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "YOUR PC MAY BE INFECTED WITH SPYWARE OR OTHER MALICIOUS ITEMS" (antivirus-platinum.exe)
Modifies Internet Explorer start page 1 TTP 2 IoCs
Processes:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://secureservices2010.webs.com/scan" (antivirus-platinum.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://secureservices2010.webs.com/scan" (antivirus-platinum.exe)
Modifies registry class 64 IoCs
Almost all of these entries are regsvr32.exe registering the COM classes, interfaces and type libraries of the dropped c:\windows\mscomctl.ocx and c:\windows\comctl32.ocx (the VB6-era common-control libraries) under HKLM\SOFTWARE\Classes and its WOW6432Node view. The three "Key deleted" entries differ: RegistrySmart.exe removes the PersistentHandler keys for .shtml and .eml, and regsvr32.exe removes one InprocServer32 key before re-registering.
Processes:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B5-8589-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0" (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F055-858B-11D1-B16A-00C0F0283628}\ = "IListSubItem" (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4D83600-895E-11D0-B0A6-000000000000}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}" (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6E17E82-DF38-11CF-8E74-00A0C90F26F8}\TypeLib (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\InprocServer32\ = "c:\\windows\\mscomctl.ocx" (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FEB-8583-11D1-B16A-00C0F0283628}\ProxyStubClsid32 (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35053A21-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58DA8D8F-9D6A-101B-AFC0-4210102A8DA7}\Implemented Categories (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C787A50-E01C-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\InprocServer32\ThreadingModel = "Apartment" (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66833FE7-8583-11D1-B16A-00C0F0283628}\ = "IButtons" (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C74190B4-8589-11D1-B16A-00C0F0283628} (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9ED94440-E5E8-101B-B9B5-444553540000}\ToolboxBitmap32\ = "c:\\windows\\comctl32.ocx, 10" (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B7E6393-850A-101B-AFC0-4210102A8DA7}\ = "StatusBar General Property Page Object" (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DA8D8C-9D6A-101B-AFC0-4210102A8DA7} (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0713E8B1-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE35-8596-11D1-B16A-00C0F0283628}\InprocServer32 (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0713E8A2-850A-101B-AFC0-4210102A8DA7}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502} (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58DA8D8F-9D6A-101B-AFC0-4210102A8DA7}\ToolboxBitmap32\ = "c:\\windows\\comctl32.ocx, 3" (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4D83601-895E-11D0-B0A6-000000000000}\TypeLib (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\VersionIndependentProgID (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F050-858B-11D1-B16A-00C0F0283628} (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE34-8596-11D1-B16A-00C0F0283628}\InprocServer32\ = "c:\\windows\\mscomctl.ocx" (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C74190B4-8589-11D1-B16A-00C0F0283628}\ = "ITreeView" (regsvr32.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.shtml\PersistentHandler (RegistrySmart.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0713E8A2-850A-101B-AFC0-4210102A8DA7}\Implemented Categories (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0713E8D8-850A-101B-AFC0-4210102A8DA7}\InprocServer32\ = "c:\\windows\\comctl32.ocx" (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6E17E8A-DF38-11CF-8E74-00A0C90F26F8} (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Slider.2\CLSID\ = "{F08DF954-8592-11D1-B16A-00C0F0283628}" (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}" (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E1B5150-DB62-11D0-A0D8-0080C7E7B78D} (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0713E8A7-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32 (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.SBarCtrl.2\CLSID\ = "{8E3867A3-8586-11D1-B16A-00C0F0283628}" (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDD1F04E-858B-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}" (regsvr32.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.eml\PersistentHandler (RegistrySmart.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9ED94440-E5E8-101B-B9B5-444553540000}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352} (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DA8D91-9D6A-101B-AFC0-4210102A8DA7}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}" (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DA8D94-9D6A-101B-AFC0-4210102A8DA7}\TypeLib (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Version\ = "2.0" (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04A-858B-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0" (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.Slider.1 (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "1.3" (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0713E8AE-850A-101B-AFC0-4210102A8DA7}\TypeLib (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58DA8D8F-9D6A-101B-AFC0-4210102A8DA7} (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6E17E8E-DF38-11CF-8E74-00A0C90F26F8}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}" (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E1B5150-DB62-11D0-A0D8-0080C7E7B78D}\ProxyStubClsid32 (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7791BA60-E020-11CF-8E74-00A0C90F26F8} (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE34-8596-11D1-B16A-00C0F0283628}\ = "Tab Property Page Object" (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9ED94440-E5E8-101B-B9B5-444553540000}\ProgID (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{373FF7F0-EB8B-11CD-8820-08002B2F4F5A}\VersionIndependentProgID (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\MiscStatus\ = "0" (regsvr32.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\InprocServer32 (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\TypeLib (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7}\MiscStatus\ = "0" (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6E17E88-DF38-11CF-8E74-00A0C90F26F8} (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA664-8594-11D1-B16A-00C0F0283628} (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{612A8626-0FB3-11CE-8747-524153480004}\ProxyStubClsid32 (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58DA8D90-9D6A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F051-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32 (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA660-8594-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BF877890-E026-11CF-8E74-00A0C90F26F8}\TypeLib\Version = "1.3" (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6E17E86-DF38-11CF-8E74-00A0C90F26F8} (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F049-858B-11D1-B16A-00C0F0283628}\ = "IListView" (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F08DF952-8592-11D1-B16A-00C0F0283628}\ = "ISlider" (regsvr32.exe)
NTFS ADS 5 IoCs
The Zone.Identifier streams are the Mark-of-the-Web that Firefox writes on download and 7-Zip propagates on extraction; they are expected behaviour here, but they do record the four archives brought into the session: Antivirus Platinum.zip, RegistrySmart.zip, Antivirus Pro 2017.zip and Antivirus 2010.zip.
Processes:
- File created C:\Users\Admin\Downloads\Antivirus Platinum.zip:Zone.Identifier (firefox.exe)
- File created C:\Users\Admin\Downloads\RegistrySmart.zip:Zone.Identifier (firefox.exe)
- File created C:\Users\Admin\AppData\Local\Temp\7zO8F4380B1\[email protected]:Zone.Identifier (7zFM.exe)
- File created C:\Users\Admin\Downloads\Antivirus Pro 2017.zip:Zone.Identifier (firefox.exe)
- File created C:\Users\Admin\Downloads\Antivirus 2010.zip:Zone.Identifier (firefox.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- 1612 taskmgr.exe (×64)
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
Processes:
- 2240 [email protected]
- 1612 taskmgr.exe
- 5368 7zFM.exe
- 2544 RegistrySmart.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
Processes:
- 720 msedge.exe (×5)
- 5224 msedge.exe (×4)
Suspicious use of AdjustPrivilegeToken 28 IoCs
The firefox.exe, taskmgr.exe and 7zFM.exe entries come from the browser, Task Manager and 7-Zip used during the session. The entries of interest are the sample instances (PIDs 2636 and 3064, which also set the thread context of cmd.exe) and the two usеrinit.exe instances, each enabling SeDebugPrivilege.
Processes:
- Token: SeDebugPrivilege 2728 firefox.exe (×3)
- Token: SeDebugPrivilege 1612 taskmgr.exe
- Token: SeSystemProfilePrivilege 1612 taskmgr.exe
- Token: SeCreateGlobalPrivilege 1612 taskmgr.exe
- Token: SeDebugPrivilege 2728 firefox.exe (×5)
- Token: SeDebugPrivilege 2636 [email protected]
- Token: SeSecurityPrivilege 2636 [email protected]
- Token: SeDebugPrivilege 2680 usеrinit.exe
- Token: SeDebugPrivilege 2728 firefox.exe
- Token: SeDebugPrivilege 3064 [email protected]
- Token: SeSecurityPrivilege 3064 [email protected]
- Token: SeDebugPrivilege 908 usеrinit.exe
- Token: SeDebugPrivilege 2728 firefox.exe (×4)
- Token: SeRestorePrivilege 5368 7zFM.exe
- Token: 35 (privilege LUID 35, SeCreateSymbolicLinkPrivilege) 5368 7zFM.exe
- Token: SeSecurityPrivilege 5368 7zFM.exe
- Token: SeDebugPrivilege 2728 firefox.exe
- Token: SeBackupPrivilege 2544 RegistrySmart.exe
- Token: SeDebugPrivilege 2728 firefox.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
- 2728 firefox.exe (×4)
- 2240 [email protected] (×3)
- 1612 taskmgr.exe (repeated)
- 2240 [email protected] (×3)
- 1612 taskmgr.exe (repeated)
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
- 2728 firefox.exe (×3)
- 2240 [email protected] (×3)
- 1612 taskmgr.exe (repeated)
- 2240 [email protected] (×3)
- 1612 taskmgr.exe (repeated)
Suspicious use of SetWindowsHookEx 31 IoCs
Processes:
- 2728 firefox.exe (×4)
- 2240 [email protected] (×2)
- 2728 firefox.exe (×15)
- 2028 antivirus-platinum.exe
- 2728 firefox.exe (×3)
- 5724 RegistrySmart.exe (×2)
- 2972 Launcher.exe
- 2544 RegistrySmart.exe (×3)
Suspicious use of WriteProcessMemory 64 IoCs
Every entry is firefox.exe writing into one of its own child processes, which a multi-process browser does on every launch; none of the samples appears here.
Processes:
- PID 4756 (firefox.exe) wrote to memory of PID 2728 (firefox.exe) (×11)
- PID 2728 (firefox.exe) wrote to memory of PID 3388 (firefox.exe) (×43)
- PID 2728 (firefox.exe) wrote to memory of PID 1604 (firefox.exe) (×10)
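Read together, the SetThreadContext and WriteProcessMemory lists describe who manipulated whom: the two sample instances (PIDs 2636 and 3064) each set the thread context of a cmd.exe (PIDs 1520 and 3564), which is consistent with process hollowing or thread hijacking, while all 64 WriteProcessMemory entries are firefox.exe writing into its own child processes. The following added example (not part of the sandbox report or of any tool it names) parses both the sandbox's raw line form and the list form used above into edges, collapses repeats, and applies that distinction as a heuristic. The input is constructed from the two lists, with sample.exe standing in for the sample's file name, which this report shows in redacted form.

```python
"""Process-interaction edges from SetThreadContext / WriteProcessMemory IoCs.

Added example, not part of the sandbox report or of any tool named in it.
Parses both the sandbox's raw form
    PID 2636 set thread context of 1520 2636 <src image> <dst image>
and the list form used on this page
    PID 2636 (<src image>) set thread context of PID 1520 (<dst image>) (×3)
into edges, collapses repeats, and separates a process writing into its own
child processes from a cross-image SetThreadContext / WriteProcessMemory.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

ACTIONS = r"(?P<action>set thread context of|wrote to memory of)"
RAW_RE = re.compile(
    rf"^PID (?P<src>\d+) {ACTIONS} (?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$")
LIST_RE = re.compile(
    rf"^PID (?P<src>\d+) \((?P<src_img>[^\s()]+)\) {ACTIONS} "
    r"PID (?P<dst>\d+) \((?P<dst_img>[^\s()]+)\)(?: \(×(?P<n>\d+)\))?$")


@dataclass(frozen=True)
class Edge:
    src: int
    src_img: str
    action: str
    dst: int
    dst_img: str


def parse_edges(line: str) -> list[Edge]:
    """Edges described by one IoC line; a '(×n)' suffix expands to n identical edges."""
    text = re.sub(r"^-\s*", "", line.strip())
    m = RAW_RE.match(text) or LIST_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    g = m.groupdict()
    edge = Edge(int(g["src"]), g["src_img"], g["action"], int(g["dst"]), g["dst_img"])
    return [edge] * int(g.get("n") or 1)


def injection_candidates(edges: list[Edge]) -> list[Edge]:
    """Edges not explained by a process managing children of its own image.

    Heuristic, not the sandbox's: SetThreadContext on another process is
    always of interest; WriteProcessMemory is expected between two processes
    of the same image (browser -> content process) and of interest otherwise.
    """
    return sorted(
        {e for e in edges if e.action == "set thread context of" or e.src_img != e.dst_img},
        key=lambda e: (e.src, e.dst),
    )


def triage(lines: list[str]) -> tuple[Counter, list[Edge]]:
    """Collapsed edge counts plus the edges worth a closer look."""
    edges = [e for line in lines for e in parse_edges(line)]
    return Counter(edges), injection_candidates(edges)


# Constructed input from the two lists above; sample.exe stands in for the
# sample's file name, which this report shows in redacted form.
SAMPLE_LINES = (
    ["PID 2636 set thread context of 1520 2636 sample.exe cmd.exe",
     "PID 3064 set thread context of 3564 3064 sample.exe cmd.exe"]
    + ["PID 4756 wrote to memory of 2728 4756 firefox.exe firefox.exe"] * 11
    + ["- PID 2728 (firefox.exe) wrote to memory of PID 3388 (firefox.exe) (×43)",
       "- PID 2728 (firefox.exe) wrote to memory of PID 1604 (firefox.exe) (×10)"]
)

if __name__ == "__main__":
    counts, candidates = triage(SAMPLE_LINES)
    for edge, n in counts.items():
        print(f"{edge.src} {edge.src_img} -> {edge.dst} {edge.dst_img}: {edge.action} x{n}")
    print("injection candidates:", [(e.src, e.src_img, e.dst, e.dst_img) for e in candidates])
```

The same-image rule is deliberately narrow: it whitelists a browser bootstrapping its own content processes, and nothing else, so a sample writing into another copy of itself would still be excluded only if both images really are the same file. Pair the candidate list with the process tree before concluding hollowing, since the report does not show whether the cmd.exe targets were created suspended by the sample.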
System policy modification 1 TTP 4 IoCs
NoDrives = 67108863 is 0x03FFFFFF, all 26 bits set: every drive letter A: to Z: is hidden from Explorer. Together with DisableTaskMgr here and the DisableRegistryTools value above, this removes the usual ways a user would inspect or kill the process.
Processes:
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (antivirus-platinum.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "67108863" (antivirus-platinum.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (antivirus-platinum.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" (antivirus-platinum.exe)
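The registry writes by antivirus-platinum.exe across the Security Center, Policies\System, Policies\Explorer and Internet Explorer\Main sections, plus the two Run keys, form one lockout-and-persistence set. The following added example (not part of the sandbox report or of any tool it names) parses those IoC lines into records, tags the value names whose meaning Windows fixes, decodes the NoDrives bitmask and picks out Run-key persistence. The sample lines are copied from this report; the tag table, the "1 means enforced" rule and the Run-key/Start Page checks are assumptions of the example.

```python
"""Triage helper for the registry IoC lines in a sandbox report.

Added example, not part of the sandbox report or of any tool named in it.
Parses lines such as
    Set value (int) \\REGISTRY\\MACHINE\\...\\Policies\\System\\DisableTaskMgr = "1" antivirus-platinum.exe
with the writing process either bare (as the sandbox prints it) or in
parentheses (as in the lists on this page), tags value names whose effect
is fixed by Windows, and decodes the Explorer NoDrives bitmask.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

LINE_RE = re.compile(
    r"^(?P<op>Set value \((?P<vtype>int|str)\)|Key (?:created|deleted|opened|queried|"
    r"security queried|value queried|value enumerated))\s+"
    r"(?P<path>\\REGISTRY\\\S.*?)"             # hive + key path, may contain spaces
    r'(?:\s+=\s+"(?P<value>.*)")?'             # = "value", only for Set value ops
    r"\s+\(?(?P<process>[^\s()]+)\)?$"         # writing process, bare or in parentheses
)

# Value names with a fixed meaning in Windows, and what setting them to 1 does.
LOCKOUT_VALUES = {
    "DisableTaskMgr": "Task Manager blocked",
    "DisableRegistryTools": "Registry Editor blocked",
    "NoDrives": "drive letters hidden in Explorer",
    "AntiVirusDisableNotify": "Security Center antivirus warnings suppressed",
    "FirewallDisableNotify": "Security Center firewall warnings suppressed",
    "UpdatesDisableNotify": "Security Center update warnings suppressed",
}


@dataclass
class RegIoc:
    op: str
    key: str
    name: Optional[str]      # value name for Set value ops, None for key ops
    vtype: Optional[str]
    value: Optional[str]
    process: str


def parse_registry_ioc(line: str) -> RegIoc:
    """Parse one IoC line; a leading '- ' bullet is tolerated."""
    text = re.sub(r"^-\s*", "", line.strip())
    m = LINE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised registry IoC line: {line!r}")
    path = m["path"]
    if m["vtype"]:                              # Set value: last component is the value name
        key, _, name = path.rpartition("\\")
        name = name or "(Default)"              # trailing backslash = the key's default value
    else:                                       # Key ops: the whole path is the key
        key, name = path, None
    return RegIoc(m["op"], key, name, m["vtype"], m["value"], m["process"])


def decode_nodrives(mask: int) -> str:
    """Bit n of the NoDrives policy hides drive letter chr(65 + n); 0x03FFFFFF hides A: to Z:."""
    return "".join(chr(ord("A") + n) for n in range(26) if mask >> n & 1)


def tag(ioc: RegIoc) -> Optional[str]:
    """Effect of a Set value IoC, or None when it is not a known lockout, hijack or persistence write."""
    if ioc.name is None:
        return None
    if ioc.name in LOCKOUT_VALUES:
        if ioc.name == "NoDrives":
            if not (ioc.value or "").isdigit():
                return None
            return f"{LOCKOUT_VALUES[ioc.name]}: {decode_nodrives(int(ioc.value))}"
        # Assumption: only the value 1 enforces these policies; 0 or junk does not.
        return LOCKOUT_VALUES[ioc.name] if ioc.value == "1" else None
    key = ioc.key.lower()
    if ioc.name == "Start Page" and key.endswith("\\internet explorer\\main"):
        return f"IE start page hijacked to {ioc.value}"
    if key.endswith("\\currentversion\\run"):
        return f"Run-key persistence '{ioc.name}' -> {ioc.value}"
    return None


def triage(lines: list[str]) -> list[tuple[str, str, str]]:
    """(process, value name, effect) for every line that carries a tagged write."""
    out = []
    for line in lines:
        ioc = parse_registry_ioc(line)
        effect = tag(ioc)
        if effect:
            out.append((ioc.process, ioc.name, effect))
    return out


# Constructed input: IoC lines copied from this report, in both trailing-process forms.
SAMPLE_LINES = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" antivirus-platinum.exe',
    r'- Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (antivirus-platinum.exe)',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "67108863" antivirus-platinum.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" antivirus-platinum.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://secureservices2010.webs.com/scan" antivirus-platinum.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RegistrySmart = "\"C:\\Program Files\\RegistrySmart\\RegistrySmart.exe\" -boot" is-PBFS8.tmp',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\InprocServer32\ = "c:\\windows\\mscomctl.ocx" regsvr32.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer antivirus-platinum.exe',
]

if __name__ == "__main__":
    for process, name, effect in triage(SAMPLE_LINES):
        print(f"{process:24} {name:24} {effect}")
```

Keeping the parser and the tag table separate is the point: the parser is generic for any registry IoC the sandbox emits, while the table is where an analyst records what a given value name means on the platform, which is why the COM-registration and bare "Key created" lines fall through untagged instead of inflating the list.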
Uses Task Scheduler COM API 1 TTP
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. The "RegistrySmart Scheduled Scan.job" file created under C:\Windows\Tasks (listed above) is the visible result.
Views/modifies file attributes 1 TTP 1 IoC
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 1)
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://microsoft.com"
- Suspicious use of WriteProcessMemory
PID:4756
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 2)
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://microsoft.com
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2728
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 3)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2728.0.384260813\1697646964" -parentBuildID 20230214051806 -prefsHandle 1772 -prefMapHandle 1764 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {580dbc1f-c2fd-4d20-89a6-53212c83c074} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" 1864 22db0d27e58 gpu
PID:3388
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 3)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2728.1.1935945637\56986728" -parentBuildID 20230214051806 -prefsHandle 2432 -prefMapHandle 2428 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7489465-db27-4c88-af80-6044eedb43c2} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" 2444 22d9ca88a58 socket
PID:1604
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 3)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2728.2.756438430\2104874410" -childID 1 -isForBrowser -prefsHandle 2996 -prefMapHandle 2992 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1268 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {480eac80-8335-4416-bdaa-6d2804a5ec9f} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" 3008 22db3b4ca58 tab
PID:1176
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 3)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2728.3.1586455892\1877055616" -childID 2 -isForBrowser -prefsHandle 3676 -prefMapHandle 3672 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1268 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24d11cc0-279b-4d98-b213-2da5f7943f4f} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" 3680 22db57b6858 tab
PID:988
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 3)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2728.4.820044386\1682448166" -childID 3 -isForBrowser -prefsHandle 4888 -prefMapHandle 5088 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1268 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b906bb8-c1b6-40c8-91a2-47d8896fac5e} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" 4980 22db70ede58 tab
PID:3064
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 3)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2728.5.315663095\1731846812" -childID 4 -isForBrowser -prefsHandle 5236 -prefMapHandle 5240 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1268 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ced08471-7edb-477e-95ce-6c1cfd041913} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" 5228 22db70eea58 tab
PID:3256
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 3)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2728.6.700827231\1525789719" -childID 5 -isForBrowser -prefsHandle 5508 -prefMapHandle 5436 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1268 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {413fa4a8-5021-4a6a-81c1-b4780e53a353} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" 5516 22db70f0558 tab
PID:3268
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 3)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2728.7.242511128\1976934753" -childID 6 -isForBrowser -prefsHandle 5316 -prefMapHandle 5388 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1268 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e93810ef-a9fb-48d0-b9a3-53fb6c18a937} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" 5396 22db9807558 tab
PID:3976
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 3)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2728.8.688482006\1645430092" -childID 7 -isForBrowser -prefsHandle 5356 -prefMapHandle 5344 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1268 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89bcce45-9248-43ef-a506-69201f21b76c} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" 5352 22db77a1658 tab
PID:2416
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 3)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2728.9.1680620613\687619758" -childID 8 -isForBrowser -prefsHandle 10032 -prefMapHandle 10024 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1268 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c44cfcd-c032-4fda-8501-5bfefb304891} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" 10012 22db6c7a758 tab
PID:2956
-
C:\Windows\System32\rundll32.exe (depth 1)
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:3332
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Antivirus Pro 2017.zip\[email protected] (depth 1)
"C:\Users\Admin\AppData\Local\Temp\Temp1_Antivirus Pro 2017.zip\[email protected]"
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2240
-
C:\Windows\system32\taskmgr.exe (depth 1)
"C:\Windows\system32\taskmgr.exe" /4
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1612
-
C:\Windows\SysWOW64\werfault.exe (depth 1)
werfault.exe /h /shared Global\d3fe1c5ad4204b2b818b0bada2794cac /t 3500 /p 2240
PID:828
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Antivirus 2010.zip\[email protected] (depth 1)
"C:\Users\Admin\AppData\Local\Temp\Temp1_Antivirus 2010.zip\[email protected]"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2636
-
C:\Windows\SysWOW64\cmd.exe (depth 2)
"C:\Windows\system32\cmd.exe"
PID:1520
-
\??\globalroot\systemroot\system32\usеrinit.exe (depth 2)
/install
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2680
-
C:\Users\Admin\Downloads\Antivirus 2010\[email protected] (depth 1)
"C:\Users\Admin\Downloads\Antivirus 2010\[email protected]"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3064
-
C:\Windows\SysWOW64\cmd.exe (depth 2)
"C:\Windows\system32\cmd.exe"
PID:3564
-
\??\globalroot\systemroot\system32\usеrinit.exe (depth 2)
/install
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:908
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Antivirus Platinum.zip\[email protected] (depth 1)
"C:\Users\Admin\AppData\Local\Temp\Temp1_Antivirus Platinum.zip\[email protected]"
- Drops file in Windows directory
PID:1820
-
C:\WINDOWS\302746537.exe (depth 2)
"C:\WINDOWS\302746537.exe"
- Checks computer location settings
- Executes dropped EXE
PID:3300
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7216.tmp\302746537.bat" "
PID:1040
-
C:\Windows\SysWOW64\regsvr32.exe (depth 4)
regsvr32 /s c:\windows\comctl32.ocx
- Loads dropped DLL
- Modifies registry class
PID:3900
-
C:\Windows\SysWOW64\regsvr32.exe (depth 4)
regsvr32 /s c:\windows\mscomctl.ocx
- Loads dropped DLL
- Modifies registry class
PID:4004
-
\??\c:\windows\antivirus-platinum.exe (depth 4)
c:\windows\antivirus-platinum.exe
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2028
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://secureservices2010.webs.com/update/update.txt
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:720
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff845c846f8,0x7ff845c84708,0x7ff845c84718
PID:940
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,5377251951912933907,4383938754221448271,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
PID:4632
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,5377251951912933907,4383938754221448271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
PID:2152
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,5377251951912933907,4383938754221448271,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
PID:4040
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,5377251951912933907,4383938754221448271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
PID:3324
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,5377251951912933907,4383938754221448271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
PID:4832
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,5377251951912933907,4383938754221448271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
PID:4216
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,5377251951912933907,4383938754221448271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
PID:5436
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 6)
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,5377251951912933907,4383938754221448271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
PID:5476
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 6)
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,5377251951912933907,4383938754221448271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
PID:5812
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,5377251951912933907,4383938754221448271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
PID:5976
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
attrib +h c:\windows\antivirus-platinum.exe
- Drops file in Windows directory
- Views/modifies file attributes
PID:3628
-
C:\Windows\System32\CompPkgSrv.exe (depth 1)
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:464
-
C:\Windows\System32\CompPkgSrv.exe (depth 1)
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:3408
-
C:\Program Files\7-Zip\7zFM.exe (depth 1)
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\RegistrySmart.zip"
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:5368
-
C:\Users\Admin\AppData\Local\Temp\7zO8F4380B1\[email protected]
PID:1912
-
C:\Users\Admin\AppData\Local\Temp\is-5F4TA.tmp\is-PBFS8.tmp (depth 3)
"C:\Users\Admin\AppData\Local\Temp\is-5F4TA.tmp\is-PBFS8.tmp" /SL4 $20800 "C:\Users\Admin\AppData\Local\Temp\7zO8F4380B1\[email protected]" 779923 55808
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:756
-
C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe (depth 4)
"C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5724
-
C:\Program Files (x86)\RegistrySmart\Launcher.exe (depth 5)
"C:\Program Files (x86)\RegistrySmart\Launcher.exe" 0:
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2972
-
C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe (depth 6)
"C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe" launch
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2544
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 7)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.registrysmart.com/register.php
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:5224
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 8)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ff845c846f8,0x7ff845c84708,0x7ff845c84718
PID:2896
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 8)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,14687589859639111328,4417396499146735274,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
PID:1488
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 8)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,14687589859639111328,4417396499146735274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
PID:5196
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 8)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,14687589859639111328,4417396499146735274,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
PID:2020
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 8)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,14687589859639111328,4417396499146735274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
PID:5312
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 8)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,14687589859639111328,4417396499146735274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
PID:5544
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 8)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,14687589859639111328,4417396499146735274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
PID:1032
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 8)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,14687589859639111328,4417396499146735274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
PID:2400
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 8)
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,14687589859639111328,4417396499146735274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4332 /prefetch:8
PID:5788
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 8)
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,14687589859639111328,4417396499146735274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4332 /prefetch:8
PID:876
-
C:\Windows\System32\CompPkgSrv.exe (depth 1)
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:5308
-
C:\Windows\System32\CompPkgSrv.exe (depth 1)
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:5416
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Pre-OS Boot (1)
Bootkit (1)
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Defense Evasion
Hide Artifacts (1)
Hidden Files and Directories (1)
Impair Defenses (2)
Disable or Modify Tools (2)
Modify Registry (6)
Pre-OS Boot (1)
Bootkit (1)
Downloads
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\datareporting\glean\db\data.safe.bin
Filesize182B
MD51c3c58f7838dde7f753614d170f110fc
SHA1c17e5a486cecaddd6ced7217d298306850a87f48
SHA25681c14432135b2a50dc505904e87781864ca561efef9e94baeca3704d04e6db3d
SHA5129f6e9bcb0bba9e2ce3d7dabe03b061e3fda3f6d7b0249ecf4dbc145dc78844386d047ee2ac95656a025ef808cd0fc451204dc98a1981cf2729091761661a3b49
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\datareporting\glean\db\data.safe.bin
Filesize182B
MD5c58234a092f9d899f0a623e28a4ab9db
SHA17398261b70453661c8b84df12e2bde7cbc07474b
SHA256eaec709a98b57cd9c054a205f9bfa76c7424db2845c077822804f31e16ac134c
SHA512ae2724fc45a8d9d26e43d86bcc7e20f398d8ab4e251e89550087ace1311c4d2571392f2f0bed78da211fcb28766779c1853b80742faa69f722b2c44c283569fd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\datareporting\glean\db\data.safe.bin
Filesize182B
MD57fba44cb533472c1e260d1f28892d86b
SHA1727dce051fc511e000053952d568f77b538107bb
SHA25614fb5cda1708000576f35c39c15f80a0c653afaf42ed137a3d31678f94b6e8bf
SHA5121330b0f39614a3af2a6f5e1ea558b3f5451a7af20b6f7a704784b139a0ec17a20c8d7b903424cb8020a003319a3d75794e9fe8bc0aeb39e81721b9b2fdb9e031
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
7KB
MD573791d2b8c3094f7cf782fdef08b468c
SHA10e4f64d247c6f3e9b27c5f36ca446f0a8aa55720
SHA256b138e33cd2de1f800b8820b777f0aa70849273263d10661b0aa7a9e35d2700d3
SHA512409a6c0496312ea46da14d16e29a97aab298e0c665bc0f7d56b5a9375e3924b34b7e8f174019f10b0ef514a9441cd1cb35c44ceba94f162b34fac1b35dd99f84
-
Filesize
6KB
MD5b135d5de08f768a43438bc7db45696bc
SHA1093271f2b4c18de36c072636a51b3bbe7887d26c
SHA25684ec5d5e441a72eeaec45e90765a495e3850d9dbfec8f1b8e4d1e8d7a3899900
SHA5123001f286ace110e8baadfd89d22f8c9fdccb76f390b7567afffadca77b5a75770bec8e25a06b21065967aa53c798c1a56dffed87983b98dae3b00465b61e8d37
-
Filesize
8KB
MD584597523b232a0d6e1167aad2fabbb90
SHA1e15114d915a7385d38107f464e111ca7a0036e77
SHA256bd533a7f4e91445de8d568a2d4b9b76aae66eb5bb83e8824d3026754941ad42d
SHA512c9ef4d5955e1d51ab4fefa9339b4f24e4a8095d0ecbddc73048cdc025b9cfcd47f4d4e3a7a9afa86ff502940cb081851a7810818ab8f075a41d717a1c83b87b0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4
Filesize3KB
MD5638d427587c0c4587a7f9fb66021ff88
SHA14991b62226e845f5f52288d52099bd5ea4a78e78
SHA25601aca85cc5b3c242c443cabe722c8bc377c914446b5ab74ce67209bda27b287f
SHA51232e3b0bc510cc573773fd9558c7f8cdb010d352eeb498aea9491e0e61b1919eea29e5114d1c33383003c78753e3ca0effe9ba777e3089c771b264d74a636af25
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4
Filesize5KB
MD501f54b9d5832ca4f920129a3ed3a6ae6
SHA14568d416478b9e4d6a67ea1a9fbbd681768fc89c
SHA256e6ce73ce9ac42b29caa5e9d68188ab165c50b0b169aceca0f02b170c3964fc33
SHA512f34ec9f82efdb75dc6f40c2e4f3cf9be0e8b6c75e266d32b94d66c6b71d43b99e5c8c06016604f7e35c60efab324c3f76ee1e5005bb3fb91fe50c560715ab945
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4
Filesize5KB
MD5430cfbbe951e3025bbae1c3606f8e4df
SHA12c9cd0e04e982c6eeb24a61fe74b17e1aa988845
SHA256e4cad76f9dbce2b7adb3ef329a8efbb21d530ecb67466d4be2eda443b5148644
SHA51204217ed68facd5d23b20b2232d826824aa84574368073dada52abde47023c43372881b95f56cd26620080643a4470cadbccb9c5940ecc10ea9324864167e92dd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4
Filesize5KB
MD51829d6ba5529e4d9e0b3e2ca0d3dc609
SHA15e9199292a30b4153fbbfc96e0fcee9200284172
SHA256251fc019f78e089d1b3a91a56a1be1fb70145789ccb9a77d9538f1e80a1555ce
SHA51287f0fa8f47e83e1ecd14de8bf2313514bfc0d4d601196dba8690696f308e6f8dd9abf672c823371c345384b77bd3c7c46598726a1e1645d28c301ece4bd85c55
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4
Filesize5KB
MD5def009d41ff7ad962c212cc902a5d287
SHA17f95e60acca09d1541564a02e9392b973dc5d134
SHA2567303e5b4920f0714dd3923ec0047fe7adb312bf19e2f62349c80ce7d4687f6dc
SHA512c83f4147e2a7df296e7048fa7b86aef323606c1a93666867d426660077408c62c2b5b59c144e4649cf9b8414594c7a586af3afb0090d0df466e040488d5f2ef2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4
Filesize5KB
MD5a43c8de30d74dfdb0aa5e015b4cf5b51
SHA1ae951a764b7340c45199e30c2369e790a3e0ef0f
SHA256be8bd9546f41dc3b74061ca514da3717214d6ef33595f4b59087b92a71e8ed6d
SHA5124768377a52e35d0063ac9090e7576f3f06a76a861d3111297da4858e8308598a240961e4c55cc4c330a458c6f28f7340f61c26351c45c1be481990e8989f3e13
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4
Filesize5KB
MD57dbc6b5a893901b430473bd0ea4223ac
SHA19b58639a3f868d1c8a1de999c1dfaae785c5d0b0
SHA256a05a6ec766bf80743e0797b38917ccee53a885a2ab8899a7e37a0eb2a9993f7d
SHA51221703fc917ef30d12399979ec67135088fd9ab85e48a96734d8a42a75e4c7bfc5545c1a0fc6ce8230b832be9fe82ce41a264d2d37d3b725f6b0bd1a358cfdad8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4
Filesize5KB
MD5fe388fb8d6578d90b43eb61e3feaca2b
SHA1bf48e643161e09d25a073a27867f059fe4304e17
SHA25672c39bf07becc2627197d2641e4f7eda8fab894d2a742e62b2aca0428de90f1d
SHA5125410e49a41dd0dfef2713d74d60dfd0ef25dd0890e3ecda1ca8bf511173091e8b5a143074279c49af68e5c4398a0d7c7366c6cb2484353ef6ae3e0bfd2e20ffd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4
Filesize5KB
MD5fb0f301b1f89164d4954b743ef9f14ed
SHA1b03c097d7c570463252dd02f8da4181951fbb2e3
SHA256517eff82ce39ec0f481ce74fc1e71788cd7c0f0676b298d37bd788bf417ab83f
SHA512e91edb7de89ed9763d42d237819d41b4876c17d03172496c158f4fbd5d587e04a249b237233c55d48c3f961173944719bf503a46a7a2f84f27d209a190df7b74
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4
Filesize5KB
MD5b5f025911826b14fa06fc6619344d5b1
SHA1b5767e5d22f798966100144d66fa979b84aae611
SHA2569368d6445894ae710cb346da250fdf15a33b866350d5337ce342131ff695512e
SHA512aea0a826ffe05832963bb4ac08eabb9d183c32c436bf2c5e4f08c84b97e89b3738c351ac7e3098cca1a317a6b4bfd6b03cee377a2c659e5896af27ea12ff3616
-
Filesize
46B
MD59d6c4929675523e8aaa55c93779e2333
SHA18a7c765c653379c773ab8db835a597902f2c6d6c
SHA256c193a3e852abdfadfaf745a204d1975a636301c0681478b954d351d56e8aeb9c
SHA5122ad7e1721557a1d42bc64ed4d5a767cc6356b094d03aceefb0f1d63c71179eb1c506e4ecd9f275167ec381b688e04f3382e004219a2c8bf20e41ac26d23050ed
-
Filesize
1KB
MD590a969c42dc56a40d93a5b0e25f306cc
SHA19dfafa2bef58776dc1d0520c54cf0236a65de375
SHA256ac51fd56025c90a7e6e6371c553a0cecfa2c0dded5d5b6277eee734961f43834
SHA51279640a85d1ed43ac48f6af83dbfc8d01d97e8897a39a2a6c8eafcdc3b3e0c822c74ccee86cb3ce0aa00477054507bfb2fa5652f1eb1fd14458ec5557df329c19
-
Filesize
1KB
MD5cb4547c3ac00f1e8092f4625a1e6f153
SHA1be417b016fd3e8f8e7b214736bcf80e01a7eaf78
SHA2568437af0ef1261979e9689760696767fe24bef3ba307598030f91e973926df064
SHA5127a2cd6e8eb4ada3731587bbc8614d0c14d58dd33d9a12a5d865e9056fbc9bc2b1b333be948248380b97f4d3d788967c64eeb7f46f4c6d7e1055c2ad5ae104750
-
Filesize
1KB
MD51d8e68dae0d6876b229b12dc00cfb34b
SHA123fc52561c471501cd31de53aa878dd6b8f6fbe1
SHA256af25c4a4b32805f7a8dac1c57290096ccf58082719b38f1570013b355d24ebaa
SHA512813a564730aeb9d3ea95dacbc786ef869f860a72ad144be10a58a3fdab2c1346e0183fc1878b7e06db0df8f84d7283ede48077a4f5973882c0094b53779933bb
-
Filesize
688KB
MD51876b2d886ec392d71f37423dfef0c11
SHA1af78db6206cada4f780f030d45fcaa881f892a99
SHA25661ff034c476d4060fbea6debc5f84494cf02f337a9a897ddb6b3eb3a28c16406
SHA5129070d1c35ddc045c7d5aa7938d231d139437c0b363c72a71d1edf3b77ea40484869c92e3dc9b021c2897d224d3f2b6bcf64b4dcf44149da9d6cc15d4dfa9951e
-
Filesize
46KB
MD5674e0c6a043592ec387055d9b338887e
SHA1e9ba87cdb49a7a4285d003b31ce9fccbd7eec279
SHA256faa9a82958f380ef30b3b0b9f9b4f796e9467e16b50c1041bfe6287cabdbf239
SHA512950175621961c1e585a5ce52ed51fc52e8ba3f91dc5c8f879a69513259ec22cfc9daed0ca50aa956eb2173b0127b3e33b31c03c8971a8ac087433eb6e5179d35
-
Filesize
32KB
MD5772b00045d725c7365d6a8884db56f3f
SHA164fe4b2edd277fbe40e9db58eff671ff0370ae36
SHA25643ae1262f82fe7a0e2169361bfa4fc5a6567c95d3257ad958fb61096452ffbeb
SHA512ae5a506b162033ab2d8d396321d810289a311a56125ed5c419f7388ac0c1119f8ce82fb57bc7395f97d452b54af7feb6f4df59762613ac5ab95af04281dd9caf
-
Filesize
1.0MB
MD57958e5251e5e6f9c3b7752ff1543e28a
SHA186f6a8439ce6a6b30e6347c5bde7e091e5fad0ac
SHA256b31c3f9d08337314050552a7dfdceaf42bb6d22baee287cde6238a6d965d87cd
SHA512aec50b136792aebbd5aa8e5d316c39b728ff28e411dd54db99a18d5c7b9447f25629c4220800ee8dd8cd2b24a98a11d46f32b45a62bda5135c2ff0a731e032ee
-
Filesize
22KB
MD58703ff2e53c6fd3bc91294ef9204baca
SHA13dbb8f7f5dfe6b235486ab867a2844b1c2143733
SHA2563028a2b0e95143a4caa9bcd6ae794958e7469a20c6e673da067958cbf4310035
SHA512d5eb8a07457a78f9acd0f81d2f58bbf64b52183318b87c353a590cd2a3ac3a6ec9c1452bd52306c7cf99f19b6a897b16ceb8289a7d008c5ce3b07eda9b871204
-
Filesize
468B
MD56783cd663caac190617a42e8fa74edbb
SHA11bb362f57149bc5fa36a88ef4ede5a75ce39d1b8
SHA256378cffb3c4aa568c4e008dd3931385fd7cb880ef8e20218938db5a421701d8a9
SHA51254c86818846d9095d457641b88b03375e1f3d825bab57435b9cbbf84e52ad58d817d8be27cd8f0b34149f34105a8ac99ea3bc2c29d403ae84d34e7c2a2affac5
-
Filesize
9KB
MD5cd1800322ccfc425014a8394b01a4b3d
SHA1171073975effde1c712dfd86309457fd457aed33
SHA2568115de4ad0b7e589852f521eb4260c127f8afeaa3b0021bfc98e4928a4929ac0
SHA51292c22c025fd3a61979fa718bf2e89a86e51bf7e69c421a9534fbf9c2d5b23b7a9224d0e9f3e0501992038837015214d1ef73b532a68b7d19de559c9ab9c6e5f6
-
Filesize
595KB
MD5821511549e2aaf29889c7b812674d59b
SHA13b2fd80f634a3d62277e0508bedca9aae0c5a0d6
SHA256f59cdf89f0f522ce3662e09fa847bca9b277b006c415dcc0029b416c347db9c4
SHA5128b2e805b916e5fbfcccb0f4189372aea006789b3847b51018075187135e9b5db9098f704c1932623f356db0ee327e1539a9bf3729947e92844a26db46555e8cd
-
Filesize
1.0MB
MD5714cf24fc19a20ae0dc701b48ded2cf6
SHA1d904d2fa7639c38ffb6e69f1ef779ca1001b8c18
SHA25609f126e65d90026c3f659ff41b1287671b8cc1aa16240fc75dae91079a6b9712
SHA512d375fd9b509e58c43355263753634368fa711f02a2235f31f7fa420d1ff77504d9a29bb70ae31c87671d50bd75d6b459379a1550907fbe5c37c60da835c60bc1
-
Filesize
139KB
MD54acd14244d2cd76d06939163127cfb10
SHA175f3e3c764f7d20c9950f5410f753f3210bcc2e7
SHA25629b5b65a1cdf119ac7c6c9df76c6843b25a81bd00aa5a5e995ec675e34bf1acb
SHA512001504da15c1825102479ba379b0be7ec15e779626d450d9d763552d7e1ac71f5bb86110f9361363bd401aabc53cdfd2d554480aec8bef85ed8c7b03cebf4031
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
115KB
MD572178bb0f9674f0ce0b6b188d1219266
SHA1ae3c43c7846c0ef977fa90991e1c366e34ab671c
SHA25609cd3c864182b703a1384a15e60424c0ee8c82c3fd19f197c391a0e3ec5bd16e
SHA512d9004c1b8402375c92690525f06ae83198bb929bb18dfc46fda9036a4054ed9c38637438b13ecc2566f98f2a8ac297ec7f0151b63a59c4f7bbc2ab8f7b6d779e
-
Filesize
718KB
MD58736c2a37ff0adf6f03d94bb34d1f784
SHA1e4867b136e100c9d45f6adea593c9a636134f308
SHA256dbe318e7c72f9558f836c920510a5245ae5af29996b62f661399ce3724458ec3
SHA5122bbb22540e6ae0ebdd7c5303f67fb3911025a9f8f68c1c192edf5247a66bff885e292dded093d4522488b9a98f5bb00f24b00374e8eeb219184faacc95818848