fe7e9e548c9b9bdeb1a42c8ef43087ea58d4b64d72d0d561ba7c7477521444d1

Analysis

max time kernel
1762s
max time network
1772s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FiveM.exe
Size

5.0MB
MD5

8aa0a7309117d546a9672863016e65f9
SHA1

66ec74e4e5ce2238d6f5b68c9dda80bcda3b6a7e
SHA256

fe7e9e548c9b9bdeb1a42c8ef43087ea58d4b64d72d0d561ba7c7477521444d1
SHA512

dc13a536c005da210499d8dbefa3850cf238b4cf4428e8acadebdaf0ad3bf69e90afa2db0db097c903905614c42314c3c3ba6c5230484a5dc1f82fc9276eec28
SSDEEP

49152:7OjPW6H/UikolCdofyUS6cR7OPQksBH2BAl1mmReL9odoKklkEuFsO5f5B1w2jkC:yckvcR3fj3F7njSBwkChUNniNdh7

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133631261954859516"	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4124900551-4068476067-3491212533-1000\{ABCA7D63-15B7-4707-9542-6AC65FDB2D03}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4644	chrome.exe
4644	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeDebugPrivilege	3228	firefox.exe
Token: SeDebugPrivilege	3228	firefox.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeDebugPrivilege	6072	firefox.exe
Token: SeDebugPrivilege	6072	firefox.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
3228	firefox.exe
3228	firefox.exe
3228	firefox.exe
3228	firefox.exe
4644	chrome.exe
6072	firefox.exe
6072	firefox.exe
6072	firefox.exe
6072	firefox.exe
6072	firefox.exe

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
3228	firefox.exe
3228	firefox.exe
3228	firefox.exe
6072	firefox.exe
6072	firefox.exe
6072	firefox.exe
6072	firefox.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3228	firefox.exe
5880	OpenWith.exe
6072	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 2188	4644	chrome.exe	89
PID 4644 wrote to memory of 2188	4644	chrome.exe	89
PID 4644 wrote to memory of 1416	4644	chrome.exe	90
PID 4644 wrote to memory of 1416	4644	chrome.exe	90
PID 4644 wrote to memory of 1416	4644	chrome.exe	90
PID 4644 wrote to memory of 1416	4644	chrome.exe	90
PID 4644 wrote to memory of 1416	4644	chrome.exe	90
PID 4644 wrote to memory of 1416	4644	chrome.exe	90
PID 4644 wrote to memory of 1416	4644	chrome.exe	90
PID 4644 wrote to memory of 1416	4644	chrome.exe	90
PID 4644 wrote to memory of 1416	4644	chrome.exe	90
PID 4644 wrote to memory of 1416	4644	chrome.exe	90
PID 4644 wrote to memory of 1416	4644	chrome.exe	90
PID 4644 wrote to memory of 1416	4644	chrome.exe	90
PID 4644 wrote to memory of 1416	4644	chrome.exe	90
PID 4644 wrote to memory of 1416	4644	chrome.exe	90
PID 4644 wrote to memory of 1416	4644	chrome.exe	90
PID 4644 wrote to memory of 1416	4644	chrome.exe	90
PID 4644 wrote to memory of 1416	4644	chrome.exe	90
PID 4644 wrote to memory of 1416	4644	chrome.exe	90
PID 4644 wrote to memory of 1416	4644	chrome.exe	90
PID 4644 wrote to memory of 1416	4644	chrome.exe	90
PID 4644 wrote to memory of 1416	4644	chrome.exe	90
PID 4644 wrote to memory of 1416	4644	chrome.exe	90
PID 4644 wrote to memory of 1416	4644	chrome.exe	90
PID 4644 wrote to memory of 1416	4644	chrome.exe	90
PID 4644 wrote to memory of 1416	4644	chrome.exe	90
PID 4644 wrote to memory of 1416	4644	chrome.exe	90
PID 4644 wrote to memory of 1416	4644	chrome.exe	90
PID 4644 wrote to memory of 1416	4644	chrome.exe	90
PID 4644 wrote to memory of 1416	4644	chrome.exe	90
PID 4644 wrote to memory of 1416	4644	chrome.exe	90
PID 4644 wrote to memory of 1416	4644	chrome.exe	90
PID 4644 wrote to memory of 3936	4644	chrome.exe	91
PID 4644 wrote to memory of 3936	4644	chrome.exe	91
PID 4644 wrote to memory of 1920	4644	chrome.exe	92
PID 4644 wrote to memory of 1920	4644	chrome.exe	92
PID 4644 wrote to memory of 1920	4644	chrome.exe	92
PID 4644 wrote to memory of 1920	4644	chrome.exe	92
PID 4644 wrote to memory of 1920	4644	chrome.exe	92
PID 4644 wrote to memory of 1920	4644	chrome.exe	92
PID 4644 wrote to memory of 1920	4644	chrome.exe	92
PID 4644 wrote to memory of 1920	4644	chrome.exe	92
PID 4644 wrote to memory of 1920	4644	chrome.exe	92
PID 4644 wrote to memory of 1920	4644	chrome.exe	92
PID 4644 wrote to memory of 1920	4644	chrome.exe	92
PID 4644 wrote to memory of 1920	4644	chrome.exe	92
PID 4644 wrote to memory of 1920	4644	chrome.exe	92
PID 4644 wrote to memory of 1920	4644	chrome.exe	92
PID 4644 wrote to memory of 1920	4644	chrome.exe	92
PID 4644 wrote to memory of 1920	4644	chrome.exe	92
PID 4644 wrote to memory of 1920	4644	chrome.exe	92
PID 4644 wrote to memory of 1920	4644	chrome.exe	92
PID 4644 wrote to memory of 1920	4644	chrome.exe	92
PID 4644 wrote to memory of 1920	4644	chrome.exe	92
PID 4644 wrote to memory of 1920	4644	chrome.exe	92
PID 4644 wrote to memory of 1920	4644	chrome.exe	92
PID 4644 wrote to memory of 1920	4644	chrome.exe	92
PID 4644 wrote to memory of 1920	4644	chrome.exe	92
PID 4644 wrote to memory of 1920	4644	chrome.exe	92
PID 4644 wrote to memory of 1920	4644	chrome.exe	92
PID 4644 wrote to memory of 1920	4644	chrome.exe	92
PID 4644 wrote to memory of 1920	4644	chrome.exe	92
PID 4644 wrote to memory of 1920	4644	chrome.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FiveM.exe
"C:\Users\Admin\AppData\Local\Temp\FiveM.exe"
1⤵
PID:3424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff80ffeab58,0x7ff80ffeab68,0x7ff80ffeab78
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=1968,i,7108748383858795643,6995399808678002471,131072 /prefetch:2
  2⤵
  PID:1416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1928 --field-trial-handle=1968,i,7108748383858795643,6995399808678002471,131072 /prefetch:8
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2012 --field-trial-handle=1968,i,7108748383858795643,6995399808678002471,131072 /prefetch:8
  2⤵
  PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1968,i,7108748383858795643,6995399808678002471,131072 /prefetch:1
  2⤵
  PID:1124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1968,i,7108748383858795643,6995399808678002471,131072 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3596 --field-trial-handle=1968,i,7108748383858795643,6995399808678002471,131072 /prefetch:1
  2⤵
  PID:456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4812 --field-trial-handle=1968,i,7108748383858795643,6995399808678002471,131072 /prefetch:1
  2⤵
  PID:5152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4984 --field-trial-handle=1968,i,7108748383858795643,6995399808678002471,131072 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3332 --field-trial-handle=1968,i,7108748383858795643,6995399808678002471,131072 /prefetch:1
  2⤵
  PID:5504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4216 --field-trial-handle=1968,i,7108748383858795643,6995399808678002471,131072 /prefetch:8
  2⤵
  PID:5520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4460 --field-trial-handle=1968,i,7108748383858795643,6995399808678002471,131072 /prefetch:8
  2⤵
  PID:4128

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4692

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2088
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3228.0.1952236984\1161378965" -parentBuildID 20230214051806 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7eaf276-7766-469b-adf0-e06ed1c72830} 3228 "\\.\pipe\gecko-crash-server-pipe.3228" 1848 28c8310dc58 gpu
    3⤵
    PID:1168
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3228.1.116263567\1766763614" -parentBuildID 20230214051806 -prefsHandle 2448 -prefMapHandle 2444 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d45a96c-fb3a-43b4-80f5-2a6fbbbbea53} 3228 "\\.\pipe\gecko-crash-server-pipe.3228" 2468 28c83668558 socket
    3⤵
    - Checks processor information in registry
    PID:3604
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3228.2.707010874\2024267897" -childID 1 -isForBrowser -prefsHandle 2984 -prefMapHandle 2980 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1212 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ec5edd4-0e45-4c19-8ffe-4b760274fa07} 3228 "\\.\pipe\gecko-crash-server-pipe.3228" 2996 28c86008b58 tab
    3⤵
    PID:3204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3228.3.1594073460\904312599" -childID 2 -isForBrowser -prefsHandle 4236 -prefMapHandle 4232 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1212 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {30afd7fd-c34c-4620-a5cb-7b677ce492a3} 3228 "\\.\pipe\gecko-crash-server-pipe.3228" 4240 28c884f0e58 tab
    3⤵
    PID:3180
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3228.4.436882705\1189081923" -childID 3 -isForBrowser -prefsHandle 4952 -prefMapHandle 4948 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1212 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e1e1746-77a6-42a6-a7cc-0dae4784be5b} 3228 "\\.\pipe\gecko-crash-server-pipe.3228" 5016 28c89f4fa58 tab
    3⤵
    PID:2628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3228.5.1535721867\1291031726" -childID 4 -isForBrowser -prefsHandle 5160 -prefMapHandle 5164 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1212 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa999a1d-8a4a-463d-834c-a29d87cb006e} 3228 "\\.\pipe\gecko-crash-server-pipe.3228" 5152 28c89f50358 tab
    3⤵
    PID:2296
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3228.6.2069556160\639741737" -childID 5 -isForBrowser -prefsHandle 5360 -prefMapHandle 5368 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1212 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7d64fe4-1abc-4fda-bf18-0d95dbdd75f2} 3228 "\\.\pipe\gecko-crash-server-pipe.3228" 5352 28c89f51858 tab
    3⤵
    PID:316
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3228.7.55184403\111790547" -childID 6 -isForBrowser -prefsHandle 5836 -prefMapHandle 5832 -prefsLen 27771 -prefMapSize 235121 -jsInitHandle 1212 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e76f17e0-d379-4d07-97cc-c3f985f4f112} 3228 "\\.\pipe\gecko-crash-server-pipe.3228" 5848 28ceee76858 tab
    3⤵
    PID:5600

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
PID:5848

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:5944

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3424
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:6072
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6072.0.574459846\2004835681" -parentBuildID 20230214051806 -prefsHandle 1752 -prefMapHandle 1744 -prefsLen 22244 -prefMapSize 235208 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7d9e036-96ae-4b32-8038-c84c9f203738} 6072 "\\.\pipe\gecko-crash-server-pipe.6072" 1844 1ce8fb2f558 gpu
    3⤵
    PID:3080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6072.1.1608605006\1734371523" -parentBuildID 20230214051806 -prefsHandle 2300 -prefMapHandle 2296 -prefsLen 22244 -prefMapSize 235208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {193935d8-179c-482d-a9e1-3c62c6143ef1} 6072 "\\.\pipe\gecko-crash-server-pipe.6072" 2324 1ce8318a558 socket
    3⤵
    - Checks processor information in registry
    PID:1324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6072.2.326764487\1390436071" -childID 1 -isForBrowser -prefsHandle 3060 -prefMapHandle 3068 -prefsLen 22640 -prefMapSize 235208 -jsInitHandle 1404 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b0a650f-688b-49ce-9ad6-d5ddccd6580d} 6072 "\\.\pipe\gecko-crash-server-pipe.6072" 3084 1ce93812958 tab
    3⤵
    PID:2540
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6072.3.1852267592\1248196948" -childID 2 -isForBrowser -prefsHandle 3676 -prefMapHandle 3672 -prefsLen 28014 -prefMapSize 235208 -jsInitHandle 1404 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb89f0d7-bbaa-43d5-8cf5-84cc5ed9c9ef} 6072 "\\.\pipe\gecko-crash-server-pipe.6072" 3688 1ce94d97258 tab
    3⤵
    PID:1788
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6072.4.339321010\470055006" -childID 3 -isForBrowser -prefsHandle 4972 -prefMapHandle 4968 -prefsLen 28014 -prefMapSize 235208 -jsInitHandle 1404 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d098d7cd-afd7-41d1-be23-167fde3a99c3} 6072 "\\.\pipe\gecko-crash-server-pipe.6072" 4900 1ce83182258 tab
    3⤵
    PID:1852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6072.5.1390262204\1530914044" -childID 4 -isForBrowser -prefsHandle 5116 -prefMapHandle 4988 -prefsLen 28014 -prefMapSize 235208 -jsInitHandle 1404 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {415b6f68-d3b5-4c44-852e-55e989fc41af} 6072 "\\.\pipe\gecko-crash-server-pipe.6072" 5104 1ce96c61858 tab
    3⤵
    PID:1028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6072.6.333938461\788392806" -childID 5 -isForBrowser -prefsHandle 5304 -prefMapHandle 5312 -prefsLen 28014 -prefMapSize 235208 -jsInitHandle 1404 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2b20095-562b-4f02-94ca-4096619a9d2a} 6072 "\\.\pipe\gecko-crash-server-pipe.6072" 5296 1ce96c61258 tab
    3⤵
    PID:5524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
811B

MD5
f82d9f02cca5b4d0b983ed66514c5b5a

SHA1
8e76899847622ad00117fd286c5e23e961635883

SHA256
8130d95f171b79f079a8b4ae96e26aa924652e3e9d72782c219da3c40252bcb5

SHA512
7023184b457a4d89d2677643dd2f327724a8321593123b16c6d66166fabc1ee126b2dcbb73542622d24476dfbe032aa958b3736f26d43353b19ddbe9475d968d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
bf7e93f1648a23c2fd148fe36f771d48

SHA1
cd48110fee7e46bcb0a187c214e0667927b7d0df

SHA256
6ad0a714e481091ba5227315803047377330717ebd2e432777157cabadcd417f

SHA512
a3eeaea3311f2cc0e960874e9d0741ec577b675b7831ede0f3489851f64f3ae195787feb35d46807e468529ed0716fb606da0fb949dfd746c39b5388b5fb99a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e950276c27aa03e363e07122eddbe80e

SHA1
733de1aa34fabbb6d80b5094aa2f4b49f55b06ea

SHA256
e29b73e5b65df80d5a0ec057aae05b1d4ee6a5973b4e277f2ce8786edeb447dd

SHA512
bf67c0eaab94b9069c66316f3bcb333e14b5a07b4c14585a36c86d98c804edb55c773a1591c265c26eab5d1cc153b9cce24c24795e2ce2cfd4d79feaf8f39206

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
ee553f155be0cf95485b5164f123a500

SHA1
cf487e3afdf35cca1e885ebe36fbd5f977c238df

SHA256
943c5142a0e972a256fa589945d14c2cd32b93df6c61f6df7c707caed9fa6914

SHA512
6a688d053b47810405f5ae047b8c9d9d0a334d35800aa7319ffb94769912a9aa4e775caf2f6c4d79ff365785566d0edfcdaa73658875183093a09f0af88b938d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
b8b7c861cd81f6fec9d1b4872b3bfebe

SHA1
3288ce6263ee44ed179c610f9ee2e1dc5873a337

SHA256
380472e278577e3e77204e41e2393475b74b581466ddbd722662bc9ac85750fe

SHA512
4937606494f0981058cb91a8132a73928d87415936ae10384a5e970b17981f029ee68a7cb2536471b9fa714a1bd494e915c795934335a224fc45502fd059edcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
5f0c853045ad9882216f2b8cb395b940

SHA1
3ec65d4267b96c96201d46f0711996a8b32be989

SHA256
b816dc49449148af1246b046aa524dc1e247a93c727495ce134de13ec3fe66d6

SHA512
05b88ca0ce0ad2271c083f361459b9ef5c47b8f7ae83c591f6282d58a9682fddd413d03c300ef8f7a626276782a122e2189a3e60a635f36d073ba022adadea47

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
3aed7e5b6703e6356c6d063364885705

SHA1
ac17f2118a5e904d66a4d4223e8ba62b6ef9f0bf

SHA256
7ba2fe7f1e4fdf238d8e68277b01ebcd9b04f89896605f70425c71db03b3c617

SHA512
b595686304493be2374514085d3bdd6b5216c852d7a490ff28e2f00295352aa288ddc6dbf4879c4eeeb0c0734468366c5f8470a4d23394e48b63697a019539e4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\cache2\entries\099EB2BF8827A4F91EAB3E38B14650D0205226F2

Filesize
16KB

MD5
a270d076e9546cce34d82e07d4a7bb3d

SHA1
3fd235aa1a6b13446e4aa0b3543cdbfdb5dd02a1

SHA256
5854ed2b91a653973db3dd9984cb0ac1b5d569ff379b86ff1744da9efaffa99d

SHA512
eb738a1c8192d9237905067aa1629f81f4ba8109ac3b0e63517c2dec0df1bb6b25409adc93895249fc722e7b48ad8feb672f387b06316632f9808823190231d1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495

Filesize
9KB

MD5
5a3a8de7a55e6ff272ef9aaa195b4a1d

SHA1
2bc1fee6a7ea9d903c7cccdc56dc021f7998085e

SHA256
254b4f04fc438b5df33948408e0fad6f337ea10f36b89a48c6b2549f702b58ea

SHA512
550144096cc7fa2ef2a14e21bd596b6a0d0c599356057918db0c9a4fe310675bb71ccf8e6cb1dd8109bd3deb53095c082e1a4625f93ab0e9292b9fd093644b65

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
11KB

MD5
0cafb604d109d6c6ff3d044168146055

SHA1
39097dc832936c749b126a33e14d78720792d257

SHA256
750e491a93e7cf77080eae8e8f62922c6aecdc6dedcfd35919b696ecf4b59b74

SHA512
10af83b84aefbc8a3d0b59ca69e50121178b1392e2d82af157b4da35f03d35f2a7b1e9a71c151f4e68f46f2bc8958029d8416b54af919ba3aa0c6e94f0092c3c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\cache2\entries\CC9AFF3BE02AD27708D587AE49B3DC68644172BA

Filesize
13KB

MD5
85af387c11e67a8a21b096caa9c424aa

SHA1
cb89b3ce122170dd9a42bf6514c7cfbfbca943df

SHA256
502551b36e94ef23651d3e968203e54207c40d221cbc1619faf17e3d681daa63

SHA512
507b317c4fb791312314bcea1421f31aef58e541005fd1d4cc888342175c2f95d1df74aa8f30f9471a17e8e9dac067395ef8f18c0a224209cfd14458b5911b0e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\startupCache\urlCache.bin

Filesize
2KB

MD5
99204efbe36447464930032ca87bf45a

SHA1
628b3fbd0c4729476a9a2a0bb8e18c409a56b0ff

SHA256
830b00c199de5224c87e166362a36eb599ac9f9e3cf531367a70ca9a68df2350

SHA512
dc02a838bff037bf6168882a93c06e94b89eee77821cba824a088d4d6be5ba169409f1539705746211e49afe9849408bba3eb8e384c394fb38f50c6a1c6565a8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\AlternateServices.txt

Filesize
317B

MD5
879d6768aabc431b3deaf98a7526efd8

SHA1
fb4cf0780f17c4f85f8bb055038946794e619f3b

SHA256
a7b3d50f048cd17c6a4ba179e6af99d636c966234e94430c1a8295b332e0bd89

SHA512
60b3067efe87bfd01252b0dbb2a2e72f63f88d09f969d97e70293c3ed879018da8a24f42bf3e771d7212a629ce9055586428bbbb6074f4a61c7a722cef7ce54a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\datareporting\glean\db\data.safe.bin

Filesize
182B

MD5
7d3d11283370585b060d50a12715851a

SHA1
3a05d9b7daa2d377d95e7a5f3e8e7a8f705938e3

SHA256
86bff840e1bec67b7c91f97f4d37e3a638c5fdc7b56aae210b01745f292347b9

SHA512
a185a956e7105ad5a903d5d0e780df9421cf7b84ef1f83f7e9f3ab81bf683b440f23e55df4bbd52d60e89af467b5fc949bf1faa7810c523b98c7c2361fde010e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs-1.js

Filesize
7KB

MD5
70ec65bc44d91f5acf2597464d896c8f

SHA1
0843ad12a64b082f2308377160e76a3dccf76cbe

SHA256
7bea30a4bc07269be719416988d0f91b830f5b666498bd0706e1d436f8006537

SHA512
ca621acbeab79776a79a52823a99ed3fe23ee969914f9bf2c1bc001683b36b8991fb419c8e667f02d620f875646452bcf6cd03098c3d45f1509b671e0190a0ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs-1.js

Filesize
7KB

MD5
f2d2fa64de173110268ddaf4828becf3

SHA1
9d2b4ff718654b42e2f4649fc4e017143b1db592

SHA256
5754e66623d6bfd981774d1642ea7eb7a1793da7f6d93c92937a9f2cbd863963

SHA512
096272f27e078f3d2ea6afb2f2b877edbb45fd651c55d4a40215777199e945563b8d55a7cf258faf99733909e316af3ffa23cdf8943fd829c996d68603f3edf7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs.js

Filesize
7KB

MD5
943d711269f46ce90e6b6ab1f9ad1e45

SHA1
24bdd506b748b4eb0c5f3074796c40c10165a854

SHA256
4cfbdde6258937e15cc7e0e983edb6545dd17782b8e8cc101dfe40b15eb5edf2

SHA512
dc8f43e9b240db4d24578e58b10b8a1a42ef228714b5cd9b07ebc10616da0ead7ebb8c4d1ae7a72abef49f46e753f9c824dbac879d94073f103d6a2d32a9d44a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\protections.sqlite

Filesize
64KB

MD5
49397db0486dc59d607907a086f40c9b

SHA1
08742ce9db9569062def08e99eea8470702feb7d

SHA256
890033ea279f13478e655150a823a5f84176d2f8f2ec3724dc61dfec775707c4

SHA512
fc8dad1ae2215cd96c41bb3e683670bb9138467677da46c19d1e58972775842a995b70123c22ea1efb659d043f5116d0c9dca422035a6646b35f81033c9f5f53

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionCheckpoints.json

Filesize
146B

MD5
65690c43c42921410ec8043e34f09079

SHA1
362add4dbd0c978ae222a354a4e8d35563da14b4

SHA256
7343d5a46e2fca762305a4f85c45484a49c1607ede8e8c4bd12bedd2327edb8d

SHA512
c0208d51cf1586e75f22764b82c48ecbb42c1ff54aa412a85af13d686e0119b4e49e98450d25c70e3792d3b9c2cda0c5ab0c6931ebaf548693bb970a35ae62b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionCheckpoints.json

Filesize
288B

MD5
948a7403e323297c6bb8a5c791b42866

SHA1
88a555717e8a4a33eccfb7d47a2a4aa31038f9c0

SHA256
2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e

SHA512
17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionCheckpoints.json.tmp

Filesize
122B

MD5
99601438ae1349b653fcd00278943f90

SHA1
8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9

SHA256
72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a

SHA512
ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionCheckpoints.json.tmp

Filesize
193B

MD5
2ad4fe43dc84c6adbdfd90aaba12703f

SHA1
28a6c7eff625a2da72b932aa00a63c31234f0e7f

SHA256
ecb4133a183cb6c533a1c4ded26b663e2232af77db1a379f9bd68840127c7933

SHA512
2ee947dcf3eb05258c7a8c45cb60082a697dbe6d683152fe7117d20f7d3eb2beaaf5656154b379193cdc763d7f2f3b114cf61b4dd0f8a65326e662165ccf89cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionCheckpoints.json.tmp

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
e8fbfb8e1ac6a53249900f02917f42a2

SHA1
33e57ae8dcb4e8be7d29ff6b7bb6e604bc7693ae

SHA256
eea7f707cf0d7ca04a26dba37222edc2cf110e24295ae5affb52d3e50c6fea09

SHA512
b3f91247422e7e20526fff78edb0d871c166eb534c7ec07ad538b2576cc73d54cac79cf60adda1e21f3085c5b3d7f7135fd92f982c3ac33fc25dde717dd90102

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
11b4390791a31cc5ded708b0a749aa2b

SHA1
5c8f132298a07ee36756e6a78c1478fc0941b189

SHA256
a50edf83ca9d6c81cec4314ebb0282bef12646924816a24fd121ceadc6703ccb

SHA512
5aed75dd63365d2e6dabd6155fce49c096d8de39d6d907953a33167ed6280ee4ca997e9e2d279941a2d88807817cf0a3d47ae5ed0348fc5364c780c7b58f8d22

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore.jsonlz4

Filesize
1KB

MD5
c5b03ebc9085d540ce346c464cb74942

SHA1
468f9297150c70eeb10af599b7094f6a6fda47dd

SHA256
1f20fb89494bd743c6448e4ede685b14390f1dea9bfce68f26179af47efd4341

SHA512
1b2e2e24ea20680ff3d55f29d57878119ddc241abf3553097ad4beec13f416f51c377701ebb6915a84565c4fb36f8d4c5ac388722ae8160933bbf610f4642bdb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore.jsonlz4

Filesize
902B

MD5
2bdb36702bcd4f6ce803569595d9b5a6

SHA1
972a8ce759a3e752ead8386bfae61811803e15fe

SHA256
47e3cbe94d3c7cb24c4b86fcbafb2d9a5da6d744ac7d4a3b17b9623ffde34063

SHA512
a0552a5e476cd8e17e9d3315fd3a97b1defcb24b816fc5be6717248a22116badaf13a18c2810e0d91fcdcc324c495f13d35d6a678f7fa72c5c6920892c5051e4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\storage.sqlite

Filesize
4KB

MD5
db858fef453c04c336a6d40f9142908d

SHA1
090da158263e1afbfb6f4d7a9d6f719474f1c98e

SHA256
8895a1f1f40a15028eb2d9ddad037d745535b8fd54c9817a7d60b4c2a313863b

SHA512
6eb1c62a1aea8c21687655709fcd966a0f75af046a020620f8c9705d6e3575f93d8e2f8d674265e7fb261df3a77a5a6498932639926894f95d5151a1141c89bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite

Filesize
48KB

MD5
b10151f2fb4ca9f5880c3af32b9466f4

SHA1
84ebd40b5dc02e4954c9d9f90a11304bc406b49c

SHA256
a5ce0713f21a95ca1aeec06cedacfdb2aade1e2a839a31a7e90611eab1ff61c2

SHA512
cbf8e5ad01de8315bbf8bed297cdb13165f8267c1b0c49fa16bc000d73404e322474efabf73701a27a726e47c4884df4e6c43cf206d5ae8bc07c36e784a5c97e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
192KB

MD5
6a2f2dffb9e65e1b265878b9e8dc044d

SHA1
50771197e2d72a56cf37881efcf2118763462ad6

SHA256
bf9092bb963ee7b93317881fd3bbe3471aba96ec3a891659c350c966532a7163

SHA512
0de7282d4c61afe658b4ed1e8be38c69305c352409db6802620872f7a4ab3fcf51bd89ef752afef488aa7e7bbde94369cb0b2e46ee127c205d468be6e0f38ca4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\xulstore.json

Filesize
217B

MD5
5634755baffe7f3f75ecb7c8a6db95ef

SHA1
63d05637d653601eb8226feb546d71db6101ca7f

SHA256
4b126708b48df355ce6a537b048242d379babb14d4fc0957eaba593c61c1cec9

SHA512
8954296e17bf7fad70ae13244c8e1d036717ff83f5496f4deace89931f99728cfce42f64072aafaad5f1e032719d14f11659df4f5a1e7d583bbec4be84f3c723

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit