2afb5303e191dde688c5626c3ee545e32e52f09da3b35b20f5e0d29a418432f5

Analysis

max time kernel
1069s
max time network
1065s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
20-06-2024 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x64/ProcessHacker.exe
Size

1.6MB
MD5

b365af317ae730a67c936f21432b9c71
SHA1

a0bdfac3ce1880b32ff9b696458327ce352e3b1d
SHA256

bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4
SHA512

cc3359e16c6fe905a9e176a87acf4c4ed5e22c29bfca11949799caf8442e00ec0d1679b3d8754dbc3e313528d3e8e82c0ec1941e2c3530b48229c1cb337f6b8b
SSDEEP

24576:V7eokafnkAwgcU+29fR4PQviXq1pj3EDT5m+m8I:V6efnkdlUF92PGBOT3m8

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	ProcessHacker.exe
File opened (read-only)	\??\F:	ProcessHacker.exe

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	ProcessHacker.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\license.rtf	WINWORD.EXE
File created	C:\Windows\System32\~$icense.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\Control	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\Control	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\Control	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\Control	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	ProcessHacker.exe

Checks processor information in registry 2 TTPs 41 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\Hardware\Description\System\CentralProcessor	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ProcessHacker.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ProcessHacker.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	ProcessHacker.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ProcessHacker.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\Registry\Machine\Hardware\Description\System\CentralProcessor	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ProcessHacker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\TypedURLs	ProcessHacker.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings	ProcessHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 0100000000000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Generic"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1 = 8c00310000000000cb58cbb2110050524f4752417e310000740009000400efbec5525961d4583a012e0000003f0000000000010000000000000000004a0000000000daaf0901500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "9"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\NodeSlot = "8"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell	firefox.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ProcessHacker.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4916	WINWORD.EXE
4916	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
3132	ProcessHacker.exe
1964	OpenWith.exe
3152	ProcessHacker.exe
4116	ProcessHacker.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
676	Process not Found
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeDebugPrivilege	3132	ProcessHacker.exe
Token: SeIncBasePriorityPrivilege	3132	ProcessHacker.exe
Token: 33	3132	ProcessHacker.exe
Token: SeLoadDriverPrivilege	3132	ProcessHacker.exe
Token: SeProfSingleProcessPrivilege	3132	ProcessHacker.exe
Token: SeRestorePrivilege	3132	ProcessHacker.exe
Token: SeShutdownPrivilege	3132	ProcessHacker.exe
Token: SeTakeOwnershipPrivilege	3132	ProcessHacker.exe
Token: SeBackupPrivilege	2812	svchost.exe
Token: SeRestorePrivilege	2812	svchost.exe
Token: SeSecurityPrivilege	2812	svchost.exe
Token: SeTakeOwnershipPrivilege	2812	svchost.exe
Token: 35	2812	svchost.exe
Token: SeDebugPrivilege	3152	ProcessHacker.exe
Token: SeIncBasePriorityPrivilege	3152	ProcessHacker.exe
Token: 33	3152	ProcessHacker.exe
Token: SeLoadDriverPrivilege	3152	ProcessHacker.exe
Token: SeProfSingleProcessPrivilege	3152	ProcessHacker.exe
Token: SeRestorePrivilege	3152	ProcessHacker.exe
Token: SeShutdownPrivilege	3152	ProcessHacker.exe
Token: SeTakeOwnershipPrivilege	3152	ProcessHacker.exe
Token: SeDebugPrivilege	4116	ProcessHacker.exe
Token: SeIncBasePriorityPrivilege	4116	ProcessHacker.exe
Token: 33	4116	ProcessHacker.exe
Token: SeLoadDriverPrivilege	4116	ProcessHacker.exe
Token: SeProfSingleProcessPrivilege	4116	ProcessHacker.exe
Token: SeRestorePrivilege	4116	ProcessHacker.exe
Token: SeShutdownPrivilege	4116	ProcessHacker.exe
Token: SeTakeOwnershipPrivilege	4116	ProcessHacker.exe
Token: SeDebugPrivilege	4828	firefox.exe
Token: SeDebugPrivilege	4828	firefox.exe
Token: SeDebugPrivilege	4828	firefox.exe
Token: SeDebugPrivilege	4828	firefox.exe
Token: SeDebugPrivilege	4828	firefox.exe
Token: SeDebugPrivilege	4828	firefox.exe
Token: SeDebugPrivilege	4828	firefox.exe
Token: SeDebugPrivilege	4828	firefox.exe
Token: SeDebugPrivilege	4828	firefox.exe
Token: SeDebugPrivilege	4828	firefox.exe
Token: SeDebugPrivilege	4828	firefox.exe
Token: SeDebugPrivilege	4828	firefox.exe
Token: SeDebugPrivilege	4828	firefox.exe
Token: SeDebugPrivilege	4828	firefox.exe
Token: SeDebugPrivilege	4828	firefox.exe
Token: SeDebugPrivilege	4828	firefox.exe
Token: SeDebugPrivilege	4828	firefox.exe
Token: SeDebugPrivilege	4828	firefox.exe
Token: SeDebugPrivilege	4828	firefox.exe
Token: SeDebugPrivilege	4828	firefox.exe
Token: SeDebugPrivilege	4828	firefox.exe
Token: SeDebugPrivilege	4828	firefox.exe
Token: SeDebugPrivilege	4828	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe
3132	ProcessHacker.exe

Suspicious use of SetWindowsHookEx 29 IoCs

pid	Process
3132	ProcessHacker.exe
4916	WINWORD.EXE
4916	WINWORD.EXE
4916	WINWORD.EXE
4916	WINWORD.EXE
4916	WINWORD.EXE
4916	WINWORD.EXE
4916	WINWORD.EXE
1964	OpenWith.exe
1964	OpenWith.exe
1964	OpenWith.exe
1964	OpenWith.exe
1964	OpenWith.exe
1964	OpenWith.exe
1964	OpenWith.exe
1964	OpenWith.exe
1964	OpenWith.exe
1964	OpenWith.exe
4828	firefox.exe
4828	firefox.exe
4828	firefox.exe
4828	firefox.exe
4828	firefox.exe
4828	firefox.exe
4828	firefox.exe
4828	firefox.exe
4828	firefox.exe
4828	firefox.exe
4828	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3132 wrote to memory of 2428	3132	ProcessHacker.exe	83
PID 3132 wrote to memory of 2428	3132	ProcessHacker.exe	83
PID 3132 wrote to memory of 1432	3132	ProcessHacker.exe	96
PID 3132 wrote to memory of 1432	3132	ProcessHacker.exe	96
PID 3132 wrote to memory of 3796	3132	ProcessHacker.exe	100
PID 3132 wrote to memory of 3796	3132	ProcessHacker.exe	100
PID 3400 wrote to memory of 4828	3400	firefox.exe	104
PID 3400 wrote to memory of 4828	3400	firefox.exe	104
PID 3400 wrote to memory of 4828	3400	firefox.exe	104
PID 3400 wrote to memory of 4828	3400	firefox.exe	104
PID 3400 wrote to memory of 4828	3400	firefox.exe	104
PID 3400 wrote to memory of 4828	3400	firefox.exe	104
PID 3400 wrote to memory of 4828	3400	firefox.exe	104
PID 3400 wrote to memory of 4828	3400	firefox.exe	104
PID 3400 wrote to memory of 4828	3400	firefox.exe	104
PID 3400 wrote to memory of 4828	3400	firefox.exe	104
PID 3400 wrote to memory of 4828	3400	firefox.exe	104
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 1136	4828	firefox.exe	105
PID 4828 wrote to memory of 2912	4828	firefox.exe	106
PID 4828 wrote to memory of 2912	4828	firefox.exe	106
PID 4828 wrote to memory of 2912	4828	firefox.exe	106
PID 4828 wrote to memory of 2912	4828	firefox.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\x64\ProcessHacker.exe
"C:\Users\Admin\AppData\Local\Temp\x64\ProcessHacker.exe"
1⤵
- Enumerates connected drives
- Checks system information in the registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:2428
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:1432
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3796

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1992

C:\Windows\System32\t4cyprq3wej6q.exe
"C:\Windows\System32\t4cyprq3wej6q.exe"
1⤵
PID:2924

C:\Windows\System32\xoebkc.exe
"C:\Windows\System32\xoebkc.exe"
1⤵
PID:4160

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\System32\license.rtf" /o ""
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1964

C:\Users\Admin\AppData\Local\Temp\x64\ProcessHacker.exe
"C:\Users\Admin\AppData\Local\Temp\x64\ProcessHacker.exe"
1⤵
- Enumerates connected drives
- Checks system information in the registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Users\Admin\AppData\Local\Temp\x64\ProcessHacker.exe
"C:\Users\Admin\AppData\Local\Temp\x64\ProcessHacker.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3400
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.0.608051320\1024767522" -parentBuildID 20230214051806 -prefsHandle 1792 -prefMapHandle 1588 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {41edc11c-c892-4099-93a1-4e3752aa1c64} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 1760 2097862aa58 gpu
    3⤵
    PID:1136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.1.734680773\65108743" -parentBuildID 20230214051806 -prefsHandle 2372 -prefMapHandle 2360 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12a97a5e-9eb6-42c9-bf9d-5dc89fab1d13} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 2384 2096428a258 socket
    3⤵
    PID:2912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.2.777962727\1199640536" -childID 1 -isForBrowser -prefsHandle 2796 -prefMapHandle 3256 -prefsLen 22213 -prefMapSize 235121 -jsInitHandle 1040 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c663432d-7573-4124-90ca-f5fb862db81e} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 3068 2097b41a658 tab
    3⤵
    PID:1976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.3.810732191\963810605" -childID 2 -isForBrowser -prefsHandle 1192 -prefMapHandle 1188 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1040 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aaca172b-3b4e-4070-a8cc-93d40be904b4} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 804 2096427ae58 tab
    3⤵
    PID:1808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.4.1279176175\437713029" -childID 3 -isForBrowser -prefsHandle 5228 -prefMapHandle 5224 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1040 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a794dbe-8d48-475c-8b4d-ca14daa99d10} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 5212 2097fb77a58 tab
    3⤵
    PID:3444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.5.793643931\190829934" -childID 4 -isForBrowser -prefsHandle 5452 -prefMapHandle 5448 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1040 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d140bf4b-f6c6-4614-b079-93c5c16f0b84} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 5460 20980a99f58 tab
    3⤵
    PID:3704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.6.1330426412\1374538364" -childID 5 -isForBrowser -prefsHandle 5636 -prefMapHandle 5632 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1040 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94888405-f1e8-4c04-bf12-947ab93ae4f7} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 5644 20980a9a558 tab
    3⤵
    PID:1224
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.7.1368941864\1320266837" -childID 6 -isForBrowser -prefsHandle 3576 -prefMapHandle 3588 -prefsLen 27774 -prefMapSize 235121 -jsInitHandle 1040 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dfb92ae1-0647-4565-aef2-7bafabe9006e} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 4396 2097edfe558 tab
    3⤵
    PID:4800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.8.339090288\1060969328" -childID 7 -isForBrowser -prefsHandle 5972 -prefMapHandle 5968 -prefsLen 28039 -prefMapSize 235121 -jsInitHandle 1040 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04b1420e-d918-4632-97db-fe36147ef9bb} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 3672 2097dcbe458 tab
    3⤵
    PID:5328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.9.533217706\43563323" -childID 8 -isForBrowser -prefsHandle 7388 -prefMapHandle 7396 -prefsLen 28039 -prefMapSize 235121 -jsInitHandle 1040 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bdb7df9-f0fd-478f-9f34-ab53d35e4bb1} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 7380 20984c58c58 tab
    3⤵
    PID:5900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.10.280540951\1933339905" -childID 9 -isForBrowser -prefsHandle 6596 -prefMapHandle 6584 -prefsLen 28039 -prefMapSize 235121 -jsInitHandle 1040 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ad3a9ac-cc85-4933-9a8d-430a0bae4dae} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 6656 20984c56558 tab
    3⤵
    PID:5908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.11.1282972481\1282143881" -childID 10 -isForBrowser -prefsHandle 4196 -prefMapHandle 4192 -prefsLen 31307 -prefMapSize 235121 -jsInitHandle 1040 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95cda463-06d1-4c02-888a-253ecd1c8e2f} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 4168 2097cd46958 tab
    3⤵
    PID:3336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.12.111695116\959827010" -childID 11 -isForBrowser -prefsHandle 4760 -prefMapHandle 7652 -prefsLen 31307 -prefMapSize 235121 -jsInitHandle 1040 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab46db3e-981f-4b07-b743-39e7e19b69bb} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 4676 20984c57458 tab
    3⤵
    PID:5688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fy0o2joj.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
7e87fc84eb15445ef905407e1cdf7ff0

SHA1
7e7393712dca3f6873f15f11efee639bd42699be

SHA256
236f0003a75df6815dc66f6768619592cc589acca61de1a4b0ce980f49dec1ad

SHA512
23714d9568380e6c7ba72ee81a079f339dc007947f370e1b1403705f44c54ace2dde5f51a135ceba5df1588ed8a33d13c6c1a55fdf260fe5067b400cdd1f79de

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fy0o2joj.default-release\cache2\doomed\22851

Filesize
11KB

MD5
4e24c935b48868f9f463bc49a4a7d920

SHA1
0c1553d27ddeeb4d23196db58c0f89a94c3f995a

SHA256
e4742ab577732bfe60f89459c5a0a1f6be1bdc6728f1d3d00b66b124e126f4f0

SHA512
b5101a82ff339558f999242dba86908a3a0e602ff03ff972a142e31f60dd44128dbe4c0047990fbd1492eac5d0e160db3e5013ba0526b3fb33ed998872c1e595

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fy0o2joj.default-release\cache2\entries\383A97A57B113BD106DE6984E6DBA5F537327263

Filesize
13KB

MD5
b3f24d8ae6361939f8d38537239669e1

SHA1
521d881ad41917c48aee76ca189c4337eb3a429c

SHA256
e10251fa0107ccac4ccf532bbe951e2f078d9aed035e6e0295a62ea4397de028

SHA512
0cab6b5c7a1a0bcf9761896f90dcbae06cfd29d905f4c7d2d1e6a8de7456cbadd7b199da24ab3586ea54324a9054e446efde5c47c95a2a449e87deaf10b7e557

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fy0o2joj.default-release\personality-provider\nb_model_build_attachment_arts_and_entertainment.json

Filesize
67KB

MD5
6c651609d367b10d1b25ef4c5f2b3318

SHA1
0abcc756ea415abda969cd1e854e7e8ebeb6f2d4

SHA256
960065cc44a09bef89206d28048d3c23719d2f5e9b38cfc718ca864c9e0e91e9

SHA512
3e084452eefe14e58faa9ef0d9fda2d21af2c2ab1071ae23cde60527df8df43f701668ca0aa9d86f56630b0ab0ca8367803c968347880d674ad8217fba5d8915

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fy0o2joj.default-release\personality-provider\nb_model_build_attachment_autos_and_vehicles.json

Filesize
44KB

MD5
39b73a66581c5a481a64f4dedf5b4f5c

SHA1
90e4a0883bb3f050dba2fee218450390d46f35e2

SHA256
022f9495f8867fea275ece900cfa7664c68c25073db4748343452dbc0b9eda17

SHA512
cfb697958e020282455ab7fabc6c325447db84ead0100d28b417b6a0e2455c9793fa624c23cb9b92dfea25124f59dcd1d5c1f43bf1703a0ad469106b755a7cdd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fy0o2joj.default-release\personality-provider\nb_model_build_attachment_beauty_and_fitness.json

Filesize
33KB

MD5
0ed0473b23b5a9e7d1116e8d4d5ca567

SHA1
4eb5e948ac28453c4b90607e223f9e7d901301c4

SHA256
eed46e8fe6ff20f89884b4fc68a81e8d521231440301a01bb89beec8ebad296b

SHA512
464508d7992edfa0dfb61b04cfc5909b7daacf094fc81745de4d03214b207224133e48750a710979445ee1a65bb791bf240a2b935aacaf3987e5c67ff2d8ba9c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fy0o2joj.default-release\personality-provider\nb_model_build_attachment_blogging_resources_and_services.json

Filesize
33KB

MD5
c82700fcfcd9b5117176362d25f3e6f6

SHA1
a7ad40b40c7e8e5e11878f4702952a4014c5d22a

SHA256
c9f2a779dba0bc886cc1255816bd776bdc2e8a6a8e0f9380495a92bb66862780

SHA512
d38e65ab55cee8fef538ad96448cd0c6b001563714fc7b37c69a424d0661ec6b7d04892cf4b76b13ddbc7d300c115e87e0134d47c3f38ef51617e5367647b217

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fy0o2joj.default-release\personality-provider\nb_model_build_attachment_books_and_literature.json

Filesize
67KB

MD5
df96946198f092c029fd6880e5e6c6ec

SHA1
9aee90b66b8f9656063f9476ff7b87d2d267dcda

SHA256
df23a5b6f583ec3b4dce2aca8ff53cbdfadfd58c4b7aeb2e397eade5ff75c996

SHA512
43a9fc190f4faadef37e01fa8ad320940553b287ed44a95321997a48312142f110b29c79eed7930477bfb29777a5a9913b42bf22ce6bb3e679dda5af54a125ea

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fy0o2joj.default-release\personality-provider\nb_model_build_attachment_business_and_industrial.json

Filesize
45KB

MD5
a92a0fffc831e6c20431b070a7d16d5a

SHA1
da5bbe65f10e5385cbe09db3630ae636413b4e39

SHA256
8410809ebac544389cf27a10e2cbd687b7a68753aa50a42f235ac3fc7b60ce2c

SHA512
31a8602e1972900268651cd074950d16ad989b1f15ff3ebbd8e21e0311a619eef4d7d15cdb029ea8b22cf3b8759fa95b3067b4faaadcb90456944dbc3c9806a9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fy0o2joj.default-release\personality-provider\nb_model_build_attachment_computers_and_electronics.json

Filesize
45KB

MD5
6ccd943214682ac8c4ec08b7ec6dbcbd

SHA1
18417647f7c76581d79b537a70bf64f614f60fa2

SHA256
ab20b97406b0d9bf4f695e5ec7db4ebad5efb682311e74ca757d45b87ffc106b

SHA512
e57573d6f494df8aa7e8e6a20427a18f6868e19dc853b441b8506998158b23c7a4393b682c83b3513aae5075a21148dd8ca854a11dabcea6a0a0db8f2e6828b8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fy0o2joj.default-release\personality-provider\nb_model_build_attachment_finance.json

Filesize
33KB

MD5
e95c2d2fc654b87e77b0a8a37aaa7fcf

SHA1
b4b00c9554839cab6a50a7ed8cd43d21fdaf35dc

SHA256
384bf5fcc6928200c7ebb1f03f99bf74f6063e78d3cd044374448f879799318e

SHA512
9696998a8d0e3a85982016ff0a22bb8ae1790410f1f6198bb379c0a192579f24c75c25c7648b76b00d25a32ac204178acaccd744ee78846dfc62ebf70bf7b93a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fy0o2joj.default-release\personality-provider\nb_model_build_attachment_food_and_drink.json

Filesize
67KB

MD5
70ba02dedd216430894d29940fc627c2

SHA1
f0c9aa816c6b0e171525a984fd844d3a8cabd505

SHA256
905357002f2eced8bba1be2285a9b83198f60d2f9bb1144b5c119994f2ec6e34

SHA512
3ae60d0bf3c45d28e340d97106790787be2cc80ba579d313b5414084664b86e89879391c99e94b6e33bdc5508ea42a9fd34f48ca9b1e7adfa7b6dd22c783c263

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fy0o2joj.default-release\personality-provider\nb_model_build_attachment_games.json

Filesize
44KB

MD5
4182a69a05463f9c388527a7db4201de

SHA1
5a0044aed787086c0b79ff0f51368d78c36f76bc

SHA256
35e67835a5cf82144765dfb1095ebc84ac27d08812507ad0a2d562bf68e13e85

SHA512
40023c9f89e0357fae26c33a023609de96b2a0b439318ef944d3d5b335b0877509f90505d119154eaa81e1097ecfb5aa44dd8bb595497cdecfc3ee711a1fe1d5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fy0o2joj.default-release\personality-provider\nb_model_build_attachment_health.json

Filesize
33KB

MD5
11711337d2acc6c6a10e2fb79ac90187

SHA1
5583047c473c8045324519a4a432d06643de055d

SHA256
150f21c4f60856ab5e22891939d68d062542537b42a7ce1f8a8cec9300e7c565

SHA512
c2301ed72f623b22f05333c5ecc5ebf55d8a2d9593167cc453a66d8f42c05ff7c11e2709b6298912038a8ea6175f050bbc6d1fc4381f385f7ad7a952ad1e856b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fy0o2joj.default-release\personality-provider\nb_model_build_attachment_hobbies_and_leisure.json

Filesize
67KB

MD5
bb45971231bd3501aba1cd07715e4c95

SHA1
ea5bfd43d60a3d30cda1a31a3a5eb8ea0afa142a

SHA256
47db7797297a2a81d28c551117e27144b58627dbac1b1d52672b630d220f025d

SHA512
74767b1badbd32cacd3f996b8172df9c43656b11fea99f5a51fff38c6c6e2120fae8bdd0dd885234a3f173334054f580164fdf8860c27cbcf5fb29c5bcdc060d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fy0o2joj.default-release\personality-provider\nb_model_build_attachment_home_and_garden.json

Filesize
33KB

MD5
250acc54f92176775d6bdd8412432d9f

SHA1
a6ad9ad7519e5c299d4b4ba458742b1b4d64cb65

SHA256
19edd15ebce419b83469d2ab783c0c1377d72a186d1ff08857a82bca842eea54

SHA512
a52c81062f02c15701f13595f4476f0a07735034fcf177b1a65b001394a816020ee791fed5afae81d51de27630b34a85efa717fe80da733556fdda8739030f49

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fy0o2joj.default-release\personality-provider\nb_model_build_attachment_internet_and_telecom.json

Filesize
67KB

MD5
36689de6804ca5af92224681ee9ea137

SHA1
729d590068e9c891939fc17921930630cd4938dd

SHA256
e646d43505c9c4e53dbaa474ef85d650a3f309ccf153d106f328d9b6aeb66d52

SHA512
1c4f4aa02a65a9bbdf83dc5321c24cbe49f57108881616b993e274f5705f0466be2dd3389055a725b79f3317c98bdf9f8d47f86d62ebd151e4c57cc4dca2487c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fy0o2joj.default-release\personality-provider\nb_model_build_attachment_jobs_and_education.json

Filesize
33KB

MD5
2d69892acde24ad6383082243efa3d37

SHA1
d8edc1c15739e34232012bb255872991edb72bc7

SHA256
29080288b2130a67414ecb296a53ddd9f0a4771035e3c1b2112e0ce656a7481a

SHA512
da391152e1fbce1f03607b486c5dea9a298a438e58e440ebb7b871bd5c62d7339b540eed115b4001b9840de1ba3898c6504872ff9094ba4d6a47455051c3f1c5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fy0o2joj.default-release\personality-provider\nb_model_build_attachment_law_and_government.json

Filesize
68KB

MD5
80c49b0f2d195f702e5707ba632ae188

SHA1
e65161da245318d1f6fdc001e8b97b4fd0bc50e7

SHA256
257ee9a218a1b7f9c1a6c890f38920eb7e731808e3d9b9fc956f8346c29a3e63

SHA512
972e95de7fe330c61cd22111bd3785999d60e7c02140809122d696a1f1f76f2cd0d63d6d92f657cdec24366d66b681e24f2735a8aabb8bcecec43c74e23fb4f5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fy0o2joj.default-release\personality-provider\nb_model_build_attachment_online_communities.json

Filesize
67KB

MD5
37a74ab20e8447abd6ca918b6b39bb04

SHA1
b50986e6bb542f5eca8b805328be51eaa77e6c39

SHA256
11b6084552e2979b5bc0fd6ffdc61e445d49692c0ae8dffedc07792f8062d13f

SHA512
49c6b96655ba0b5d08425af6815f06237089ec06926f49de1f03bc11db9e579bd125f2b6f3eaf434a2ccf10b262c42af9c35ab27683e8e9f984d5b36ec8f59fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fy0o2joj.default-release\personality-provider\nb_model_build_attachment_people_and_society.json

Filesize
45KB

MD5
b1bd26cf5575ebb7ca511a05ea13fbd2

SHA1
e83d7f64b2884ea73357b4a15d25902517e51da8

SHA256
4990a5d17bea15617624c48a0c7c23d16e95f15e2ec9dd1d82ee949567bbaec0

SHA512
edcede39c17b494474859bc1a9bbf18c9f6abd3f46f832086db3bb1337b01d862452d639f89f9470ca302a6fcb84a1686853ebb4b08003cb248615f0834a1e02

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fy0o2joj.default-release\personality-provider\nb_model_build_attachment_pets_and_animals.json

Filesize
44KB

MD5
5b26aca80818dd92509f6a9013c4c662

SHA1
31e322209ba7cc1abd55bbb72a3c15bc2e4a895f

SHA256
dd537bfb1497eb9457c0c8ecbd2846f325e13ddef3988fd293a29e68ab0b2671

SHA512
29038f9f3b9b12259fb42daa93cdefabb9fb32a10f0d20f384a72fe97214eff1864b7fa2674c37224b71309d7d9cea4e36abd24a45a0e65f0c61dc5ca161ec7c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fy0o2joj.default-release\personality-provider\nb_model_build_attachment_real_estate.json

Filesize
67KB

MD5
9899942e9cd28bcb9bf5074800eae2d0

SHA1
15e5071e5ed58001011652befc224aed06ee068f

SHA256
efcf6b2d09e89b8c449ffbcdb5354beaa7178673862ebcdd6593561f2aa7d99a

SHA512
9f7a5fbe6d46c694e8bc9b50e7843e9747ea3229cf4b00b8e95f1a5467bd095d166cbd523b3d9315c62e9603d990b8e56a018ba4a11d30ad607f5281cc42b4cd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fy0o2joj.default-release\personality-provider\nb_model_build_attachment_reference.json

Filesize
56KB

MD5
567eaa19be0963b28b000826e8dd6c77

SHA1
7e4524c36113bbbafee34e38367b919964649583

SHA256
3619daa64036d1f0197cdadf7660e390d4b6e8c1b328ed3b59f828a205a6ea49

SHA512
6766919b06ca209eaed86f99bee20c6dad9cc36520fc84e1c251a668bcfe0afcf720ea6c658268dc3bbaaf602bfdf61eb237c68e08d5252ea6e5d1d2a373b9fe

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fy0o2joj.default-release\personality-provider\nb_model_build_attachment_science.json

Filesize
56KB

MD5
7a8fd079bb1aeb4710a285ec909c62b9

SHA1
8429335e5866c7c21d752a11f57f76399e5634b6

SHA256
9606ce3988b2d2a4921b58ac454f54e53a9ea8f358326522a8b1dcc751b50b32

SHA512
8fc1546e509b5386c9e1088e0e3a1b81f288ef67f1989f3e83888057e23769907a2b184d624a4e4c44fcd5b88d719bd4cca94dfb33798804a721b8be022ec0c6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fy0o2joj.default-release\personality-provider\nb_model_build_attachment_shopping.json

Filesize
67KB

MD5
97d4a0fd003e123df601b5fd205e97f8

SHA1
a802a515d04442b6bde60614e3d515d2983d4c00

SHA256
bfd7e68ddca6696c798412402965a0384df0c8c209931bbadabf88ccb45e3bb6

SHA512
111e8a96bc8e07be2d1480a820fc30797d861a48d80622425af00b009512aacb30a2df9052c53bfbf4ee0800b6e6f5b56daa93d33f30fecb52e2f3850dfa9130

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fy0o2joj.default-release\personality-provider\nb_model_build_attachment_sports.json

Filesize
56KB

MD5
ce4e75385300f9c03fdd52420e0f822f

SHA1
85c34648c253e4c88161d09dd1e25439b763628c

SHA256
44da98b03350e91e852fe59f0fc05d752fc867a5049ab0363da8bb7b7078ad14

SHA512
d119dc4706bbf3b6369fe72553cfacf1c9b2688e0188a7524b56d3e2ac85582a18bbee66d5594e0fb40767432646c23bf3e282090bd9b4c29f989a374aeae61f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fy0o2joj.default-release\personality-provider\nb_model_build_attachment_travel.json

Filesize
67KB

MD5
48139e5ba1c595568f59fe880d6e4e83

SHA1
5e9ea36b9bb109b1ecfc41356cd5c8c9398d4a78

SHA256
4336ac211a822b0a5c3ce5de0d4730665acc351ee1965ea8da1c72477e216dfa

SHA512
57e826f0e1d9b12d11b05d47e2f5ae4f5787537862f26e039918cb14faff4bc854298c0b7de3023e371756a331c0f3ee1aa7cebbbf94ec70cdfc29e00a900ed1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fy0o2joj.default-release\personality-provider\recipe_attachment.json

Filesize
1KB

MD5
be3d0f91b7957bbbf8a20859fd32d417

SHA1
fbc0380fe1928d6d0c8ab8b0a793a2bba0722d10

SHA256
fc07d42847eeaf69dcbf1b9a16eb48b141c11feb67aa40724be2aee83cb621b7

SHA512
8da24afcf587fbd4f945201702168e7cfc12434440200d00f09ddcd1d1d358a5e01065ac2a411fdf96a530e94db3697e3530578b392873cf874476b5e65d774a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fy0o2joj.default-release\thumbnails\17abf5259517d604cc9599a00b7385d6.png

Filesize
4KB

MD5
fb95fac3592c79c3cf7d566422c97a1d

SHA1
b2fdf61a09739b27565653b75bc1bb544cacad27

SHA256
1d97434def66d449c2ae63766b5bd82f6757a8c1379037ed3782ed930624764b

SHA512
5381f4d07f83174a138b56a51596f0e33d26c5bedb20f5fe1d29c9a644d7afdbaa7cfc3df9d11c5745bae7f1750b8b143f0777cbe85b5fe89ded1ec45a953aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
249B

MD5
2c3fa58faa285466753b4ad7dd227894

SHA1
54775458df277de6a3840785d2ab1a5ca9b47d22

SHA256
4e303abae1760431e6501c599e8f3be1a665539bd65a883902d5acd235d93ace

SHA512
21870524296c2f473353d5600474beccc94faf739804137443e4dcb62717df39f0132f5d95382691c47399aa0784e743dd4c8a745a9f29623f6efa9f55a77c34

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
11KB

MD5
92b0ab84668b0010eb62e99fb5af78db

SHA1
5930166e9f557a6fc193458bba0ce52ba5d41fc9

SHA256
cad1ea291f178fa3f1ba3981de7aa5e06764857685904dee33ebe2e39af409dc

SHA512
2fd8d9e93cc1b4c8489c05ac215c86430fb7df16ba8a9fa830c5c0235480c354e9b1896c83acb479967fc1338d0860b17e149bef0a259da02364a2f6b3687bd5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
11KB

MD5
33660eb190cfbc55c137ff94dd970fc0

SHA1
71d040a398a3ccd9b439aa8ab789c393ee824f42

SHA256
72f36275a7978464308ba09458d5a113e4b05eb10cc1b513c1cc52a80e3ed401

SHA512
c6cb628f870fa9bb052955346212bd734c3833e4b756cf11597d4919a435f7e28a95cddea7310e4a35d03abe0365b91117792e3bf1d6155d2aa27efb9d721b84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
7d4b43fab76352858cab2ac127aa6a13

SHA1
34b61d15241d78fab114838b7a5fa6935227e82b

SHA256
a6137274a94d059057893dab734e32c148a5a7cb31ff2d176b32d61dbdabfacf

SHA512
3ea0c35d23165f98d236b5c947d28c9d6450de9bf45e99a5cbe941ba7e44523ad71d7eaf19321b0d436eedaf13fa52a03764ac44e35a7361b6fa4742819b76d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
85c4b9239afa55e666bcede7bf40045a

SHA1
b966e62c48302a71f5f24c76cfdff1594adabe35

SHA256
3f3acc622f4ecc0c1425b4b8d7ff2df3c2fdef706fa8d121fafa999cac840253

SHA512
7c7a49360529cc5830adb50a8af0968922f675056bcb9c9b796ce41d5d049e4e47605619c1c00c681c01e13503eb116fc37cb9eb5a4ab45bb495cbb814e4fb13

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\broadcast-listeners.json

Filesize
216B

MD5
cdde668aae4beb745c9fdb00c23873e7

SHA1
f4c0759ebc95e244fbc5afea5c8bb2dc77ac55c3

SHA256
10f0fa14b8b9376c4667561c445821a6706d7610f1cd7a7a1e6fbecfd152c50e

SHA512
4f0b5390549bc9885006e849b65ffe60d3248fb2493bafec227ae6271aff4c943135b1465387290b086384f7d35b35810ea102439b0113db3c7a62079c0e06cb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\prefs-1.js

Filesize
6KB

MD5
49d0350d4d79bc39d5271efc76c3d838

SHA1
097d07ae325c348837233505a092a0375f7de483

SHA256
00b107544130891b5f86e33cd37d138e38e037a046ffdbf6cd4f857e42115ea5

SHA512
9152d14d659d00017863a3fbc75b06486cc7a489098539c27eef117174c1f0c3edd31a2d0d82eb6a369a4b55c4d941255f40caea84d21647275799b602ea03ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\prefs-1.js

Filesize
10KB

MD5
6e8ff0cbfcfdfdf76726967e3068bedd

SHA1
34c22ccdc5bba7a29e79b0898b7f6d252026e7d1

SHA256
3258a5acf9a79d1dd2df1f279b67c9ad996c2b16a9dd28ba55d3afe323fa5c69

SHA512
b034b081b33105f43ea98b5cd74cc7ade6ec24ac900d67e4060bb885d0f3ed7392a7461f0db611316f937f0f269b363396a177a36172f0b40a12ab3b80c924ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\prefs-1.js

Filesize
7KB

MD5
deb267eb7c9a86825444c47bec776512

SHA1
92083abdc352102c9d15a0ec463a2ce30849235d

SHA256
8ee67d32f4e94c200dd0d5cc0b8d6ece3cca6c30f9a50be6f0de29ae265bf6aa

SHA512
77a96e0fe9f62893e7eb53c5b03815251e20dedbf1d7353ed8d5785fb15d82b93a580df3fd8e60d8620c4a20b2539606a58e1f59335d6fd475ad250a22166d72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\prefs.js

Filesize
6KB

MD5
a6ee2ec2783ff6961c86df86af1c6d99

SHA1
c538f8a0cd2d2866876c5c43ef6a7a4ffbec6fc8

SHA256
6607afde34dd60468ff9a895935f237580cf2f588e3958815819efdaad7ca480

SHA512
02cedd9f585175c096bdfd0f42417cbf328dcf1822cc477333d833bd1e852259906f2563b33938d0c13a550e8e7c61e17acdc6a4b390d90bd7afaf53f0157685

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\prefs.js

Filesize
7KB

MD5
e3c00f879aae4519b478abe16b3e6d84

SHA1
690f38dcedf0547e9ac8639ee6267bca640f93c8

SHA256
8e40021958ee5db7bd5290d7cfe17a3babb24b051cace7d51ae39d7be41226c0

SHA512
cd95cb1bca58e9ed5bd215d8a96e1ba5b6eb7411008a6b977191aded561f4e38dedb4404689c8638115a41e4b1d536cf1acd4817124c55f05875622f2a5ecda1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\prefs.js

Filesize
9KB

MD5
a22b8317c22e12931a8e0cd5e3eaf5f3

SHA1
e639d55cc62256aa1e020c58ad071e1df762a638

SHA256
3dd861affae771058bb525d0fbcb2a0166435285e6ea69ae4f098f6f45ecdb50

SHA512
6113a18cd40b1d3bff4a5ee767c531d8db108e77168db7869fc185bed11d8c15c87cc95fb9c0e280773aa8a9f74fae9e91e519a19b9af281fd0e381094302bc3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\prefs.js

Filesize
10KB

MD5
0a9fa02612e6cd5810248d880bcfbb46

SHA1
60f9ae67543500dbf6a740a0b8ecf1ea31004e08

SHA256
30176e9edfe7dcae2605fe21f1ecd0bd0f1bf447a63d6d9e634416b062e7755d

SHA512
6f0ee15aec465213a10ffef96cea8655bda176c056b5188d2eb7006ffb169dd1252051a7be084fe8f6b94d45bac7d11908f9c482ace256e017212a2a8c9f8a1f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
6db6f22b11d65f41ded9f3041f3a8844

SHA1
fb01c5256ea744a2a14a283ffd1e61bb476c5469

SHA256
5842b20a54e849213d7edf15f61afbfeea672af147520f5f30196870bbdddf61

SHA512
dd7ed8e20a172d3092509ebf4bfe4f67d37749d75b49517828001cee2c1e9c74be9eb20ad3f0801b957e650714b11ff74fc7afecb788e75251789c38921382f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
c155ca6bb1ea94e42e21d2d5a66b4ea0

SHA1
6722bb72f58f7c84ba17ee5e2b22fc0e40547ffa

SHA256
0676438fff6ac126918ac3e25441ab9db61bc7602e595a1956dff1be163964f8

SHA512
c3493d6af4a61b110403e35afc7ee44f223481e9a138fd7d62b471d7be67cb65f7d2169df85bbbbb8083c56905a85bee1946ecbf5184644685c6fcfa9cb9ebdb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
9a2bf2bcf27a2ba7268207bac233cd18

SHA1
65411f4fc38ac53fa45949eb9d5cf97ebacb5297

SHA256
e2783b50fdd2d6e75f1216c4dbdd321410d114461451d7547a649afb81c6a7dc

SHA512
663d7f0e8db9e363f2f088ff8becc5a6804dddbd2be39ffadf47efd9e045eb061778bb8a6ae0bff86b98f76531363d10a8013b3ed05834efe6fd7e465134cf8b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
6027be21d3bfd8a5dafb5aacf0b257b0

SHA1
ac639432b1b6f70ec27842500428cef6e6672163

SHA256
ad95c014ca545140244e93bdcb6c26660c2792193301c42a46ef174e8fc05b88

SHA512
022776426f7628c83d28997e09752a619966f0c5261e6b676a703eead0de0b5f8dee4ed9ec6f5db1193296f9698f773989546b9bf2b7b90e883bf8c2fc7a0402

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
f7024bae58d21999eeaeeabfc7cd1876

SHA1
0d5b99e0260981e23f7f4fb9a7a6abf9da0a8f80

SHA256
07ad00662613a80dd808e42f5fd73db6618e24c913a2083f5100c9a31a65b48b

SHA512
2308929d69631ddb18e69163442a1e0923c26752a46112d28d753cdf3baca5a2632afad0de91b619f6cd79a8ed3feaf9d192306e400f0fe068431c018e4c0eb6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
b65024e13b215d17134d5860a8f602c6

SHA1
33c55709f9b772d9644ce6e68007cb7d1735ee1e

SHA256
2a70fb89fc68ad8dadd2ff645541707fd55570f7b62d509e4193208e2cbcd6f1

SHA512
bb994353bfe8aa68ef4fdfda744415cd4fc2af8cb9d8f88e8ca8b2a75ab9530d33155e0518d783d54e64fbda6a148156bf26721453085122888aeb9f75a0304b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
397b30c2cec51ab7b23aba296a3a882a

SHA1
2a798568e6ec8367f03a23fb63ec42da57f99df7

SHA256
865e6c15a7d4ed37eb359058821350aaedd0fcf1b01f59b9a754837ea3e77483

SHA512
7b6148636e7a7d318a1fffa74d807fdca869298c1f3d4cacdb73f9e6bd81c2cd5ef3e728722f5a91a0f8d01f2a1ce700734ee7803784e03bc88899ad99505087

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
d053d392a41ba304aaa01365addf34ac

SHA1
78e3bbde321a285ddfd73d30aba378aea2eca2d9

SHA256
3ba7d276c3d262c843051a6f043849e15291712cf49add03aea71c9a5322f59c

SHA512
745e33f72e39a6793b1b4d3612749883260e873346d87e87337c9c8640077d1b4ce182031994f868f17e1cc3119d8d5c7d2dd1f6fc084a98abb362a9abc3e587

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
11765d7cf7f596dab09abc82e03c4802

SHA1
c1467f3faa0f90da16318ab702bd18be0a829032

SHA256
ae571915fb3ac16dbdd2536dc43069709e1c2454a787d14312298399cfb6107b

SHA512
275276ffd393e57daa7b38f950199a5ea8f65d92913b752eba920390bbe2bc5901c22be5e7027f831032de90c24da2a4e3e76b5f521fbfdc1ab5762296757c6d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
8240db408193013b93a49cf62ba2055a

SHA1
c71121282c50b3717e994bf5f175cfdd49a48659

SHA256
c6309d18acb18057374acd0be689f1154505559b5a398aff95ce57e4fe06948d

SHA512
817efae13ce71a3c4e0cb0681dabac5ebeb2d05bd1ddb82e5d648cd44476951785dbe60ca175840a5db64a0a091052a70db6603ef5e0a40d2cc14a4f243d86c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\targeting.snapshot.json

Filesize
4KB

MD5
59e8e75a50b835c624dd56fc42dd8864

SHA1
792738eb7f3e0882fb8acf65fc014c84f9b98fa7

SHA256
48b5fd0b13f852ad874dd5b09920f207c246053b8915d61d432526f32ae7fc61

SHA512
26d60c4af7749720364fa62d6b33470660d551c773ab3e4ebf932b6d7d02848e03a42227763352a85a0954e98ef04c50b105496b9491cc33d33939e47a1ee89f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\xulstore.json

Filesize
141B

MD5
b847f28acdec63348ea376efd4278d02

SHA1
da4ae0ce914885ad7fe1f89aef3aa4f324747091

SHA256
7e63f727108182d4afdf0ae5131c9e0692d857b934fe8d93a7d4a8cea58fb834

SHA512
07b89826d35c5b9f056c8556ed5dd0a961f779d1aa7639321b90c56ef65bf6706a653a22f7790543b1482414069d5587c1f1c28215e92a7ffdf0fa4a55537c08

Download Submit
C:\Users\Admin\AppData\Roaming\Process Hacker 2\settings.xml

Filesize
10KB

MD5
39cd0f9e43be8ec2272ccc43ff81fa98

SHA1
c3bc291727150a0186b4b15880884458b3f8af1a

SHA256
1a791f86d5eecc0222de0ae050051fe76794133cef43898834aded6b188019b0

SHA512
eb2275ac90021c30761fe8a6638e40237c0910e4dda831676d6c0c4c191bcd7044f38e69a567070a41f9455120c7f8ccc2142b1d00ac0b49540ec67f5beb6bab

Download Submit
C:\Users\Admin\AppData\Roaming\Process Hacker 2\usernotesdb.xml

Filesize
13B

MD5
b4f3f626702d390956221a950ca9a224

SHA1
21ffdacdf5d6fa922c88a029e3187967723e0029

SHA256
7a6d204eb0e51a9b3bdb6fceb3ca0e397b443170886695f1d981621b45a13739

SHA512
0f7e61d674cd2949f9eaad367927abbf17621b0fab6da25273a5eb6ecbe9640618744a2919f11b7a352facabc2773848416f9d04bea2de02449e6d028c553dfa

Download Submit
memory/4916-54-0x00007FFEF83D0000-0x00007FFEF83E0000-memory.dmp

Filesize
64KB

Download
memory/4916-1-0x00007FFEF83D0000-0x00007FFEF83E0000-memory.dmp

Filesize
64KB

Download
memory/4916-55-0x00007FFEF83D0000-0x00007FFEF83E0000-memory.dmp

Filesize
64KB

Download
memory/4916-56-0x00007FFEF83D0000-0x00007FFEF83E0000-memory.dmp

Filesize
64KB

Download
memory/4916-57-0x00007FFEF83D0000-0x00007FFEF83E0000-memory.dmp

Filesize
64KB

Download
memory/4916-6-0x00007FFEF5CC0000-0x00007FFEF5CD0000-memory.dmp

Filesize
64KB

Download
memory/4916-5-0x00007FFEF5CC0000-0x00007FFEF5CD0000-memory.dmp

Filesize
64KB

Download
memory/4916-0-0x00007FFEF83D0000-0x00007FFEF83E0000-memory.dmp

Filesize
64KB

Download
memory/4916-2-0x00007FFEF83D0000-0x00007FFEF83E0000-memory.dmp

Filesize
64KB

Download
memory/4916-3-0x00007FFEF83D0000-0x00007FFEF83E0000-memory.dmp

Filesize
64KB

Download
memory/4916-4-0x00007FFEF83D0000-0x00007FFEF83E0000-memory.dmp

Filesize
64KB

Download