hxxp://ohsoft[.]net/update/ohupdate[.]php?program=b2NhbV9lbg%3D%3D&q=QTRCNEI5ODMwOTkyMUQ0RUIxREFCQzMwNzY1M0M0ODQ%3D&hkey=NWQ0ODVmNjVlNDRiMWQwYjZiNWI0YTEwMDliNzcwMzI%3D&v=TlZJRElBK0dlRm9yY2UrUlRYKzIwNjArU1VQRVI%3D&o=TWljcm9zb2Z0K1dpbmRvd3MrMTArUHJvJTdDNjQlN0MxMDUx&ver=MjAyMzEyMTUwMQ%3D%3D

Analysis

max time kernel
142s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240704-en
resource tags

arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
submitted
09/07/2024, 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://ohsoft.net/update/ohupdate.php?program=b2NhbV9lbg%3D%3D&q=QTRCNEI5ODMwOTkyMUQ0RUIxREFCQzMwNzY1M0M0ODQ%3D&hkey=NWQ0ODVmNjVlNDRiMWQwYjZiNWI0YTEwMDliNzcwMzI%3D&v=TlZJRElBK0dlRm9yY2UrUlRYKzIwNjArU1VQRVI%3D&o=TWljcm9zb2Z0K1dpbmRvd3MrMTArUHJvJTdDNjQlN0MxMDUx&ver=MjAyMzEyMTUwMQ%3D%3D

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
6092	oCam_v515.0_sign.exe
3048	oCam_v515.0_sign.tmp
5368	oCamTask.exe
1384	oCamTask.exe
2616	oCam.exe

Loads dropped DLL 14 IoCs

pid	Process
2616	oCam.exe
2616	oCam.exe
2616	oCam.exe
2616	oCam.exe
2616	oCam.exe
2616	oCam.exe
2616	oCam.exe
2616	oCam.exe
2616	oCam.exe
2616	oCam.exe
2616	oCam.exe
2616	oCam.exe
2616	oCam.exe
2616	oCam.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
85	raw.githubusercontent.com
7	raw.githubusercontent.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\oCam\v515.0x64\is-R02IU.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\language\is-DCF4L.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\language\is-B5C3K.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\language\is-25S29.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\language\is-OGEUE.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\language\is-PGJL2.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\v515.0x64\is-E4UVB.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\language\is-JCM4Q.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\language\is-S54LJ.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\v515.0x86\is-3PSFO.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\v515.0x64\is-G7ABF.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\language\is-BKR14.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\language\is-R7BIB.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\language\is-RGC1K.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\unins000.dat	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\v515.0x86\is-VNVET.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\v515.0x64\is-OR2QK.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\v515.0x64\is-A8H8K.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\is-HMBIN.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\is-T4JCA.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\v515.0x86\is-O0MKA.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\v515.0x64\is-IUH4G.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\language\is-7S5OU.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\language\is-HQQDM.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\language\is-R7QEI.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\language\is-FMH1K.tmp	oCam_v515.0_sign.tmp
File opened for modification	C:\Program Files (x86)\oCam\unins000.dat	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\v515.0x86\is-BU3UH.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\v515.0x86\is-6B4NV.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\v515.0x86\is-U4ATB.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\v515.0x64\is-32VAG.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\language\is-K761B.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\language\is-7LJVO.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\language\is-N5JGP.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\v515.0x86\is-RKLTT.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\v515.0x86\is-FR6F1.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\v515.0x86\is-K3KQS.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\language\is-4TCL2.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\language\is-FPLIE.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\language\is-S5MBE.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\language\is-G7VEV.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\language\is-NJ7IJ.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\v515.0x64\is-178DU.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\language\is-G3DFR.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\is-95DSI.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\language\is-D4DKK.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\v515.0x86\is-8Q124.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\v515.0x64\is-U4PFO.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\language\is-8LIDQ.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\language\is-ORRDK.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\is-853CF.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\v515.0x86\is-ESVCJ.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\v515.0x86\is-SBE2N.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\v515.0x64\is-SVFM2.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\LibSSL\is-8OPUS.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\language\is-I6VSI.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\v515.0x86\is-U5SFG.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\language\is-NUI51.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\language\is-8UONJ.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\is-CUHPN.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\v515.0x64\is-25U8U.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\v515.0x64\is-S8BJ8.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\is-85AFC.tmp	oCam_v515.0_sign.tmp
File created	C:\Program Files (x86)\oCam\is-EC5AA.tmp	oCam_v515.0_sign.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	oCam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\oCam.exe = "11000"	oCam.exe

Modifies registry class 58 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	firefox.exe
Key created	\Registry\User\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\NotificationData	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\oCam_v515.0_sign.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5368	oCamTask.exe
5368	oCamTask.exe
5428	msedge.exe
5428	msedge.exe
6064	msedge.exe
6064	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	firefox.exe
Token: SeDebugPrivilege	2172	firefox.exe
Token: SeDebugPrivilege	2172	firefox.exe
Token: SeDebugPrivilege	2172	firefox.exe
Token: SeDebugPrivilege	2172	firefox.exe
Token: SeDebugPrivilege	2172	firefox.exe
Token: SeDebugPrivilege	2172	firefox.exe
Token: SeDebugPrivilege	2172	firefox.exe
Token: SeDebugPrivilege	2172	firefox.exe
Token: SeDebugPrivilege	2172	firefox.exe
Token: SeDebugPrivilege	2172	firefox.exe
Token: SeDebugPrivilege	2172	firefox.exe
Token: SeDebugPrivilege	2172	firefox.exe
Token: SeDebugPrivilege	2172	firefox.exe
Token: SeDebugPrivilege	2172	firefox.exe
Token: SeDebugPrivilege	2172	firefox.exe
Token: SeDebugPrivilege	2172	firefox.exe
Token: SeDebugPrivilege	2172	firefox.exe
Token: SeDebugPrivilege	2172	firefox.exe
Token: SeDebugPrivilege	2172	firefox.exe
Token: SeDebugPrivilege	2172	firefox.exe
Token: SeDebugPrivilege	2172	firefox.exe
Token: SeDebugPrivilege	2172	firefox.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
2172	firefox.exe
2172	firefox.exe
2172	firefox.exe
2172	firefox.exe
3048	oCam_v515.0_sign.tmp
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
2616	oCam.exe
2616	oCam.exe

Suspicious use of SendNotifyMessage 17 IoCs

pid	Process
2172	firefox.exe
2172	firefox.exe
2172	firefox.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
2616	oCam.exe
2616	oCam.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2172	firefox.exe
2172	firefox.exe
2172	firefox.exe
2172	firefox.exe
2172	firefox.exe
2616	oCam.exe
2616	oCam.exe
2616	oCam.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3248 wrote to memory of 2172	3248	firefox.exe	80
PID 3248 wrote to memory of 2172	3248	firefox.exe	80
PID 3248 wrote to memory of 2172	3248	firefox.exe	80
PID 3248 wrote to memory of 2172	3248	firefox.exe	80
PID 3248 wrote to memory of 2172	3248	firefox.exe	80
PID 3248 wrote to memory of 2172	3248	firefox.exe	80
PID 3248 wrote to memory of 2172	3248	firefox.exe	80
PID 3248 wrote to memory of 2172	3248	firefox.exe	80
PID 3248 wrote to memory of 2172	3248	firefox.exe	80
PID 3248 wrote to memory of 2172	3248	firefox.exe	80
PID 3248 wrote to memory of 2172	3248	firefox.exe	80
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 2188	2172	firefox.exe	81
PID 2172 wrote to memory of 4320	2172	firefox.exe	82
PID 2172 wrote to memory of 4320	2172	firefox.exe	82
PID 2172 wrote to memory of 4320	2172	firefox.exe	82
PID 2172 wrote to memory of 4320	2172	firefox.exe	82
PID 2172 wrote to memory of 4320	2172	firefox.exe	82
PID 2172 wrote to memory of 4320	2172	firefox.exe	82
PID 2172 wrote to memory of 4320	2172	firefox.exe	82
PID 2172 wrote to memory of 4320	2172	firefox.exe	82
PID 2172 wrote to memory of 4320	2172	firefox.exe	82
PID 2172 wrote to memory of 4320	2172	firefox.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://ohsoft.net/update/ohupdate.php?program=b2NhbV9lbg%3D%3D&q=QTRCNEI5ODMwOTkyMUQ0RUIxREFCQzMwNzY1M0M0ODQ%3D&hkey=NWQ0ODVmNjVlNDRiMWQwYjZiNWI0YTEwMDliNzcwMzI%3D&v=TlZJRElBK0dlRm9yY2UrUlRYKzIwNjArU1VQRVI%3D&o=TWljcm9zb2Z0K1dpbmRvd3MrMTArUHJvJTdDNjQlN0MxMDUx&ver=MjAyMzEyMTUwMQ%3D%3D"
1⤵
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://ohsoft.net/update/ohupdate.php?program=b2NhbV9lbg%3D%3D&q=QTRCNEI5ODMwOTkyMUQ0RUIxREFCQzMwNzY1M0M0ODQ%3D&hkey=NWQ0ODVmNjVlNDRiMWQwYjZiNWI0YTEwMDliNzcwMzI%3D&v=TlZJRElBK0dlRm9yY2UrUlRYKzIwNjArU1VQRVI%3D&o=TWljcm9zb2Z0K1dpbmRvd3MrMTArUHJvJTdDNjQlN0MxMDUx&ver=MjAyMzEyMTUwMQ%3D%3D
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2172.0.548011624\174697821" -parentBuildID 20230214051806 -prefsHandle 1736 -prefMapHandle 1728 -prefsLen 22035 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {66c11bc3-1831-4e49-ae3a-2cca9addb707} 2172 "\\.\pipe\gecko-crash-server-pipe.2172" 1828 279fbaf5458 gpu
    3⤵
    PID:2188
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2172.1.1211529571\1764477888" -parentBuildID 20230214051806 -prefsHandle 2360 -prefMapHandle 2348 -prefsLen 22886 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bd7a88d-6de5-4772-a09d-5f289823b801} 2172 "\\.\pipe\gecko-crash-server-pipe.2172" 2372 279e8786b58 socket
    3⤵
    PID:4320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2172.2.2098966958\551838820" -childID 1 -isForBrowser -prefsHandle 3232 -prefMapHandle 3228 -prefsLen 22924 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b5674fd-cb5c-4446-a776-e73468382ff8} 2172 "\\.\pipe\gecko-crash-server-pipe.2172" 3244 279fd059c58 tab
    3⤵
    PID:2256
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2172.3.1096069929\2129882297" -childID 2 -isForBrowser -prefsHandle 2968 -prefMapHandle 3260 -prefsLen 27575 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ef24905-024f-4365-955e-f8ae9fe97615} 2172 "\\.\pipe\gecko-crash-server-pipe.2172" 3676 27a027c8d58 tab
    3⤵
    PID:2368
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2172.4.1772639991\1233330974" -childID 3 -isForBrowser -prefsHandle 5096 -prefMapHandle 5052 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a21fcf6-d2bc-4bdc-9b40-b4bf693c0fe3} 2172 "\\.\pipe\gecko-crash-server-pipe.2172" 5104 27a04476f58 tab
    3⤵
    PID:2152
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2172.5.271459586\755565304" -childID 4 -isForBrowser -prefsHandle 5288 -prefMapHandle 5292 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {06b323b3-af93-4eef-820e-4b054e663c25} 2172 "\\.\pipe\gecko-crash-server-pipe.2172" 5272 27a04477e58 tab
    3⤵
    PID:3204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2172.6.514084822\1046473539" -childID 5 -isForBrowser -prefsHandle 5456 -prefMapHandle 5460 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0a0be7b-9da4-40bf-b581-64e2560a469f} 2172 "\\.\pipe\gecko-crash-server-pipe.2172" 5444 27a04758e58 tab
    3⤵
    PID:3240
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2172.7.1085436641\80330597" -childID 6 -isForBrowser -prefsHandle 4624 -prefMapHandle 4632 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7fda51b-fe4d-496b-b1a3-46fb91035aea} 2172 "\\.\pipe\gecko-crash-server-pipe.2172" 4232 279e8776b58 tab
    3⤵
    PID:2516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2172.8.1338596154\442028751" -childID 7 -isForBrowser -prefsHandle 5780 -prefMapHandle 5776 -prefsLen 27774 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f7d1b27-6adb-491c-9b4e-b36aba127644} 2172 "\\.\pipe\gecko-crash-server-pipe.2172" 5792 279e877b858 tab
    3⤵
    PID:3460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2172.9.242408211\621990683" -childID 8 -isForBrowser -prefsHandle 6416 -prefMapHandle 6388 -prefsLen 28215 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83e7e6b6-2dfb-4dc9-ab86-1cff0413068b} 2172 "\\.\pipe\gecko-crash-server-pipe.2172" 6428 27a05a4b258 tab
    3⤵
    PID:1212
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2172.10.1169104850\1320350039" -childID 9 -isForBrowser -prefsHandle 6748 -prefMapHandle 6744 -prefsLen 28215 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5a8f630-b8a8-4743-aed5-061d8cf27c3b} 2172 "\\.\pipe\gecko-crash-server-pipe.2172" 6792 27a06a77258 tab
    3⤵
    PID:572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2172.11.547202105\1175822597" -childID 10 -isForBrowser -prefsHandle 6932 -prefMapHandle 6936 -prefsLen 28215 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3973aaf0-e87b-453e-b075-f745d842077c} 2172 "\\.\pipe\gecko-crash-server-pipe.2172" 6924 27a06b5bf58 tab
    3⤵
    PID:2864

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5988

C:\Users\Admin\Downloads\oCam_v515.0_sign.exe
"C:\Users\Admin\Downloads\oCam_v515.0_sign.exe"
1⤵
- Executes dropped EXE
PID:6092
- C:\Users\Admin\AppData\Local\Temp\is-1PTDJ.tmp\oCam_v515.0_sign.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1PTDJ.tmp\oCam_v515.0_sign.tmp" /SL5="$8028C,8790369,243712,C:\Users\Admin\Downloads\oCam_v515.0_sign.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  PID:3048
- - C:\Users\Admin\AppData\Local\Temp\is-HU7P2.tmp\oCamTask.exe
    "C:\Users\Admin\AppData\Local\Temp\is-HU7P2.tmp\oCamTask.exe" /Uninstall
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ohsoft.net/link.php?lang=en&product=ocam&page=install
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:6064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffeb94c3cb8,0x7ffeb94c3cc8,0x7ffeb94c3cd8
      4⤵
      PID:6076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,7992420426596694203,3087229458807653967,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1832 /prefetch:2
      4⤵
      PID:5380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,7992420426596694203,3087229458807653967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,7992420426596694203,3087229458807653967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2584 /prefetch:8
      4⤵
      PID:5480
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,7992420426596694203,3087229458807653967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
      4⤵
      PID:5636
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,7992420426596694203,3087229458807653967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
      4⤵
      PID:5644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,7992420426596694203,3087229458807653967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
      4⤵
      PID:2352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,7992420426596694203,3087229458807653967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
      4⤵
      PID:2440
- - C:\Program Files (x86)\oCam\oCamTask.exe
    "C:\Program Files (x86)\oCam\oCamTask.exe" /Run /Register
    3⤵
    - Executes dropped EXE
    PID:1384
- - C:\Program Files (x86)\oCam\oCam.exe
    "C:\Program Files (x86)\oCam\oCam.exe" /Run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\oCam\LibSSL\ssleay32.dll

Filesize
330KB

MD5
9b3921b65e656fcd9d27423f8283033c

SHA1
09116270a301bfb387134e87a74bb12def259817

SHA256
89dccac92bc457b9180c0389b824aacebf4a934ee2f0b37f4a6e3865799ecc6a

SHA512
fa3c409faf9b23e89302f214d3f0376a293ba0b4c0ccb5acabb6a4044b233937e5b1fd73951a49edad5c30311eac9bf1c7e2e14174b33ac31642f70d6d61ecc3

Download Submit
C:\Program Files (x86)\oCam\language\English.ini

Filesize
44KB

MD5
9b84dc3a56146dbfe04d9c1dc11cea47

SHA1
45fac2a0d72365f9934b4035c4bf74a77e0b12a3

SHA256
b177892382b4b44dd29101b1ed45e4737faaaeb2ea6ea16a731693d27fce5814

SHA512
4d4b8f42e368fb9e6dca0693b5296108145a72fc4c0134f12c6cee3d91ccdc9d0ce559c57f1b46ba384743472e505162b16ed1fa9b6ed2e585ec1cf84f9ade92

Download Submit
C:\Program Files (x86)\oCam\libSSL\libeay32.dll

Filesize
1.3MB

MD5
abef7052e350db0c7882cfed969066e1

SHA1
0ba8fda273f2fd9900a6ddd926d7630c732d5aaa

SHA256
5b4e6e7ff551a2a48f1bab0ac27421930a6215a9f5e52e95297c8ba31484d1f5

SHA512
547edd7721f0927c3663f04d9af41a9241945a8dfa39611596d9fc0200e0efff0a992453dc2e8590aab9d943a2e7f1b20e586f860f240d74b124b4d4ef48d4ad

Download Submit
C:\Program Files (x86)\oCam\oCam.exe

Filesize
5.2MB

MD5
34a113f30b1b9f6180c428d540fe09be

SHA1
977d08f9a89bd7add8cf56790108b7833a988b93

SHA256
b6d15a8710a64ff158dde9e0ed73ceebbe98656084e90fb2ccb132270312ab49

SHA512
04cd46a631fb965a08a95a39629db4c2d92f83ab7d32091ba544ead4aa480f212c2734ce0d7b6cedc5f1f0a89c68bb31a74b9753bbdd9d6450634113e8569d86

Download Submit
C:\Program Files (x86)\oCam\v515.0x86\CaptureSoundLib.dll

Filesize
195KB

MD5
db107cdbd580d9fc4b1c590582dd5196

SHA1
95747c7862df2aefc53eb9d668239d0d65741575

SHA256
abea69c29c72865f0c996e399f8b9155c508bf59745905fa3c8e1a14daea0086

SHA512
cce1208a3c3ae80fe3b1d1d6f6003bb30e0a58dc3b7bb3fdcb115f0f8e26b6645279d470038ff4513cbffd7ddaaa4bdb827d4b9af31b40db61a5db281d8a1276

Download Submit
C:\Program Files (x86)\oCam\v515.0x86\DXGICapture.dll

Filesize
221KB

MD5
f379abb92e31472ed6355ba60f268855

SHA1
bdda75cac8d54599af594ae80e23c045c28c0a34

SHA256
0bb2437c21a40047d45f70010a7db0eeb236871f03eb16440333a69896a4b37b

SHA512
64075de33d680beaeaabf62611966d68659e40263e76a9b086de29cec3974888604996ac1d50112ddb40cb2e47eadd761c213c41214f714952b2d918ee5e1552

Download Submit
C:\Program Files (x86)\oCam\v515.0x86\FFMpegEncoder.dll

Filesize
1.6MB

MD5
18ef18497bfa2d0c24ec943bbe79b477

SHA1
012011808ddb725432fe9c2a20e64926abd60af6

SHA256
7795a782c9bb280211f0c3fd9337f112730d528db1d3a565ee29aae9b0176013

SHA512
2ccd0d37b5fd4c5d8fadfd9a8c495c35507da568220777636fc4e60b38e3c0803b2f9be5a9a62510dba90dff1770a731c3018da4eed69ae5ab98d73d5d9ac508

Download Submit
C:\Program Files (x86)\oCam\v515.0x86\ScreenCamcoder.dll

Filesize
2.3MB

MD5
d8a6c595219886d55278a0b26b71e8f8

SHA1
1747ad1b10e0f46aa6bd2a06ea7ea8115b8a888a

SHA256
1f9bf4a4a257b0ee82f19a787670220ce99a6bc925831a1901a3de0b4a60f4bb

SHA512
1736004639db16cd903f0abe8e9bc5cd0bb9d5f9f8aedafd1e29f5833acd845b3845654ea446c0e94d1562ef949d0072c1f8f6ce2ea9c7302696c8564a05ded2

Download Submit
C:\Program Files (x86)\oCam\v515.0x86\WASSoundLib.dll

Filesize
211KB

MD5
795738fa90a6ef5c443cf75c05c16f65

SHA1
02c28daea412af1c612350061fb770d6d651abf1

SHA256
f059142f6f8697399bb7b22db872ae2471be89cdd25da74415ca140853a712cc

SHA512
3bab79ae3ad4d6cf41e7ed40c97d7f5aa78b2cfaa9ff56867922beacfac362d2a34b3028ae21388f132d2e1df3c11bbeb93fa61f0e3779c1cd1a0208c75c5e37

Download Submit
C:\Program Files (x86)\oCam\v515.0x86\avcodec-ocam-57.dll

Filesize
2.1MB

MD5
4ab5829db4bdf8e1a6a5914b19b2fb6c

SHA1
2279cf6275f9c5584e0fc76b5aaa555123794228

SHA256
88709b569634f75a90e3b8910cd1ad1be8ddc2ea8bb9b3a9c135d91f875f498b

SHA512
63870fa1397d0b38478df621b113546c9c27fa64332158e404bb3409ea90eb471ebd2f448755916c152d3fe8179f89413a627c5dc9dcce3de4fd7a219ecae606

Download Submit
C:\Program Files (x86)\oCam\v515.0x86\avfilter-ocam-6.dll

Filesize
230KB

MD5
c5293c84f9f8dd468bb24556c27ac3ac

SHA1
b4d9e70c9289b77f1b3e00053e226a4ca7615de7

SHA256
7f982421771930e15c50cc3fc2adaf14c9b6f9f64a129c96a07a9afee29afd70

SHA512
5b1e70ad2a5408b1b8470c0134cab4b240385a81f4c099d43dee32f8bd7fcdda0b3782d960ab5d0d2ad1b2077c85ebd655d50ad8a8e0bd7c0ec01c87d656372b

Download Submit
C:\Program Files (x86)\oCam\v515.0x86\avformat-ocam-57.dll

Filesize
544KB

MD5
c54a2af8ecba419cb947055d7ae6231c

SHA1
1f0bca07390b6b264bcc871ba99047875078bc00

SHA256
9a1c657bf9dccf28d9fd58cc0286e69e81108b41deb45ec1f314a8cbd2c399f0

SHA512
3982f6699184ddb2ae0f9e123b5e4d2173af03e2e74b9360055f499a75541d8b987efabcff9955ccdf4f30b8c99af1b4b328cd9fad7603cf0e351a5cf71d4c42

Download Submit
C:\Program Files (x86)\oCam\v515.0x86\avutil-ocam-55.dll

Filesize
475KB

MD5
06f8cc87a8ef4e9f5de33989b7f8eadf

SHA1
a07b6da317139a6185d0b20c9834f4687da08f97

SHA256
fa3b52d90e6d018bbc526a3ca6f2b37232f9aa9637cedb109e9e738303c3eaa0

SHA512
d269728a9313d535b7bfbaaf100aec37218a32e36a0cd1adac3732ec69d8fb4982e92e4dbbb9abd4ceeebc5f5b16aca0f49ea62969d7fb63cfd2fa8197674f5b

Download Submit
C:\Program Files (x86)\oCam\v515.0x86\swresample-ocam-2.dll

Filesize
128KB

MD5
09dd1101c0131c0626dc1d2dbd5da821

SHA1
a45760b59c2764bc567b64350b2bd9e87af4c2a0

SHA256
e63f7941fcf7e556d4cb1171c12016c98d8ad844582908d336f20f12d6fbe63b

SHA512
3b56a6edae39b5667b55081c6e13e752b533eff852878d5df0f875d30b09ecd24f717532c4bfb425a318295b414dd2a37fec5a84d42e774adbd716b4603c35bb

Download Submit
C:\Program Files (x86)\oCam\v515.0x86\swscale-ocam-4.dll

Filesize
532KB

MD5
9001f08f06bcb07b592e0d1f3e3cbf3b

SHA1
49b10eb451b7046d06bda7285907c74c0a1d655d

SHA256
61473d76985e74bf991de7d9d351f5f7db46ddec6713b3069a796cf4de4ea5a5

SHA512
e61dd8c89f7e22550de08b29a1c55133174fd7bc8af30fc78c5616a5b3ada86742833b378570f89987e0b8c540be3d25fbb1c781df1a78c81766d04c1097ea2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
8d1040b12a663ca4ec7277cfc1ce44f0

SHA1
b27fd6bbde79ebdaee158211a71493e21838756b

SHA256
3086094d4198a5bbd12938b0d2d5f696c4dfc77e1eae820added346a59aa8727

SHA512
610c72970856ef7a316152253f7025ac11635078f1aea7b84641715813792374d2447b1002f1967d62b24073ee291b3e4f3da777b71216a30488a5d7b6103ac1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
b5cb610c294a6618c6043081054508f0

SHA1
5751c85ee092b7c30c93b1f1ea2baf890bd99d4a

SHA256
8040a50a5ab1e6859d1ae14b1a9f84cf0fc328a0d9face70ec27ac8e6abe8cef

SHA512
314a5c9e63275ab2d41b445f5b4cf1b9d17c06652c63ce44c0d7a25cc912a836bba7018e7d6efdbd7fb8350337f486cb56f463009cb52cf67fda28507bc2bf87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
5df57cb97fc59d190686201784d9b3a4

SHA1
310ab4b5de5649dd867b89bd1655441e3528589a

SHA256
feb06302650114dceb38c83fc3ad1dadb64e6c37a8268569cea791124c249b99

SHA512
45f12be0bc763a944851d846b6b6e01eb360b8edd94af7bc2b9a972445115f9ad31387990f816b5dca422d3a0945e1b62d85375a45976cd097859b40a60eff39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
a37777212af5547c397c10b34b4a6615

SHA1
6f5083338769083695232ba5c4bda4af152c0c31

SHA256
195d21ddb651f24feccd28d73330b543eab5ba0ced768f2c15ea3e4c23f72b20

SHA512
5f55a656ac9362cf3e9a48e09a1f366e8168bfc5803a4113e6ff682558dbe1197bc2d6f0c131ffc61b029ae5a4e1d2042b11d1e4f40bc30e3526f6775d2a2fc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b88c419948b22d8f079311239c952096

SHA1
57bde0e55d3ad4c555f1dae4224a64a0d2375da9

SHA256
d424881e070ffbdcf8801a339813bcd5dbdd9c1d121d197e7924adceeed0ab4a

SHA512
76bcb75c16d21cb2f452f19562c2d311e3741c6aaf22128ec6b2c37159c9b28c3337ff6a57a38430b0c249d6d4eca7185a859ca32515dc44de106fb0a45d6c3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f99c482b569e51ec044a39d33e5aa9d

SHA1
c4118d25e83679a64720b0c32ae30aa6fab0fe26

SHA256
cc73e826d62a46c84cc26263266fb7015c15180e3844062e35305875b1180895

SHA512
2693cc5e9b465a2296700d2563469b53460b82b87125793a638e9efd6b69b30fe232206b194b31fd07b85f9dc50b7aed92bf96845827d695088638b8574a8ab8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
86fcd549895d837a3084fff91539644c

SHA1
d67c38733a6b8246826f6cb8a8b07b00f830e5bb

SHA256
68c325d0819b2fddb7f71fb4ef0163f10c60befa32198331f802c5baa70a7a60

SHA512
2148c28df5325bf43ecb37fec573188867c89281b4737e0f4648cf4caffa62f4ec26c7fe45a07b8b9df98f5a16cd8bf520ed8f7c771a2e42c99e704e53435437

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ae4f4219e658698913c14938776a16ac

SHA1
01c3811156e504e24cbe6e63b5fd785b30d9c6c3

SHA256
480b3671b1d52bcb06f3bbcd896c41436f8c6877a6962828bc866cd94cfb20c8

SHA512
d034c8d74802d863972a81c7570a736cb66c1e7f6b980d24c47d07204ab3c968805b0bfa262aac945d4ce04e4cf7de1ffe5145b1d87694ae1fbbe7809a5b71f8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\activity-stream.discovery_stream.json.tmp

Filesize
25KB

MD5
f698afbde7e1915bf91814d7a8319ec0

SHA1
cfd82b16228438aebac58c4bd7d4b8711cd4a6bc

SHA256
9182c4371dd06be97988594341265476c8f09771646cae021e97a0991b5a4476

SHA512
fa02f768a62fd509cea6c2c5f553a7368a0d23a62cca81f65bbda4da8fe96bb3a8a224bc34170c2f59041bc46d93e323568010ca90d10db2d349dd12551c9519

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\activity-stream.discovery_stream.json.tmp

Filesize
26KB

MD5
fba9eec75be80ac61d262cb2584a8564

SHA1
570964581317a6c6ba7fa6943116668b86dc8d59

SHA256
a58978742711f2095dd8c05fc5f511e712f7cbec5c0c11348a29e6b99c401a78

SHA512
06087efd9edf455476d2e2f47ae39e4148c42c32735486b545cb28f03d7a3832fd844f6c08a763b869310aaf8919235728d26b2fd8d1f886e4394a3055dfb32b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\10359

Filesize
92KB

MD5
84a4913b766b8a45563161d222d4a418

SHA1
ed8903aafa633e784cd143527b7e727e38176a3a

SHA256
ee5e30ebca6ac54ff4a011af8f1d14f03c5a0e4aaac2933987482af0091ff46b

SHA512
1b4983c1c6158a45b74a3c34430c141faff74de766ff2a6c0d83895af36ab583cf1b73b71c2e92054e421a92a8336b948a5b2ec0531e23c6c57cfeab56e07509

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\10990

Filesize
75KB

MD5
b4ca500479a7c007d5835a024e4c8209

SHA1
b91f77df1dbd4c27472e94c6c674adc61c2953a8

SHA256
bf7cf6bd24e1844ad156ef1b0921a1f1bf2b38a4a47944b7a95215b3ff0d5a58

SHA512
4106928ed1c26132ac7b84b7626251e1a5c8a05bf31f54d5a6fcada0e1e514f78e8ccab8728d3b30b8079f156547c28bc9bc9f74703620e81468c0c0f453ef98

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\11055

Filesize
17KB

MD5
869a62e6b07ca3dc33c72f2570cde05c

SHA1
4c488ca50211e95e6219e03a640fd2a4c02630ab

SHA256
9b6060bea30cbc65344533fbbe81e31e87fb874e7ea42629c697446be2c5cbb5

SHA512
937c89dfbc3594dd5054a8b925cdbbaaab507c9223ea2df10baf58c8d902df68deb529cb60d55143866f144f27ff52fe659ed1e5be8a8b381740a83be76949fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\11567

Filesize
10KB

MD5
00e10c5bfef940bb9554ad644ca23463

SHA1
77b48167ad1759667b1e6dc4c0b24b7fa8bda127

SHA256
d8604357b70d97011cca4df99e8619d0a754b4295edbbf7c62de698170244fb3

SHA512
01ab15e54a78a7ae894fe52d30ce93186a8fb5c5dc054b523259e27acd3746f3cc4e3698f893587d76061a125a4608db866f817348ffbc0b8094044cdef86c29

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\13334

Filesize
55KB

MD5
41bb214baf71803739f36a5388023305

SHA1
c805cbe9c737cce84ea4bea9649d4491fbe53e52

SHA256
f7fba2bcc029c1a4395e53c1062a6aca5a39e2d978a9f068624b9b95d4cbed2a

SHA512
029839e80b03ca86f91984a80e6fb3e6ce38291bc5ae872c2c0556c7e6160e58f1417914a1b64ee2ee6f79c40bd190e120638b4fcb88986d8be409f450cba0c2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\14039

Filesize
12KB

MD5
e00c057e2a7b541ef9de8eb9b2e9d97d

SHA1
989f38afb1c82f7393f11b560d936fca00e12eeb

SHA256
b75cb19da3ca470f872e4c46460255d7b61a7301a542c936b2ed71c69f97c79b

SHA512
8ef77423d8797cc2298c3991ad03fe5e5cadf9b85c04c4ff0855de51a16e96a55be6adc4bcef96321e7ee83633c531a5d96532807bcd326670bc9a538b2312e4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\14313

Filesize
11KB

MD5
3968e74b0cc9539b50c4be25af466481

SHA1
15da88b2d37e68de2bb0c29c6100c2cd9289b34d

SHA256
314f7733b432ec93c866419ea6beaa6ad4969e9809d8aecc542b674fa232abf6

SHA512
77598790037bc06ba3cd638fa5210133bb8dcf994be95692150d1a18d6021f0f61b9dfa82e0500069457d61ba4716288cb1dd1822d50ed97aad27b6d6b8e2a54

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\15464

Filesize
9KB

MD5
49c0d671cfbd65d12de5087d57563ebd

SHA1
beb842e149af0992e5df7f9686fc799f4daaa25e

SHA256
bda53490eec3cd2b2cd2759fd90556359e15682889bc8f3b1c764ee7e8fbaeb7

SHA512
f1a6f6dbbb166757276fe07d8fc84dbbc827d1d073ead4b29b17be67736d554f7d8028235f6e39e8f229516762cb17c7b47de521d8fe4458d8110623f234a144

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\16867

Filesize
9KB

MD5
58db5b74417a4cd1ae0b4bf23ac17ea7

SHA1
57bf6f74e9fcb40f1874bf91a49f393cc569a3d2

SHA256
fd7e0681f3407429da5da0d4bc90f6f0228cfcb0fd4f9dbab99fc60e91fb5424

SHA512
b0ba8933c7c917049aef78713be8f9040c477dae670019a324754bf6217b64aed8b228a5864cf170e45af45011a2d694ae75ef3d5e7cfe7fe86ce460207a6733

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\16996

Filesize
10KB

MD5
121602736a965120043848b74a44c566

SHA1
4f133cd32def44e5ac6e66b2383fbece59bcf1e6

SHA256
5ba591d379bce58ae92ac8b02171346896687e5476ebed5fb45e032010a401a6

SHA512
7c876b92873a4b7ec0ca3e2133aca6cde9397bb5002fe6f71155290993878cecc66909c9cb596dd47d2c2761908daf761791d0dc6faca95e3cb539490b3da864

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\17014

Filesize
33KB

MD5
9fb39d6de38a147fea1369520e6699a6

SHA1
fb7cda940325fd8fc1f6a8ac465d685f70d368f9

SHA256
7b56bf3d3776e02e6bbbcec470ffb875056c8484c3eefda3d4b32adadd339346

SHA512
48ea6ec60e7c429ce387e9c508e135e5fbbcc20debf4fe01d3580f7268c89d6ed0e9a33c861c542d3a3a1762cc016b8415fd48193e461e589f7899ff26e1844b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\17788

Filesize
77KB

MD5
bae11929c4a4fa3f607705637c3496bb

SHA1
9de2674e2f172f8382dc8299dfacc632544033f2

SHA256
d49d32f4818de144b3f2e176fa88bd0b54caab27a6ffbae228aeb0cb90c6bdef

SHA512
a63fb95e50c7f4849b1a99c3cda9450b1c439fa6a7887789182640147d973dad21a9c0117868f25244bed84178b379932f310bec92b0fa00e5ca7562aab4783c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\18640

Filesize
9KB

MD5
5b5dc0bc12852c7bd55c12dbd2811558

SHA1
ce5a991ba7100139ab42b2a11d24478444ff63e9

SHA256
73d46d69b5229d3a919f0ebf0df77f3df270f07919b0c0e5837e7a0d6de90d36

SHA512
8fe173a0115e76454905ae628561a91129f1466e2daf2bab61215b1fef6ec3121950a56cde52653f22acca68c6f45ae2e366ee7f06ae72f0d2a7d2c4ac692c91

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\20085

Filesize
10KB

MD5
eaa1e892e71bd24397219a6200a6e5cd

SHA1
1e0f556d486ea60d0318bf37439eb9ec81810856

SHA256
0d51b9d823cd63e0d1af9f6f2aa549ac0aa528fffa8e7b14cab104b826788fa2

SHA512
b9377675c1fc3574b0e9437a43b57ad3f532af3e17aea9ac662569ca7e29a0326f7e40f81de4f9080d0022cfeddb77fef5509aad88d9d3f80d7dda417a2f281e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\20639

Filesize
10KB

MD5
b75dd30336da92af75c22f470da46e6f

SHA1
ea687e66eca96c18b280407ff6e0901b9960afb7

SHA256
8d0125f252da4dd5c2eac120b1f04f06fbdd9e8afd8195618a7c79624e5a905a

SHA512
c0f1dd31f87682baefe7f3186911ec8a5174252f25a89a84a7a2ec3513b4727c40b1ab9609e4ae6ee7019490b4f6309e5d66739a917ca4011b8702a01b82dd79

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\22100

Filesize
12KB

MD5
aaec2b8ca15bef72098671a2ffe06b7c

SHA1
ec098ab46e6e852b565d54ec60cfcc482af50be9

SHA256
17ac04afa7ee7b8ebf34e335fc15943bcaae60f9432404db8f08f410347b39ce

SHA512
55d5542484d9176738afcb980aa730772b412991dfaae6db512f1506f6199690fe25008e656b790ff9002756cc8fff70cc50a518c760c70255256ccc706ba1ab

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\22715

Filesize
78KB

MD5
43f61a4ed0290f9fbcb0595f643bb6ae

SHA1
66cbd869c0dbe4bf222a93beabfa90183c99d1eb

SHA256
63bcc21435aee936a5c8f7d4852484439e3869ac7c860450bfadb7d608249c06

SHA512
d889d95a0563f85ae13791f9cb2079c0c070784d6b58ce213678f3ac1fa29d52d21117a0ddcb9bd5fdf6d29027ea5c9e701027742b25042cb355adeca0148383

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\23186

Filesize
26KB

MD5
1748eb2be1dbc2786055b2e25bbbc5db

SHA1
46bed83ad46ef4044735b54149ee85b1d35b110a

SHA256
0afce25eece070db70deb39e71a7d0b7a366a54a38c7bb328f25a3e36c7d258f

SHA512
2eaafb1ac4673e5c5854531a025e0e577ef5cf52a4768107779bfbe1f22866f3135048a440a23f59dd8a276a34f071d9658a18fc2d430ccda97317d8da097087

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\24039

Filesize
11KB

MD5
3b074460478cc5f4f213d1988c1dc542

SHA1
e700cfa109b1c35f86c718b9a19c68ca32e66f48

SHA256
49099009e395bbdca41c181d076fe2f60f82e2e9224bf441767d13b144408b0d

SHA512
13a1692e1f966ca42b4d5fe9552d8869581e8381d71b5b2e3b5521d12ee8434071afedfc2c24dbcb2899314dcf6e84be7bbf592135c8bc243fb8df24917cc565

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\24420

Filesize
22KB

MD5
e83b1cdd280fea155d3a5aa69ab23c2c

SHA1
ba173810b11d3c4f5f96b8bb3826dd36b5d4642b

SHA256
3bf5e7a3c346e8db5d9d25af1300e4b407f858ec1fe2354e5665ae1e805d246e

SHA512
05c9aee18d5163bc87741f36097ff5eb431f8e3dffa97e3d1f933eb27c13045eca2cb62998638ef94623a07da0be85fd204ad3359e543b58df6420d495d21478

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\26392

Filesize
74KB

MD5
1abd17aa384916ab9927bbc9f0d660c8

SHA1
74c185562ec2ad06c162ad1a5c5347e18d737aff

SHA256
d7ed841f1d77fc5e62cf51557ab5a82c659247e247b32098a5ac1bbf18e61ec9

SHA512
3fd7bc199d5b726ad7598253125e27fb6fc15345fdc0e26348deae43d8040bb135527f72f0bee8c41676db9af7e025486df61af51b2c6084316176958a8c4c77

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\26754

Filesize
75KB

MD5
1c6e2244d3b04dfa51e5bbee6738fb11

SHA1
349ca94103fb19098f478c6f028da6ebf20cc924

SHA256
a1a39dde5e8ab7a7271ff79350a7f97daa8b6ef9c0fdcf0118b78da450e12478

SHA512
0429d830b1ddad390365cb9d0e126247013487578ad1a4bb9328c57e0b495e2dbe003b202d7d2aff3863f0aec812b0c78475cfb9f464c601253cc468527968ac

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\27372

Filesize
27KB

MD5
12be4a96459986454f1c828eb44b1c64

SHA1
a7d3d3643d824c4bed935c1b98e622b387ac7389

SHA256
74c7658b362e3ff0633221ae83250bbde95652f2d9f3ea20cbf5f252989a5acd

SHA512
bb9881c3a3d54e60b7635f335f54c8c904df72e748397bdcc6a788bb50adabc78a0e52f7189539f22d4b5ea82987c113602a123c0638fa91d3f75a0344c54594

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\29067

Filesize
9KB

MD5
dbf1ca160d3eff974f386c9b1dfa1308

SHA1
1e21a100ca9dd10aae66532006575435fe1b2609

SHA256
89d2942325fd863c83c433ded18d43d7a8916354fecb0780ad5d7bc39ebb2c36

SHA512
aaa0abc925fdd2c42a6dc4a5ce99b4f54acada0a73537e97477e027356c546c58e9abdfc493c0b249b70f6e3cbb461fe39cd964b1431a5dde37e89b773a4e371

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\30163

Filesize
78KB

MD5
ac0ee61e25d37b7f43316536e3901a8b

SHA1
cba23dd19b90feaeec3d80a8833911011305d61f

SHA256
bbf60919e78d7e91f2ebb7dbc3d49fd43b7775b44bf6a939595122c561b0cae8

SHA512
0cdfbe78be32da018acf1d80e4e5a5b485162db49566972d9a3ff8f6118f2eb13cced8c228be7131078e214b39f6f4b79f6fbbf99bc053c63b051fc8cd26195d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\3048

Filesize
12KB

MD5
501c38af426b01a034e8ace3330a714c

SHA1
3d6cbc841323e14deaab44b54b51e0f979354638

SHA256
e1dfa59ff796f15a760df1a8a376fd2b812482df5d48f30bbdd0ceb0921dc1ab

SHA512
803b262bc0c172f40ee4ffdf34a3edc5ce215c20ad84ff43ec23ebfbf495f76b0727d000b1f83f789d8fd1c249421bbf86c57731811fd2a27932652a8ff476a8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\315

Filesize
9KB

MD5
9242f93390f1366328dc91a2519b6e6c

SHA1
aa1b135ebcdd5011e48af9196d7cae8ae995f584

SHA256
1b9ad59e05a0d795fdfc79be56568153633e145ea19fa7515501fc7faaea0f4b

SHA512
aaf6b5e5c31006d48b2879e5550c840a4b073983d84cd83167cab03727af46183bdd98fba543b758a79f8f2319e55d0a70c2903180843098c587fd6e2580c18a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\4478

Filesize
17KB

MD5
da25b61465d0c838367e3fe18e593083

SHA1
f1f685016fe4028f9123a5d02bb85c1179682171

SHA256
94d3a54fe8cd4dc6954e6007cd18735b4fe0b24f33ea834a13fe85495f0e7e5f

SHA512
9980993131e2d488d463037214256fd7df8031ac71243919f2953aabe4d60808d7e229c0455771d56e7d198ce1e3c17ae26033e991f09b4db8988fc6d78d3600

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\485

Filesize
28KB

MD5
1a982ed5520445e4f19bda8a140711d1

SHA1
7c128f2beb22458932902dfb83ad816063399518

SHA256
ccdbf1ce5d1af9164647c4658ac4a241e17c1b1b0d5f6dc978c14c6c70501cde

SHA512
0c0b4f9bd4d432260d2d6d9637a57c62d4f42b5c5adf08d2d5893fea4b80874ec05634cad77051012c380acdb3c5e4a147fa4a2bf571a31fe583865dec359bd2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\5422

Filesize
66KB

MD5
cd8cf70c009e7096d8f996c0fe6ef4e1

SHA1
ed04f614c5adfca0b766ccaa540935af889101a9

SHA256
29776336f78e8bd36bc56b5b6800851f59067f70cf4aa3437dac6691b8bae069

SHA512
e294336bcb5dbb94f6b1fd08662173c7ab33d8586935ca36d15b786b6f343d7d061946639af10059a37f0f8501f255bf51fc2a46928f90de61ae904224a063b6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\6362

Filesize
10KB

MD5
58212a93927aca38f2a91c06a26969a2

SHA1
b5a02a12b9f1a371c989672ee7d2df6ae9b140af

SHA256
27c0544fdefced349e0e2e1d2732a98a7e67467ba1a36df0a83efb19a420cec3

SHA512
27872fd6a9d3042ddb932e13e38668a6911895094d8f59ce98091d29fc3cf10a9d373698da99dd6dffc3aecda15b44ad9a6499379439a3ef09af92b28e56ec16

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\6510

Filesize
9KB

MD5
ef9c4bfb0fd59c9c22c1d946cc87fc2e

SHA1
7b6017ac31b08fee63479a9d431f8356d1a11928

SHA256
cd7a1aee809ea1d66318368e2b8ad0c2cac307db019c00d73beb8d1bdf778cc5

SHA512
98ffdeaba850a19a43570747166406d474439ce52997d41ec864576211595fb719da15024ce1fbddc33e847aa1674e32158f200b866891831e914e666a4d84ad

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\6945

Filesize
11KB

MD5
1297fe2abb400ae72f1f2be506475495

SHA1
67a24344cd4903b8a1de8e4aeb8bf5917d0421b5

SHA256
5607c8d784b911feedd84accdc66f59f505393632a994c4733be4234308b330a

SHA512
34cf2de3e363ff178dc6364856d856950d4b2c0d895a7c3a2bbaccf57cc6de44bbbd65b213cc48d428376a55660ab2bbfcf86c745cbeb54fb3a3426c99d21f1b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\775

Filesize
9KB

MD5
840ed73afb32fe8c021063a618d8a8fc

SHA1
ee00c56a010981c0930bf1e7b0abb4d8938c62b1

SHA256
bdb53e3cbf4d6c21606a5e1f11fe6efb4e374a5284bb89bb32af621f13682fc3

SHA512
bd598d9bf2282b6b91632679f67efd4f6ffe15e3cd5993e18b5257128b51db12d5a5e3640eae2b219eac62aeed24c354f888a89ad914ebd936c43b78e6bf271e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\8222

Filesize
78KB

MD5
a50dc5e6abe432fd46b4ab503baf3761

SHA1
a1e0e43bb0681ca0ca949af80e7dc24d04091a98

SHA256
fb6bc4ebfb30af9a7f57a332f4249f9907d005193086b55c2d2dd403ca0ecc92

SHA512
0eb0fc9c0997ff0125c22ae306e5f65b313e85d695dd00559396f90dbd930967a4f05e14409a7af47746a9bb3a425d4e6a9ef5cc916cbdc157de829a17d19769

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\884

Filesize
12KB

MD5
c4066b28e004d112d721370b5092ece4

SHA1
450d7ba51fb2f1a093a3b83007107a8282eb93d7

SHA256
7fce03fef32d942887a41b3bbd72bedeb54b1e6ded36f3e1ef9de2cd30ade44d

SHA512
8be2a80dd5e704e22938be1d713f1a4444978c16e4b5b5828878029d1029cda9a2c87f32f5ea5e1929fdb1e969d17f4145d22163750350a6399e868a98fbc709

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\9061

Filesize
74KB

MD5
0258ae4952681296f198c49a1a712503

SHA1
37c50c72c17cab9c1114c29568fe622b11a189fe

SHA256
cdbc25a43aa8253a73924cf06b55ad612ea6d39e85dc06cd50cd4439b176b9c5

SHA512
89143a8dd59bea638a209e82d6ceffbb6b9f0c284f9b91655d7126c4da2d1d59b15dbee884a111413984198f55de41b1ba90448d84b8c5f27fe2ddd7071c1571

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\9811

Filesize
9KB

MD5
f7f1a587df6036863ecf2679cd7e2ecd

SHA1
141052a414f98c30968c475964f084d94182ee43

SHA256
77d62b401262d63e5eb7e0d94e52fc55678010330123845b1d68f53e33e81c21

SHA512
7e56af422ca7180dda3f99c41d11bb66e3133be9aa9e56b8f7a94e2beed466ad07105c172584b95f8d607339a4eaa954fbed07211bef48b8daa4846c13c0dbcd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\doomed\9899

Filesize
9KB

MD5
0f9e868a81b820b59e8af5a03c277a8f

SHA1
90ac2f600bdd23e4c8b31c13db905bec70c2cc13

SHA256
03f0695ea0853aa26ece345361e6a5091928c48667aaea8debff686961eb620d

SHA512
caf78b0115376ee0080f1a07e2a2f56381e6ef4fddda41cbb5242f75aa9efb764faf858fc8ab5bfc55f350e9f6f5be000dd85162953cd04fac709416d0cb58fb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\jumpListCache\CO88kom1AjZ+ukzzumUW8w==.ico

Filesize
15KB

MD5
a3c1306e53848dce3a3c2fec6e1cdff2

SHA1
87f8463535c624202f9b6efe26e993b0b1f3157c

SHA256
d2d32f8573ccc7ad555d258c8362cfb0b699eb4b004f93dbeb171f3510df055f

SHA512
871e877c73990e372a7a41d9851e9dcf301efdc543696aa4dbc35b8a121e24b7fcdf76d426b5f90fa3a14253440697de01ffa0d82d417e5490560ce7d9740aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1PTDJ.tmp\oCam_v515.0_sign.tmp

Filesize
1.5MB

MD5
4c31eaeee92830c35cb7c8a7dcbb14fa

SHA1
ce566385db3a711806aa34700d2fc3e714e2cfbb

SHA256
efb7877be8b110b5af74b99dbf4f580d6ece6f83eef196120dff3a0220d96c72

SHA512
62b1b70dac5a98d4cac7df21362b45b7d78ea18c10bf0cd3bc0470c830401d7f93514f2502396db3e733f7c6e1ed6c647025669354d3cd4bcbeff273e1b3ea71

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HU7P2.tmp\oCamTask.exe

Filesize
145KB

MD5
3e44c79c2ef5b70a6592477fb140e945

SHA1
a92772ee80bba31d03062db66158c231a653be9b

SHA256
891a422e04c52ecb825e15fc15dee8a12b6e87399660e9fda680f86b7ac79017

SHA512
cd115394a1cc38f313e540de0bd82e16d0ea8695ce3659ea4d762e22b16e93a8b5a9616fc6a44c240bda59e691df72b3971fe001a50ccb760e8ebb60a4bbc3b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\prefs-1.js

Filesize
7KB

MD5
679743f60e9138278cac08c141524087

SHA1
4f68ddcdcc5b44025ed5abdbe87866a912eedb8d

SHA256
6b015b97e6a71e21e640bf8b1e99e5aa8796c29e9819e8931c86148e9ac0be23

SHA512
188f655a1c5beddb906b7dae04184a40759ef38030a86acd8c7935744ee4f94f77c0bde9eeac94f0f4105e4e52ec7f12ca73b26f4b514265e99bf1aeddde8082

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\prefs-1.js

Filesize
6KB

MD5
0962b92ca037796b587213340927d84f

SHA1
1e3a450a2a4076cf1f6c5b25bb10959994e0780e

SHA256
45beb36e6b1fab7900b5e9d0847a3ecaf41d344741d45fda9fd784570c1eb75d

SHA512
5eba15dbf659c934b54da2b0ea0086b229a98c9a9a8c0e133595c4fa96ad0d7eed16c9696d4980c897eaa06daf7f6f065a10e21763f22d768707efe93a47f3cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
f403bd07b910bd5cdac63d4cf4f3d3cc

SHA1
95d9145ed124733d134f5ec56194a123917de25d

SHA256
5366a5cabcc7391410d5bbf97d8f1bcde7556be1b684c33e36b71ef2e092df61

SHA512
4614eaefddd81cacf9b3eb2ff39cb657eab4dde0c559516fe3ab9acf0b60e5abe9fb755a7298806ac6debbd62693d1a90ad411776f6be74b3bd189d902f4a6ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
b8d15ab42208391bb789fb3852982adf

SHA1
58bc26885f90cdb440f25adf78171c2864846bef

SHA256
66fdc9ebd5f3dd5e44a6a82e653431bb36105ffb3a108253736a7c9a41424bf2

SHA512
2eeea4475edf65c6cdba5cf725f5145c316a5a7ffbca4eb1dc28cf74c4210af38e1315a57c4fff37705d3f80be9fefa45a71116eb71b15bc7b52c1921e8c11fc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
842ceef51d9eba766094eb4cc6fcda0a

SHA1
11676abaf67692c5b5c22b04168613696ababd84

SHA256
b426d58cb49f5097127d0f37a8b6607998bec8e7f73554c3c14b875d435282d8

SHA512
387c8fe9f104cc11268d5e607ec000a44b58c2e9983a55ab662672053e0bf6eb84011641d3be0a4db36b043d0785b12398497d16f09d55bf9fc41eb568b82b40

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
7d2c462f245b637fd52292e5897e90af

SHA1
b4e10a9729b886e4720e523f917a52eaf3cd57fb

SHA256
ca368f8b2971b3e54ebede798a910e15b0fd74a1f6eafe4994aa1fe120aa2c41

SHA512
f32d2e1723b86c1d0781589d15e0781b2df2dfb35d7e0058f2d7d819571ab48e448ce4df411ba29a848d32c37ca28991f6d7a566020695cbae361168ee889473

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
1ea742d404925e22e6d3d602f4d8ed7a

SHA1
16a5dde1e31cf4095e92724e9132a288d4ee9dcf

SHA256
4713594697cd42026dca0be00cf8870f3fec3cb56e0bc95b4087c119fad05529

SHA512
fe1cfdd83037fe36844116fe205cef950079ed701bb8e734d7750b6240f379c3c652b367b67493f948521001c0306dc42c68e97165c1e9c9107906af23bbe492

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
1d58ba60f2cff73bf1d3afe0a85dd9dd

SHA1
96b64c7cfc075c230239de9fe627049a07d303dd

SHA256
9672a44505a2c9d78e7ed36595c169cfb560353e8e4420908b5dabb105de5570

SHA512
56b50b5a36ec10f9bf2d1e6ede160f2443b3ac376dee10f6c1543b3741b9ebaeb6ac340009ffeec65e7870109de245c0bc2661c7e8712f4ab42eb6384092b31e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
a18dd3531ca21530ab2738653cf7391b

SHA1
7cee0799b5fab87923157106b010c62819cae79a

SHA256
6db5cd141c8de27a53d4f826fb707024ef389bdcdd71fd4a88c8a04aa6c12941

SHA512
0ad53419216be85af805195c066d1527bd394896b5c3c91ff450da432380e9242956bcb94a31815efa291ecac57b61a54a51bda5657362c1c9097df6a03dbb75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
ec786c3e7830844e26cb6d2843b62500

SHA1
f6806aedb9b260ad8ff44e0e85cbf65298accdff

SHA256
227ea252e43ab576cb7360af2e7e018833eb736f71d2411c2f02edb66f3b2d58

SHA512
ae5502b38d84b4b04fcded348084b461da299590127ea50d434831d4016c83619dbbec94dc5aba9287375246755f526b6c30ff1f41f890897e9e57a9a6400d01

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
023f1815ab0984c19f2debd2a9af85ac

SHA1
b3ff573ec4762b06376dd3e7194259bbaf9cba75

SHA256
f175bc7f75a9991ff6da93a00fedb8aa63b183667dda5364fd06e45da6d7bc40

SHA512
67a24b05fc2a38ac45373785d0b771e85572e181d88c3184af8dc2df75282716890eb81c8a636e943cb0b7c1f2cd0fb4f5c4729bb04959466b06e6cff258ae0d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\storage\default\https+++www.virustotal.com\cache\morgue\157\{4eab4cbf-5898-4078-9c67-6997b40fa09d}.final

Filesize
48KB

MD5
e460939bdc60477904411580aa888b01

SHA1
15d0db4d7cea0b4f6e2cb6f3f8137495ecd71fa4

SHA256
9e0aa54d7efdc74315c436a29f2afa2a12047354d9851dcc3c6c211612a332b6

SHA512
97f5f4bdfd776afee017aa496b3f89dcfb8af4a0cd1193715e2c17e9bc2dba51d5ebb969be8f6b6a2508a4469508cfcb2904cfec65b62568820f14653a67694a

Download Submit
C:\Users\Admin\AppData\Roaming\oCam\Config.ini

Filesize
31B

MD5
0d3ef46128eb93f36c4a2fb0e69e1672

SHA1
874efce5a95807421216bdf45c3b824cc6ced471

SHA256
f68b94094190cbeb7e5daa6bc8d7805308615bc7a5ffcc3a4ed9db5ebdd65dba

SHA512
4d6c03c4556422b0c835ad7ebcc6bcf9dcf91e345aa093eee984b23069a07d1399851e2a320e6725d80bd223f34cde8f0ae32149d46127e8ef7b54256f1d5079

Download Submit
C:\Users\Admin\AppData\Roaming\oCam\Config.ini

Filesize
83B

MD5
1342cdbe199e112ece45952fe8279d3e

SHA1
147c627813a8ed977bc57aba17e935309a8630fd

SHA256
e1ebb641bf04a4b75c2b635deee4ddb0b5b5153e166ef68da13e7ec4c95916cd

SHA512
28f38c17f2da2fc90543d0985138bcbd672f7feb798279214a503210df40a71dc2ca9ad363c28a5c20c02ac002b9bf04a2ec9aa99326f82a3fd63a534f955755

Download Submit
C:\Users\Admin\Downloads\oCam_v515.0_sign.exe

Filesize
9.0MB

MD5
c59184dd6105f541056b46ec8167f003

SHA1
7df5e1e79e07c7062e1e69474cc42fed6271000a

SHA256
b8b6448804b2bfbb7a95b249425dfec666e6f5a98e15e54d372b5446157ca084

SHA512
15ad870559415925cbc38f403191720b0561365f6edcb8117391a06bd4b7807d252baad15941b4743c78df6b3223ea3c70d7ff1c3cad7b0894037404645de653

Download Submit
C:\Users\Admin\Downloads\oCam_v515.Lh2VFuBt.0_sign.exe.part

Filesize
11KB

MD5
1b95cb8d4b44a9654ac6625483417194

SHA1
8587df415f17e38933780f861dc972bda553974e

SHA256
cf44962684f27d5eaf8cff61fa558fb723065f8e7ef258c51f2b02d63db2b6ff

SHA512
e94b39219fc68c68fe225c5c557ddc9a7b1e7d0340ab143d9a72fc2b34cf016073ac51b57000922cf8dc0358985e5b27fb0642d9492fe529925227d0cdae0a48

Download Submit
memory/2616-1265-0x00000000745A0000-0x00000000745C6000-memory.dmp

Filesize
152KB

Download
memory/2616-1261-0x00000000748C0000-0x000000007494D000-memory.dmp

Filesize
564KB

Download
memory/2616-1258-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2616-1259-0x0000000002F00000-0x000000000315A000-memory.dmp

Filesize
2.4MB

Download
memory/2616-1262-0x0000000074830000-0x00000000748C0000-memory.dmp

Filesize
576KB

Download
memory/2616-910-0x0000000002F00000-0x000000000315A000-memory.dmp

Filesize
2.4MB

Download
memory/2616-1264-0x00000000746E0000-0x000000007471E000-memory.dmp

Filesize
248KB

Download
memory/2616-1260-0x0000000074950000-0x0000000074D13000-memory.dmp

Filesize
3.8MB

Download
memory/2616-1263-0x0000000074790000-0x0000000074823000-memory.dmp

Filesize
588KB

Download
memory/3048-695-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/3048-901-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/6092-902-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/6092-690-0x0000000000401000-0x0000000000418000-memory.dmp

Filesize
92KB

Download
memory/6092-688-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download