xmrig | a923d8121f36eb7f81efdf2331e4cefe9034453071b80215f93b56e55a19ccaa

Analysis

max time kernel
209s
max time network
212s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
12-07-2024 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.exe
Size

5.1MB
MD5

4fe98ba44e242b415dd4a8b8ce3f8e27
SHA1

26b410ddefb59a478c7f61d6177ac7e917a98087
SHA256

a923d8121f36eb7f81efdf2331e4cefe9034453071b80215f93b56e55a19ccaa
SHA512

175b4635f26d3d7427a4c49dc14b10dd050cb11998a069b731f182b4acc0778f0bbee797f1d5763eb2f88c17a012bbfae5fe3b5995367b3a7bbd10b774cdb497
SSDEEP

98304:UQ1N+4GEmF1sYAbLC+MZHTL3wufv6wrreMUj1iy4x74/bAV6Io:BHAsYAb2+KL3aWrv6Qy4F4cV69

Score

10^/10

xmrig evasion execution miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/3396-217-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3396-218-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3396-223-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3396-220-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3396-222-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3396-224-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3396-221-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2188	powershell.exe
2160	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 1 IoCs

pid	Process
4792	lhhsgwktkatl.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3396-214-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3396-213-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3396-216-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3396-217-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3396-218-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3396-223-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3396-220-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3396-222-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3396-224-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3396-221-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3396-215-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3396-212-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
16	pastebin.com
17	pastebin.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
5008	powercfg.exe
3080	powercfg.exe
4180	powercfg.exe
304	powercfg.exe
3520	powercfg.exe
2580	powercfg.exe
2780	powercfg.exe
2776	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	Launcher.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	lhhsgwktkatl.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4792 set thread context of 3656	4792	lhhsgwktkatl.exe	101
PID 4792 set thread context of 3396	4792	lhhsgwktkatl.exe	105

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4100	sc.exe
4580	sc.exe
4552	sc.exe
2184	sc.exe

Checks processor information in registry 2 TTPs 19 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9216A914-405F-11EF-9650-DE050A9AF883} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Modifies data under HKEY_USERS 51 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
4816	WINWORD.EXE
4816	WINWORD.EXE
5068	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1644	Launcher.exe
2188	powershell.exe
2188	powershell.exe
2188	powershell.exe
1644	Launcher.exe
1644	Launcher.exe
1644	Launcher.exe
1644	Launcher.exe
1644	Launcher.exe
1644	Launcher.exe
1644	Launcher.exe
1644	Launcher.exe
1644	Launcher.exe
4792	lhhsgwktkatl.exe
2160	powershell.exe
2160	powershell.exe
2160	powershell.exe
4792	lhhsgwktkatl.exe
4792	lhhsgwktkatl.exe
4792	lhhsgwktkatl.exe
4792	lhhsgwktkatl.exe
4792	lhhsgwktkatl.exe
4792	lhhsgwktkatl.exe
4792	lhhsgwktkatl.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5068	vlc.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
644	Process not Found

Suspicious use of AdjustPrivilegeToken 56 IoCs

description	pid	Process
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeIncreaseQuotaPrivilege	2188	powershell.exe
Token: SeSecurityPrivilege	2188	powershell.exe
Token: SeTakeOwnershipPrivilege	2188	powershell.exe
Token: SeLoadDriverPrivilege	2188	powershell.exe
Token: SeSystemProfilePrivilege	2188	powershell.exe
Token: SeSystemtimePrivilege	2188	powershell.exe
Token: SeProfSingleProcessPrivilege	2188	powershell.exe
Token: SeIncBasePriorityPrivilege	2188	powershell.exe
Token: SeCreatePagefilePrivilege	2188	powershell.exe
Token: SeBackupPrivilege	2188	powershell.exe
Token: SeRestorePrivilege	2188	powershell.exe
Token: SeShutdownPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeSystemEnvironmentPrivilege	2188	powershell.exe
Token: SeRemoteShutdownPrivilege	2188	powershell.exe
Token: SeUndockPrivilege	2188	powershell.exe
Token: SeManageVolumePrivilege	2188	powershell.exe
Token: 33	2188	powershell.exe
Token: 34	2188	powershell.exe
Token: 35	2188	powershell.exe
Token: 36	2188	powershell.exe
Token: SeShutdownPrivilege	4180	powercfg.exe
Token: SeCreatePagefilePrivilege	4180	powercfg.exe
Token: SeShutdownPrivilege	304	powercfg.exe
Token: SeCreatePagefilePrivilege	304	powercfg.exe
Token: SeShutdownPrivilege	3080	powercfg.exe
Token: SeCreatePagefilePrivilege	3080	powercfg.exe
Token: SeShutdownPrivilege	3520	powercfg.exe
Token: SeCreatePagefilePrivilege	3520	powercfg.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2160	powershell.exe
Token: SeIncreaseQuotaPrivilege	2160	powershell.exe
Token: SeSecurityPrivilege	2160	powershell.exe
Token: SeTakeOwnershipPrivilege	2160	powershell.exe
Token: SeLoadDriverPrivilege	2160	powershell.exe
Token: SeSystemtimePrivilege	2160	powershell.exe
Token: SeBackupPrivilege	2160	powershell.exe
Token: SeRestorePrivilege	2160	powershell.exe
Token: SeShutdownPrivilege	2160	powershell.exe
Token: SeSystemEnvironmentPrivilege	2160	powershell.exe
Token: SeUndockPrivilege	2160	powershell.exe
Token: SeManageVolumePrivilege	2160	powershell.exe
Token: SeShutdownPrivilege	5008	powercfg.exe
Token: SeCreatePagefilePrivilege	5008	powercfg.exe
Token: SeShutdownPrivilege	2580	powercfg.exe
Token: SeCreatePagefilePrivilege	2580	powercfg.exe
Token: SeShutdownPrivilege	2776	powercfg.exe
Token: SeCreatePagefilePrivilege	2776	powercfg.exe
Token: SeShutdownPrivilege	2780	powercfg.exe
Token: SeCreatePagefilePrivilege	2780	powercfg.exe
Token: SeLockMemoryPrivilege	3396	explorer.exe
Token: SeDebugPrivilege	4104	firefox.exe
Token: SeDebugPrivilege	4104	firefox.exe
Token: SeDebugPrivilege	3820	firefox.exe
Token: SeDebugPrivilege	3820	firefox.exe

Suspicious use of FindShellTrayWindow 20 IoCs

pid	Process
5068	vlc.exe
5068	vlc.exe
5068	vlc.exe
3464	iexplore.exe
5068	vlc.exe
5068	vlc.exe
5068	vlc.exe
5068	vlc.exe
5068	vlc.exe
4104	firefox.exe
4104	firefox.exe
4104	firefox.exe
4104	firefox.exe
5068	vlc.exe
3820	firefox.exe
3820	firefox.exe
3820	firefox.exe
3820	firefox.exe
3820	firefox.exe
3820	firefox.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
5068	vlc.exe
5068	vlc.exe
5068	vlc.exe
5068	vlc.exe
5068	vlc.exe
5068	vlc.exe
5068	vlc.exe
4104	firefox.exe
4104	firefox.exe
4104	firefox.exe
5068	vlc.exe
3820	firefox.exe
3820	firefox.exe
3820	firefox.exe
3820	firefox.exe
3820	firefox.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
4816	WINWORD.EXE
4816	WINWORD.EXE
4816	WINWORD.EXE
4816	WINWORD.EXE
5068	vlc.exe
4816	WINWORD.EXE
4816	WINWORD.EXE
3464	iexplore.exe
3464	iexplore.exe
8	IEXPLORE.EXE
8	IEXPLORE.EXE
4104	firefox.exe
3820	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 3060	4576	cmd.exe	86
PID 4576 wrote to memory of 3060	4576	cmd.exe	86
PID 4792 wrote to memory of 3656	4792	lhhsgwktkatl.exe	101
PID 4792 wrote to memory of 3656	4792	lhhsgwktkatl.exe	101
PID 4792 wrote to memory of 3656	4792	lhhsgwktkatl.exe	101
PID 4792 wrote to memory of 3656	4792	lhhsgwktkatl.exe	101
PID 4792 wrote to memory of 3656	4792	lhhsgwktkatl.exe	101
PID 4792 wrote to memory of 3656	4792	lhhsgwktkatl.exe	101
PID 4792 wrote to memory of 3656	4792	lhhsgwktkatl.exe	101
PID 4792 wrote to memory of 3656	4792	lhhsgwktkatl.exe	101
PID 4792 wrote to memory of 3656	4792	lhhsgwktkatl.exe	101
PID 4792 wrote to memory of 3396	4792	lhhsgwktkatl.exe	105
PID 4792 wrote to memory of 3396	4792	lhhsgwktkatl.exe	105
PID 4792 wrote to memory of 3396	4792	lhhsgwktkatl.exe	105
PID 4792 wrote to memory of 3396	4792	lhhsgwktkatl.exe	105
PID 4792 wrote to memory of 3396	4792	lhhsgwktkatl.exe	105
PID 4628 wrote to memory of 208	4628	cmd.exe	108
PID 4628 wrote to memory of 208	4628	cmd.exe	108
PID 3464 wrote to memory of 8	3464	iexplore.exe	118
PID 3464 wrote to memory of 8	3464	iexplore.exe	118
PID 3464 wrote to memory of 8	3464	iexplore.exe	118
PID 3060 wrote to memory of 4104	3060	firefox.exe	120
PID 3060 wrote to memory of 4104	3060	firefox.exe	120
PID 3060 wrote to memory of 4104	3060	firefox.exe	120
PID 3060 wrote to memory of 4104	3060	firefox.exe	120
PID 3060 wrote to memory of 4104	3060	firefox.exe	120
PID 3060 wrote to memory of 4104	3060	firefox.exe	120
PID 3060 wrote to memory of 4104	3060	firefox.exe	120
PID 3060 wrote to memory of 4104	3060	firefox.exe	120
PID 3060 wrote to memory of 4104	3060	firefox.exe	120
PID 3060 wrote to memory of 4104	3060	firefox.exe	120
PID 3060 wrote to memory of 4104	3060	firefox.exe	120
PID 4104 wrote to memory of 4904	4104	firefox.exe	121
PID 4104 wrote to memory of 4904	4104	firefox.exe	121
PID 4104 wrote to memory of 964	4104	firefox.exe	122
PID 4104 wrote to memory of 964	4104	firefox.exe	122
PID 4104 wrote to memory of 964	4104	firefox.exe	122
PID 4104 wrote to memory of 964	4104	firefox.exe	122
PID 4104 wrote to memory of 964	4104	firefox.exe	122
PID 4104 wrote to memory of 964	4104	firefox.exe	122
PID 4104 wrote to memory of 964	4104	firefox.exe	122
PID 4104 wrote to memory of 964	4104	firefox.exe	122
PID 4104 wrote to memory of 964	4104	firefox.exe	122
PID 4104 wrote to memory of 964	4104	firefox.exe	122
PID 4104 wrote to memory of 964	4104	firefox.exe	122
PID 4104 wrote to memory of 964	4104	firefox.exe	122
PID 4104 wrote to memory of 964	4104	firefox.exe	122
PID 4104 wrote to memory of 964	4104	firefox.exe	122
PID 4104 wrote to memory of 964	4104	firefox.exe	122
PID 4104 wrote to memory of 964	4104	firefox.exe	122
PID 4104 wrote to memory of 964	4104	firefox.exe	122
PID 4104 wrote to memory of 964	4104	firefox.exe	122
PID 4104 wrote to memory of 964	4104	firefox.exe	122
PID 4104 wrote to memory of 964	4104	firefox.exe	122
PID 4104 wrote to memory of 964	4104	firefox.exe	122
PID 4104 wrote to memory of 964	4104	firefox.exe	122
PID 4104 wrote to memory of 964	4104	firefox.exe	122
PID 4104 wrote to memory of 964	4104	firefox.exe	122
PID 4104 wrote to memory of 964	4104	firefox.exe	122
PID 4104 wrote to memory of 964	4104	firefox.exe	122
PID 4104 wrote to memory of 964	4104	firefox.exe	122
PID 4104 wrote to memory of 964	4104	firefox.exe	122
PID 4104 wrote to memory of 964	4104	firefox.exe	122
PID 4104 wrote to memory of 964	4104	firefox.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1644
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3060
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3080
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3520
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:304
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4180
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "QHRAJGDI"
  2⤵
  - Launches sc.exe
  PID:4100
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "QHRAJGDI" binpath= "C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:4580
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:4552
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "QHRAJGDI"
  2⤵
  - Launches sc.exe
  PID:2184

C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:208
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:5008
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2780
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:3656
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3396

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:304

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\SearchGrant.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4816

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\RedoClear.M2T"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5068

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3464 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:8

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4104.0.702738269\548083473" -parentBuildID 20221007134813 -prefsHandle 1660 -prefMapHandle 1652 -prefsLen 20767 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a5d1989-96b7-4037-9e31-09d3a47953bb} 4104 "\\.\pipe\gecko-crash-server-pipe.4104" 1752 2484bfd8d58 gpu
    3⤵
    PID:4904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4104.1.564228155\1875528376" -parentBuildID 20221007134813 -prefsHandle 2104 -prefMapHandle 2100 -prefsLen 20848 -prefMapSize 233414 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f25557b1-b718-4679-84c6-9fc9a5ba355e} 4104 "\\.\pipe\gecko-crash-server-pipe.4104" 2132 2484baf0358 socket
    3⤵
    - Checks processor information in registry
    PID:964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4104.2.1605329661\962569151" -childID 1 -isForBrowser -prefsHandle 3008 -prefMapHandle 3004 -prefsLen 20951 -prefMapSize 233414 -jsInitHandle 1008 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {afb63414-b42a-4f86-bb15-b53c8902c7a4} 4104 "\\.\pipe\gecko-crash-server-pipe.4104" 2452 2484fbaca58 tab
    3⤵
    PID:1572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4104.3.1819416122\221075846" -childID 2 -isForBrowser -prefsHandle 3492 -prefMapHandle 3488 -prefsLen 26136 -prefMapSize 233414 -jsInitHandle 1008 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {66271cb3-6d73-4981-93b0-8fc151893833} 4104 "\\.\pipe\gecko-crash-server-pipe.4104" 3504 24850b1a858 tab
    3⤵
    PID:3536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4104.4.1216129037\1914359276" -childID 3 -isForBrowser -prefsHandle 4496 -prefMapHandle 4492 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1008 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2cd27ceb-be9a-4533-8135-a6926451dbff} 4104 "\\.\pipe\gecko-crash-server-pipe.4104" 4508 24851ac4c58 tab
    3⤵
    PID:2896
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4104.5.601205255\1432119897" -childID 4 -isForBrowser -prefsHandle 4988 -prefMapHandle 1472 -prefsLen 26274 -prefMapSize 233414 -jsInitHandle 1008 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc5d8d94-b18d-4bb7-8172-08e68f59ccd3} 4104 "\\.\pipe\gecko-crash-server-pipe.4104" 2556 24852720858 tab
    3⤵
    PID:640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4104.6.1425868130\185596133" -childID 5 -isForBrowser -prefsHandle 5292 -prefMapHandle 5288 -prefsLen 26274 -prefMapSize 233414 -jsInitHandle 1008 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c677b9e6-0b4f-4013-b4b4-64911e2a30c4} 4104 "\\.\pipe\gecko-crash-server-pipe.4104" 2644 24852e76858 tab
    3⤵
    PID:1420
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4104.7.1579909389\2014897245" -childID 6 -isForBrowser -prefsHandle 5508 -prefMapHandle 5504 -prefsLen 26274 -prefMapSize 233414 -jsInitHandle 1008 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd825fc2-9603-4a61-9c48-6b08689d9b2c} 4104 "\\.\pipe\gecko-crash-server-pipe.4104" 5424 24850b06d58 tab
    3⤵
    PID:208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4104.8.681004937\1429784310" -childID 7 -isForBrowser -prefsHandle 5716 -prefMapHandle 5408 -prefsLen 26274 -prefMapSize 233414 -jsInitHandle 1008 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f914581-aa6e-43a6-b997-dc49b23f9c22} 4104 "\\.\pipe\gecko-crash-server-pipe.4104" 5724 24850b06a58 tab
    3⤵
    PID:4788
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4104.9.245318283\273098687" -childID 8 -isForBrowser -prefsHandle 3904 -prefMapHandle 3068 -prefsLen 26274 -prefMapSize 233414 -jsInitHandle 1008 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {93df26e8-56fb-4fe1-b37b-afcbcfab6735} 4104 "\\.\pipe\gecko-crash-server-pipe.4104" 3948 2484e7ac258 tab
    3⤵
    PID:5188
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4104.10.1970951003\1580302764" -parentBuildID 20221007134813 -prefsHandle 5672 -prefMapHandle 5724 -prefsLen 26274 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9bcbb87-83ea-4630-a097-294a4afab0cf} 4104 "\\.\pipe\gecko-crash-server-pipe.4104" 5828 24853b33758 rdd
    3⤵
    PID:5568
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4104.11.1887498375\472569395" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 5976 -prefMapHandle 6112 -prefsLen 26274 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a65bf19-2497-4fd4-9c5d-b5baed034150} 4104 "\\.\pipe\gecko-crash-server-pipe.4104" 5696 2484f1f8258 utility
    3⤵
    PID:5720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4104.12.947436551\945898229" -childID 9 -isForBrowser -prefsHandle 6236 -prefMapHandle 6108 -prefsLen 26274 -prefMapSize 233414 -jsInitHandle 1008 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8217cf84-1766-4db6-9472-3a12969046a7} 4104 "\\.\pipe\gecko-crash-server-pipe.4104" 6248 248529e0f58 tab
    3⤵
    PID:5960

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2772
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3820
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.0.754683607\1409479038" -parentBuildID 20221007134813 -prefsHandle 1736 -prefMapHandle 1724 -prefsLen 20891 -prefMapSize 233513 -appDir "C:\Program Files\Mozilla Firefox\browser" - {958e38b8-be05-425d-a5e6-6de4ffcc275c} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 1828 1ecf4dd8658 gpu
    3⤵
    PID:2860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.1.1621565334\334599458" -parentBuildID 20221007134813 -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 20972 -prefMapSize 233513 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {249fd222-d7c5-4e7d-8fc2-bcb35ee750f7} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 2184 1ece9d6fe58 socket
    3⤵
    - Checks processor information in registry
    PID:5428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.2.426300128\423066457" -childID 1 -isForBrowser -prefsHandle 3024 -prefMapHandle 3020 -prefsLen 21075 -prefMapSize 233513 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed429ef3-976d-4b08-9c60-15dbe37f2f63} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 3036 1ecf8c7a558 tab
    3⤵
    PID:4788
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.3.501737805\7456371" -childID 2 -isForBrowser -prefsHandle 3328 -prefMapHandle 3324 -prefsLen 26260 -prefMapSize 233513 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1317d45-6203-4f56-a905-4efe9c552630} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 3316 1ecf95eb558 tab
    3⤵
    PID:3460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.4.43237177\428863522" -childID 3 -isForBrowser -prefsHandle 3964 -prefMapHandle 3960 -prefsLen 26336 -prefMapSize 233513 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b119e791-d3ec-40c1-aa99-f55731286458} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 3972 1ecfa5fc058 tab
    3⤵
    PID:4888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.5.205324997\622252270" -childID 4 -isForBrowser -prefsHandle 4384 -prefMapHandle 4436 -prefsLen 26260 -prefMapSize 233513 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {036a341b-24cb-45eb-9110-f95764da067e} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 4408 1ecfaf6c858 tab
    3⤵
    PID:5728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.6.823909744\852591936" -childID 5 -isForBrowser -prefsHandle 4476 -prefMapHandle 4480 -prefsLen 26260 -prefMapSize 233513 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4665813-d8b1-4176-8485-ed0973ff172b} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 4392 1ecfaf6c258 tab
    3⤵
    PID:6088
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.7.415068317\1712064392" -childID 6 -isForBrowser -prefsHandle 4776 -prefMapHandle 4780 -prefsLen 26260 -prefMapSize 233513 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5024a114-b51b-4f2a-bfd9-46657eed0665} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 4372 1ecfaf6e658 tab
    3⤵
    PID:6104
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.8.329349398\602469768" -childID 7 -isForBrowser -prefsHandle 5376 -prefMapHandle 5372 -prefsLen 26260 -prefMapSize 233513 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a78caad5-03b2-4acd-b6bf-9a7e43860a63} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 5384 1ecfc9cae58 tab
    3⤵
    PID:2896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
PID:4272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffdeea39758,0x7ffdeea39768,0x7ffdeea39778
  2⤵
  PID:3436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=1796,i,3214311972493510776,982781554920293361,131072 /prefetch:2
  2⤵
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1860 --field-trial-handle=1796,i,3214311972493510776,982781554920293361,131072 /prefetch:8
  2⤵
  PID:5128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1736 --field-trial-handle=1796,i,3214311972493510776,982781554920293361,131072 /prefetch:8
  2⤵
  PID:5168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1796,i,3214311972493510776,982781554920293361,131072 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1796,i,3214311972493510776,982781554920293361,131072 /prefetch:1
  2⤵
  PID:4816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe

Filesize
5.1MB

MD5
4fe98ba44e242b415dd4a8b8ce3f8e27

SHA1
26b410ddefb59a478c7f61d6177ac7e917a98087

SHA256
a923d8121f36eb7f81efdf2331e4cefe9034453071b80215f93b56e55a19ccaa

SHA512
175b4635f26d3d7427a4c49dc14b10dd050cb11998a069b731f182b4acc0778f0bbee797f1d5763eb2f88c17a012bbfae5fe3b5995367b3a7bbd10b774cdb497

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
8369a84cecd71aee2747ecf3443c1a9c

SHA1
6fa6986e774380a1d806d78f35347a102541d4f8

SHA256
f5491ed77b9ddbfd242f198c746e8cef40bddb18d9b1f6a948a21f917b5803d7

SHA512
5600753c2b99e95d1eeabe357c8a2e61ee8c020ed6c74bfeafe0b93146775c11acc358bd833f0bcf2e1752840034c170e2ef78ba7b9646770302353fa4b86f36

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
f2a85eae008e0e0d37022947e3e49730

SHA1
cdef12f834c5e483947ce82936f5bb7535ce47fb

SHA256
ee7e595a5adf5016a5b939cae5a45fae7acf6a341d0466e6748b16bdee94c607

SHA512
0e39856795c848f090c901a75e734c09ee9e89dc15170baf73894fdca00d11c790f29210f4f5fac4c00c38ee78d69f514fd9362bf831eb855c2a7eac4724f9a5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\030EB42C8FD0ACBF8C67AE9711CBC86ED32E7B7A

Filesize
10KB

MD5
c43d66555e1bc18b3c973e0bf3269ebb

SHA1
72d262dab90e33e778d4d341f4f922db694f8816

SHA256
333c6a27e0e0542bbcc03bd43eb729fc3035dbbe45d7deab8a0fd2c4a28a6954

SHA512
f7ff0fe1d6689b48c309b41a78063f7ee6d3acaf5f8f29725503692014cfc21ec046348e769fed04c20735595be4d61e872630c557d78bf38aafb6c9682705d5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\0353AD8756D2C09A0CDCB0B6499A5441F4BDB720

Filesize
129KB

MD5
32b355a10d31a1b7aab9483a13ba9f62

SHA1
fb6eb8f265a66d179681fa23536448644988e030

SHA256
97dee020c9c05c3812f684de885dc97aa4e3307f50225bb6c7f6f1b5d5fdc74d

SHA512
f499f655db79f0d3921a3001b1d0243f73d64e8d213f310e5235f02a0321f9415ec712f0dad518878b0642a9789c815f54c93e0b8c0d59dcc790e451e079389f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\037778A55E1B7E9BED3390289866D09402D6C913

Filesize
9KB

MD5
84f77550dbb8247d5c0e04e2bc0ec89f

SHA1
35f9ec94e9b2f4d2f63f6f64cdb835e93d17076d

SHA256
44938bffaba97743afbeda0a695ddd1d18c1391d4dc7da0bbefa2a3c553fa6a7

SHA512
55b48106c853f19c90e32fbe50a56c53f5e67957a92ec3dd87f2495634cade8ad02d56c1e24a76d098df501bee9469612db2d884fcd4721e066b9f53a28e3725

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\061777DB515B99E67A47AD8E57A622897F27A045

Filesize
11KB

MD5
ecc0ab45af2f2b458944fa638d5c5145

SHA1
1cea22d37e2f6be3f370106bb0eb2de51fce3c63

SHA256
dfd4e09a174770c85fab0a29472ae381de6cba83b0a32d05b9a7163e4c90112a

SHA512
6138c350f2836de67010459b53ebb0055f789fef98fde60b41040b50b706e110f83ec04c8ef812654202c0e39f2ffeaef72e93205870bce82db5f9bc0e25e8c7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\0834C0AA15DDCA5496BB30877DB298D42A86D45D

Filesize
11KB

MD5
930d97ed94e8f35296dbf33bbebecc54

SHA1
353ed2da85fc21f7dee365f04fc2dc4c7fabf775

SHA256
64109561b2156c53c923c2f54cebd69dd19cdc6df807c2e7ac9707ede031d984

SHA512
afde0eff26bc07d31b7a806490956d1f95fb5d20393c8d4a1cac14682b379c449413f4857d384055e6d87bf308cb28224ebc5c00e49bee60438e5a4c39685536

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\099EB2BF8827A4F91EAB3E38B14650D0205226F2

Filesize
15KB

MD5
026d9703827c761022e12e7b0ad93df6

SHA1
18a1f51173d715db8b245b1a5f334a0ffaf6d8e5

SHA256
9e3ef615af2377b566accb778139c938236b0755156f97d0cd8dc8c28bc918ca

SHA512
9fef3f966be528b8bceee82d9e9c06485716cac3bd2c989d344d38f439930d61d248878d7e9ec4105c6ca1520c769f072bd33972bea1106c407ce343a6924542

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\09A291E0B056425B58BB19F3CD7141F8BFAF3BBC

Filesize
11KB

MD5
7b8a1fd5e52301642491397a33a69204

SHA1
34a20bc109bd6fe131073b645e4a27b41c409eb2

SHA256
bd8715bb87d5b75c0da9f69a352237be973751cb213c0d11fbe31030b7388982

SHA512
b06030fc5b2ced3fca92cd01b4be15f59be35e47e7f280cf6cc0e11262d432d644a1ce84fdee6b98f8ef20323d49118a1f334ef66f9f782904b23fde422e279a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\0BF00A73F9F223915DF7B54FB9405A6413A1FEAA

Filesize
11KB

MD5
1c8fd295edd50d3112d44dbe8bbdf7a3

SHA1
ce445c59495f0238d5d9ad82e77cdf50221eb9b9

SHA256
f8447aedec7fc780c4e69ac3099343536831ac4f502300a670f1761681b5d9c8

SHA512
d0fcfb2b63e570d84867f8ab57ff067f6a2e1db611be0d49c882e3dac9de13752b4637d41269ef63d77c6ac2e4566c6ba593d93739a12f85fe3ef1f15b4f288b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\0C46720F2B531372238A307B53D44AB9E3C57904

Filesize
13KB

MD5
88ffbdd610d5d4f247f60138eb213826

SHA1
0d6df4be16be75e52b013f3690d52aabb58882b7

SHA256
278ba3eb826ae2b7d0ed1a0947dc8a392c680df908d5fed6d63a064692d3ac70

SHA512
78437dc04c7008f2c0bf5ad3fb84d8d25b7ebf8d58d575d765fd05adc2dc4182445d640fed8d534649cbd02eb5723e93a927d0d74b0cd9c1f904b88533c0414e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\0C4A0C874FE7CF6C658DB9E4A3811B8F2C139968

Filesize
11KB

MD5
dffd7b341c62d8dad51b636c903e387d

SHA1
75e6906de8135ef4b93cd42ff864b353972ae05e

SHA256
8922121a984e7974717334076d48f3ceec80afc254368e133df4978eacf9836c

SHA512
54d7abdcd8670cceb7c93db32a5669286e9c23170b613093b07470205dd5fefa9d2d93eb60c9af3acdcea2e65bfbde8e7665b07b0d99bd1750edc481b2f10911

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\0C6032D0FF540C77306DC90910C6B51CE58327C4

Filesize
12KB

MD5
3d0dbc305f497c417eaaca14e3866d71

SHA1
5ec4e1412ca630488b21ff21fcba0aa45dbb5e18

SHA256
eb406a734ab0fdd357c3f8eddbd0699aeb9f25eda58d22e628436ca6b2b00a72

SHA512
24a14bdf665f92c2cbd66f04ddde2dad251d3714f8353ac091f86998490d58905ff8831106567e1a89b9bef4ec57e35c9be7c5b584006beb8d8adeff624a5d7b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\0CE3F89DBAB38AE6AA3BE57EB898491B81D71BDA

Filesize
14KB

MD5
74e44ff7dcdd66c47344013fa1f20259

SHA1
0042fdc082554cd23ab8fe06fe0fbcdafe2f0bed

SHA256
b968416064a692a9c50d17dc2885e98a9d69d5fe1c309ab98891d39fbfec0749

SHA512
43842305d1874922b2447e118397d38253050abc650a5e83437819e233d28d778cc2ae8762144078c7d5bc6b8f370a04eac4eb0c64d3fcfde2b7c139c72e960f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\0D846FAB4E1856663158D33FEE512C0AFC2F9270

Filesize
11KB

MD5
8b7c027742fd90e9105ab60df1b8b440

SHA1
606a9bac7d8c6d7a17a813b5a1bc5f7c862a64f3

SHA256
ba8d27e14e4b22d8269332d49c353ea4b49b2fe3c830a72dab7f2fa7017d5a92

SHA512
9b02f864539c9721f4a5398a11665165530e8fec466d98529680fed570a3a691126fc677f4fabc1951d1a4d8e72358f67d8c30e5ecad29ba64b2d4542dcf0679

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\113066A1CFC9CE08D4F70DFAD63DB4C866929A04

Filesize
10KB

MD5
f7a9e4e5779d83da3a978479ccd9f5dd

SHA1
ec240285ac922f7a4b40c3e6104ca2b137a1c330

SHA256
4acc10f9f497443c25b20758f0987358e52c8e7c758342178021f0bd85771afc

SHA512
46464593d606fb7b3ab7e331fe2530b44e4d68c01498e99050ddf38e0b55e52ed0048e77e518bc8b969a0e08ea30737dda08d23672370a9c0f4e8cd324e37d1d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\11E2123899A900A1167BE98E8E9B087A3C4D2002

Filesize
11KB

MD5
6a9f0372e60e39e2e9a48d6d7232d3e6

SHA1
41f5e0b4710dc871e4a6a91d697fe3ea6d7927a1

SHA256
023e9b1fa41a294d3f066495caeeadb5bdc82dfbd50be887d62317e259cec988

SHA512
c6ca79d1f3fd81a9108f3bd49f9e690419de8889ba1bb745897f53796021fb995a45f27d35c8a63db7d82bb0e2ff4e9217781f51a4cb4b40dd0c0f12485d30b5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\125B16B3B92BC0071013E2F551DD12234F545832

Filesize
11KB

MD5
b88bab60f4d4af51cca83432cc84f82e

SHA1
dd05d0376529a7d9b43c629cad54b2f554733344

SHA256
c8e7ca46cebea57f53c24d204e63e8754abfe10f5ec90db93f16d6dda64ae13d

SHA512
3c14b27bbe4f2dd4f4b34ab0698a5698eca252ca23c718b4de1fbb4065bfe63172b83236e912995995b0472a12b66f2ec6f29ab82e0dc59e2692be2d0b53ad46

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\12628BA6346F8D3BCFC0BE23BC856676F4F9BD85

Filesize
10KB

MD5
1a5d61ec9def81f1d7c95d1a4133a4cb

SHA1
9104e9837acce88e3cd2b315da4221666b99ff5b

SHA256
3274468dd3d6f680e2d8bd529ac9711b08fb0fef954d37186abdfa45d639bf7f

SHA512
ec2cf7f479a490bf0d8a1336e3cbcce659130eff164647da1a348077a52da265bd0c64bad67e3b06a22d4b0f746f98d010b322d91250e357991f6a36f6625fd6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\12BAC26A2CF666EB11E6881475338EA712B2EC37

Filesize
11KB

MD5
2c4458f23a57cfef8f0b5dfc39648a6c

SHA1
53d4a2599285632a1e5533c1ab714aa2be431afa

SHA256
f1ae34b591af4acb99f53f18deba489a448bc6d8755131b086ed8f635e7c5987

SHA512
349505fa8186f5b35e72f0c90ab63047b18e80a634f9c163d8a346aed67821d0db36a44b8f5fbcd50f86db06be1451880e7300509bfaab19a3386fe9c7f2c612

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\136A31112CFF9A5589004D12DB0354BF42D3D26D

Filesize
19KB

MD5
8dded44c4373e90cfad49c9f71740871

SHA1
1bdae7498b79dadeb6a4ad699a372f3882b61de3

SHA256
b6f90fe0d9aae5eead074b91d2e73fe1c0bdee989c9bb637fdb99e25efa0ef03

SHA512
afc2adc496a4afb97a2b59e745fbb39360289412a11b8db1d1d1fbf9ac14bf6e88bf30d47e8d07efdbd406bb9e82250baa8167c73b94c385e95996633bd2e819

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\14D97D570ED7A05445CEC4DF7C72EB93935B1DB5

Filesize
15KB

MD5
0b5791387a0ce7f3197adcb38f090001

SHA1
14fcfb22c324bd9004c77fb193a082569fb4d68a

SHA256
f263391169ee7f3e5fa820378044f23888cad54eb28f36855ac2b7ae0c64305d

SHA512
efacf5351003a11c4d0539aa6f660c8b378b653b61e54d3753db6524ad3b8da6a04c472872bdffadd737fa801889b4aa397d246c238f38d04587ef60c878ca52

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\166E2625C4B1D313A8A22151AA00B5993D29BE12

Filesize
13KB

MD5
d44ec560ae1942598a5d61c7f41f6e4c

SHA1
1740fa1d74b7ebbade51fb4057c14a768b76c4d4

SHA256
930edb7b7ae7e16f3b43fce4970a61ac076be1667734113e965418032c1518f6

SHA512
33c63521cbe10f2773cb88ec7d3b32fff00059561cc55b667793bb85f9b3c4b2f70780a6ccec62ed7fb6e9a2c213f280388ba277a2046acc655457224d0fe597

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\167164285609C0950304CAAEEEEE9EED74566E4F

Filesize
11KB

MD5
917c267880d76c0ec27d525f81fb1130

SHA1
f57a95d389fef245670c3c5cfd2571209bca46ce

SHA256
1e4f35b04983d4f6f3585ecbc0cd229e9cd721ac6775df9f3efe6b98d9771ee5

SHA512
e732fc9ee1e4175a96c1ae5e96368127ab718bb28cdfd2095b4a6c820dc8dceb2db39b6a1feca777d02b6bbcdb35abe578c874bc24c468ef42dbea9b709bf90c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\169F38A3FD0637DFD533FEB7EA73A18D215298D0

Filesize
11KB

MD5
037a2cfd62d48dde486d280dbafc7a9f

SHA1
65f4fe59d644877533610f3aa385fddc27c3717e

SHA256
483936b89a705d88baa62866a8fbbfd4ff1c7b45542f7cef5311fc490eaf6252

SHA512
260619c2cc3ce69cb819b6d60dcaa6d34b75767694536e6e92ee67db5c1e73b8043061644eee02e9b9e9f0cab2ebfbda9fe9bde7cca431dce41a041119978f09

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\4DABAF7EFACD377F68614B900873860C74399618

Filesize
220KB

MD5
04c5a55982c698d5c098df4c41e685fc

SHA1
07a780f4230412adb4c4875a315abb11fdda90cd

SHA256
d51d5e6142150e02e87991af8a38517933f9b424e51ba73cd328abd744ba4712

SHA512
d27312b0de935c67c36645dce0a838294b77b7aaead65c9224128a369adb741cd8ee40c76a679a43cc2bfd2f756cf531b166b905271f28a8556228d215e6fe56

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
15KB

MD5
d0958b4449d3334b660f40c7163ec256

SHA1
95fec14906d2cf36419fee74288442f028981947

SHA256
97e7df76b0b9d3cf2b1e1f192088a63ddf1fdde1b405a49c0d3a5d331579daf8

SHA512
c333d8c86b012dd57a97eb042fdf7cb2411e9268b13336e0944eaa5ab96b61d32c47e205a0e451e5b0a4ae75eaedf5067d3d74aa2dddc2d46e35407307f5d71e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\8FE62B3DE243D41B99575D7049B709DEABDE78D1

Filesize
22KB

MD5
5a5b3e1895e34c9e6e88c683460a8b86

SHA1
4412f1f816bd8ee795ed14ecc30cb7ed30812e71

SHA256
359dde229aae54d06875bdba963ab0da53d483f06f67285149bb1bb64d8f4d55

SHA512
27ccb72b611611c17ac0e11aa1feadec1136a8f25caeeb7adff0bc896ca7e88ccdc3eb2822537da258a3ba52c6ef85c2a15896bbfe4ada465b145108dade7265

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\F18D85F52EBBBA2AB081EF739ED0D6E8A76D497C

Filesize
298B

MD5
344fdc896ffd8c98cc7df8eea45a3d3a

SHA1
0d3c3fb1540cdd742f8ecb03d28f536bbfa795be

SHA256
aa96b04307f89e43b51018b197db5c225d7e895b1aa9f876e70addd40d86ce5b

SHA512
bd20525d229a2ebe53a67ad174af0300ba137d45d5adb8086dcf55240f5ab779ee2c2758c94ab2a22bd84ce5144a4326377aa49d04b55c75b5b9de69c9bbaa09

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\startupCache\scriptCache-child.bin

Filesize
464KB

MD5
b1c0b3951a7abee30fb0ab72941beba3

SHA1
3d996cedee1d6eb87d144f8e220d41740978247e

SHA256
41edcec5320de0978c90cc2563ad07fd3e1e39b00be164ec27a299885b71299f

SHA512
dc2f9b4b5e4a81d9537d47372763b7570e8dee1b25e80131548ad816c8823424e9e2e298975932ea2d36e680922312cab5e65ee6c5715ba078a4c28d11b8829f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\startupCache\urlCache.bin

Filesize
2KB

MD5
92dd77539f6e2ac5e010ea2ac1cb9442

SHA1
391546122b2ca47fb4d8868117ed6c29f0152998

SHA256
bc26dc0b7805e045c41f1eef9f74d38fb21ebbbe53da507d8a5b1d9fa65fc879

SHA512
29dc0240ed8ae7927aa8ecac0ffb75eaa857e8d48f59890551e43583a67f273003b9d4ee5ea74091495797a28182e59daac4299bc011b5460d49203be95dcf0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cosg5puh.nfm.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\AlternateServices.txt

Filesize
1KB

MD5
2430f26001c69d565b337098865ff93d

SHA1
e4f4b62a1d5b48919fea58bd66b5cc9f57b31371

SHA256
4e97bdfea0d4c08c4bd21c57711e164775b9ff1044933895e6443c4cd57bd3cb

SHA512
43ed2c1516fdf9d7ce08520267892cc77dc7dee8f1e74a57a09b20e9701928cd1abec8fe83176de0c19c48228424657a306dd32a4c72282a86ad49a343db5abf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\SiteSecurityServiceState.txt

Filesize
439B

MD5
7a168d58a8da983621416e14cad745e0

SHA1
e1e63f13d6d67d06d94d6277ecf2fb64197f01db

SHA256
72950117f47db52e3283d51271770c838c84ffd67385c0a863c93bebb8a55160

SHA512
e7bb6a7d9d99dc1c214cd043fd92238d4399ff3b8c730be0d7605914a2f1ec48f91b498492a02a4d4680fcc2bbcddbac006c57ab77485183f0d96da98368611d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cert9.db

Filesize
224KB

MD5
2f0a74d8b65543d28de55c6fa10c01e9

SHA1
2db331dc75f4e8783b3197a017b96efeb2d33625

SHA256
90a38f313fc44b96ebc223b8c8a3223128e648297d1d292dec5409017d6fe5ea

SHA512
e6381bc8d4a893a0c3d8eb9ea4c15556b7fead076a8b8b7c7bc68acef196002f2e1ed39dc59eaa311bc7ed4e27c1382dc89bcd915705514a1f70d692144265ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cookies.sqlite

Filesize
512KB

MD5
392ad6494b48efa3d451f2e69161bf34

SHA1
5fb0371c08b6b2b3ee6b9f5139256705c532e2a1

SHA256
61fac473ddf0edafced2d44bfd3f9fca0c53b7b6f5d9c2d43fbd7abf4c0e041e

SHA512
b2dbb683f1014ec97e998e792ac47e0c0ada8666a0300aa4415f0d209ef3f6974e868bdf130d4a3890a284a71bb6642e1b69ab3173cef7f29ad34a934c3cb723

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\db\data.safe.bin

Filesize
13KB

MD5
bfcb4199abbdef708d9c285b32a92a8c

SHA1
1d0606516cf6f09dad28b0ae2ddf3ed3e3357ab6

SHA256
7064657d3c278110abe674bec8cd4d8991043757cea9f16595b69057483b2844

SHA512
3ed98a184e30815637493a7da82db00f702df4cbcc4f28cb7af07902331c7300755d465f53a2feb2cd7ef4a3df8874ab6e0b0dd8d10cb9f6fc7405e8de08d655

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
980682b1798bbb4ffbf61737abfd18df

SHA1
754df5273e614d8b42872ef4409cbe6f16112e69

SHA256
0d1e23276cf64fbdd6a3ddd8a1a62018c0d8568ab31ca6abd12517b9ca113639

SHA512
6ec41e939599ffcd23c3e974db5f6ac45511d0f01702e69ffe3fe5a476252fbe6473b683b19e7e6f6826148c94418cbbf79a99e403f62f16a47cebe066edc817

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\events\events

Filesize
166B

MD5
fab80fb3232d9c34212363da0a2df191

SHA1
8e77ab51d0b7232a9fdbe91b44f096b129136407

SHA256
e9e567bef6c83b16eaa9839489e22e0a698df9662a27fcb1f37e9c6965bf004c

SHA512
eb60d2f06dce124b4b3c372b6c422a41623157ff5bbe5f57cec6459c542058cc5a11274d8c20f768cbae661acfcaead91a120aa9db767490f202aef3ae706c9a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\5081be2f-5687-4283-9483-468f43676a7a

Filesize
746B

MD5
c24bd93f646556faee368d36038d4f23

SHA1
81b5d633c3359bc44d910909cb52053623b0bb17

SHA256
84f326e335e224b5441dca5c91f04044e5d07960040b75e0f02468efa0db1dc6

SHA512
1ec4615c1803aafd0529fdb8b877cbce65bc4af4a2cd9b326beaa75c3f339663c57048b58697c03cdb8cfaf398279a9c49086f5e57ab8404a66830d0fd65234b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\87e67f65-7941-4900-bd33-4b9fb06518f2

Filesize
10KB

MD5
e15f387fee1817ad7681057a50953eef

SHA1
9a00d84f7cca171a0c019b9ff1c86290ce3a19b6

SHA256
1100225f9495b68521611ff326b070e95f928f2d89b02c471fc1425c1293703c

SHA512
94228998cf9398978f28ce5dd233eb6fce9ad5a5c88764e7430935546c125b3dedfdb8a40c27c488e57feed37186274643aeeb9e6b1fe0e170de6d29815d843d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\944220ca-236c-477d-bed8-d6a8a28a3e4a

Filesize
790B

MD5
4b4580622d54ba937f9cbd58d46d307f

SHA1
8d0cf456ba1ea35f34161f39dcb4e4267ded42db

SHA256
3bf192b16682ce47b3886f09eccad1b43954ca8642f40ef1ab64c36210e53a3f

SHA512
13af8970b6acbb1f76951477d26fabda5afee2bd4b5673329b537dbbc4c081b009bccdb45e3dc14a38aa12c03b104467f2eb40c25251fd9125a104f5b77ecd77

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\cb5352da-4312-4e78-8a6d-0bf0380e0be5

Filesize
771B

MD5
a3b23f1d277698cd377332e779b2ab55

SHA1
2263fb630a8d2e85e3c05210216a333b492c55c7

SHA256
53d38af5d0be86567db954c1c76abb8a3074f1b04a7c49baaa9a729150ad6247

SHA512
a7607b835fb30759ee7e6b2d197046505fd5fbc0edb350f1e8decc6e55883744f9dd8d31dd8d8dd0b5a1ec3abe3c8c0bdcf90270169e3e83c0fb055af4d314f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\favicons.sqlite

Filesize
5.0MB

MD5
c4f49bed06386cdec3d164aad50f06e4

SHA1
ddebee2ab219f1fd71eeab0a2d96824290861f9b

SHA256
845ac84b3f65f3c41883c808cd505bce3d5f98e160a0b79513057c7a48b093f0

SHA512
5cc8a82fb913656edc85cb76a5aacc236885430402ffcb1aa372dc735fa970615cd36c16bf2822cbde10b28d0c1b794a2b8007c74c2970691aae20cfadb8fb33

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\places.sqlite

Filesize
5.0MB

MD5
3227e4e4451bd7cb75e01f67358597dc

SHA1
b6d99956a03b4b0a8dd1a65ea28877dfbe37fa28

SHA256
d9f1e6bba08f30bf0b0394ac55011ce9ef57d7f8e90a03d4a1f16e9e25e4a41a

SHA512
66c0f0be8c70b9f1d8797189f046bd304017ce199b3321391a74e252ff5a8791c14a232bd5b729c2d82ab220c6a597510ed464c8fd0b9f23266f8cc366482d0a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js

Filesize
6KB

MD5
2015bf5df16acf887db89e69da713e4b

SHA1
256b6d63abb529717355526988d4432fa351e9c6

SHA256
3f221f3f4c51d91a64971aa35cae51c4c5ca4069adb0d2f315872f4cd00fd3b2

SHA512
0ff0e78dac180eb1d14e72cd9a7149bf86de36c069f3410db8951933c8af734d0709293de2f4440930e0cb89a6146f9220016a8532c09aaa0a449a7ea37e13c2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js

Filesize
6KB

MD5
1575d7cd4de64fe206eaf33585d1216c

SHA1
0b14f3774f482130e2f470411dff289bf7685fb5

SHA256
9c2f93a58cbe9e28d0c9572471dacb52d81ca721a37f6aeb7dd74e2d8c051f2f

SHA512
55c7f1de9e045986d123581fd912f9554a815eceb8ea2f74db4f6fbd7c335d574874d1f6c86f33ddc7bec84b0e8f6bb23895b9956d2f2ee6a55e01d35c4098e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js

Filesize
6KB

MD5
df465375ac4463a1a9949c86b46d2f82

SHA1
14e3d019a1df5c2aabf6427254b1f720da95703f

SHA256
3ac1a74f8a99014dccaad18f29dbde23a2dd445aa1d8aef5092fb8fa567d55f9

SHA512
d0c4d88bfd5de60841289becccf999c04bff47c98e582afedc583a8028bfa954b0ad69af5248cf770c3da82c8035d0d5591bf16d0ebae10c2448b4cf6670ec25

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs.js

Filesize
6KB

MD5
200a2e8787b7418633b9b93f806ac6c3

SHA1
b4081c65cbb064dde37885b9a92b61fbd9e29034

SHA256
c9b645dd9ba14368d6156deb0b8e6e75f8c853f48f23a3cbdbc1a61d8c3e8934

SHA512
56ec7474d6ec3a32c666913ade99f2acc8c3d18eb71fc1638a6f6751741375a360c7c9d308183b65f0c706aae1ecff612199f239b1a5dc63ff7f45b2d0a699c7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs.js

Filesize
6KB

MD5
2b765c51ba2707e4130a61ef834ae985

SHA1
4aac4230be9c7d14a7b16b592d757d54f475f385

SHA256
1cfddced25d7a99d542b9b62ee521c2e5e4f88e6f38fe099d99563f6872352b6

SHA512
afd1cf0021046a448f9e41cba2da09be4455900dbd89eb1e0bad7bce3b3140ae5e0f5470a60d634c7b4d582c8f4d542b5441e32e742e1ce90d92808c2079e3ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\protections.sqlite

Filesize
64KB

MD5
49397db0486dc59d607907a086f40c9b

SHA1
08742ce9db9569062def08e99eea8470702feb7d

SHA256
890033ea279f13478e655150a823a5f84176d2f8f2ec3724dc61dfec775707c4

SHA512
fc8dad1ae2215cd96c41bb3e683670bb9138467677da46c19d1e58972775842a995b70123c22ea1efb659d043f5116d0c9dca422035a6646b35f81033c9f5f53

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\serviceworker.txt

Filesize
162B

MD5
2c28bb7d023b5b914fb060eef0527e88

SHA1
a81cc21ad55e856507fb4656c0266897ed0e5112

SHA256
706c7a78b1ab7ec2fa7b807833892c6f24e595e694536c20ca7ae86bacb657e8

SHA512
d0a4499bd9f4e5b3a1c4ff8cec5cbe472d2e9efb6381217ada7c2f5c34b2f145c8ba12874062e3a0de7b8ac7071a96015c311c07c034b3cb427d30735fd45f84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionCheckpoints.json

Filesize
193B

MD5
2ad4fe43dc84c6adbdfd90aaba12703f

SHA1
28a6c7eff625a2da72b932aa00a63c31234f0e7f

SHA256
ecb4133a183cb6c533a1c4ded26b663e2232af77db1a379f9bd68840127c7933

SHA512
2ee947dcf3eb05258c7a8c45cb60082a697dbe6d683152fe7117d20f7d3eb2beaaf5656154b379193cdc763d7f2f3b114cf61b4dd0f8a65326e662165ccf89cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionCheckpoints.json

Filesize
288B

MD5
948a7403e323297c6bb8a5c791b42866

SHA1
88a555717e8a4a33eccfb7d47a2a4aa31038f9c0

SHA256
2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e

SHA512
17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionCheckpoints.json.tmp

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionCheckpoints.json.tmp

Filesize
193B

MD5
d4e0a58220b9ea82cc0b358cab1b54e8

SHA1
78ce9a8adb5a00c5cdac1eef5263119ab6c3e203

SHA256
a093c1949c8b356e5b9d7043a2560ee38862886941cda034d212a8e48e155a0b

SHA512
3baa40d6f63574cfba3b5149f19b0dceb037ed1a80c5277074a24aa5749429a45c4646ecd4c450034fe7a9cab771bf19ef1adcb39522a14004f3b12d41067c0e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionCheckpoints.json.tmp

Filesize
122B

MD5
99601438ae1349b653fcd00278943f90

SHA1
8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9

SHA256
72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a

SHA512
ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
12KB

MD5
4cf827ac0830194d2dd5e6e7944bc908

SHA1
d7a428623dc4a2f57aa686c1244f87c30510204b

SHA256
568b1e0290d4c69534698831b885d44a677fbb279c00af48f1fef395a67c27ef

SHA512
a0eb7ea3f9f7269fbfd25be2fc1d678f27304a0eec4084c8095aef17b3b12eb1ff224a8c2d4725a03fdf7698a7a1fba359326b5175eb446efa7b38f9b776df9e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
12KB

MD5
6c4c472a6804e8c4dd6699fce50db194

SHA1
f6e9e1feb60929c78a355333d92304e119f0bed9

SHA256
3f0e85de7cc46abe8f062ddc2ce0847702df5f596a1d39bbb240d3099a3f4ee0

SHA512
02954f10ad54e20b0d3049fb4a8ca791d8ed53fd5b2e0d1ebb77a8c73039bba16da2b965f0f1173de6e1f7de98b7ee0afbd97c5f2462490aaabed8811c9f09e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
923505df92a96d66e820a033e6d6fc26

SHA1
e7bb3d4b1644f72b161e6ff82bbb3c83b2792b31

SHA256
d50a7373ae41ecc187457006541435d3d02313fef3883c16d7d14260b75cc736

SHA512
3f6283c8974bf263013a01cc35cff9a67af5df41d760721e7f8f9f9a408f5dd99d5ef95abe6b14b436ce18b316bdbe30c1814b1ce6e5635a4e07b95ed4d79bf5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
e245f8f4370ea067f5cdf11acf5c7fe1

SHA1
562f509629109fc797d9506873d7d08cc876ad9b

SHA256
3047451238d2aec28ccb92c032e277cd56a31cdba03098c00f19277723ed8ec8

SHA512
714d9727ff44618788d0a89b68e04179e3d6fffdf48345a060e259f049b70984f0d2f2c8f973ffa58a7332ee1a59221d63bb45c7a2eb85f16c8bf0d2a4b432d4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
12KB

MD5
2661d197e77a630fbb50ab9835d7331f

SHA1
9e64456e9dbcb9e8480c9ace15d551406975c37c

SHA256
430fc6698fb6c7a0fc3e00a75f8b8b16363d27f582c660002b1c9ba28a74df50

SHA512
6bcd5fe8e565d1ef2adc2db39c5267972fb936e97ae48d61f47e96b2489c75f474fc7b78c0f5eb1512e2f2166efb6287d7afcd55a373e0e21cd88aec4ab04da0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore.jsonlz4

Filesize
9KB

MD5
f925f9f78f91d5d1f7185f8821b1f5ad

SHA1
b31cbe02028cc2b4bad0f97ab8f5b40501176aa4

SHA256
c06b01f92d8ecda23948444bfae0843fb7f04f3b266a45a335174d584f5a0364

SHA512
d40d59027b43a154d199a2fb883d4b06b7742f08b17fd4f635d2d799e47634ba32ce79778d3d685affe087767612f8281a85201504c55d39c737c3135bd42dce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore.jsonlz4

Filesize
4KB

MD5
c913170ab21450d13f6badc27dd7c675

SHA1
fa051f2f5e27c7df802b176ad9d4ce64887f3fff

SHA256
5ebd4a1b9f75a8c7a128084cf26eff2c24f49f5a85b618f50003ff02f3f93e15

SHA512
2e82d96dc813ce26818959dbb137e33f1be4ee4cee01c54ca58875519133e221b85db54a4a2d3cddbdd257d76c449986c4961231b59341c883386acefd21b51d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\storage.sqlite

Filesize
4KB

MD5
7a1c3b4f5b3331dab6a826a38c3df83d

SHA1
f97a4bd447b959ef0fa22aef38edc92b63e6b909

SHA256
1c9521aab390201d6e169a10936e48ad6dfe9862e61e7515148ff7e16ff02807

SHA512
9ea25b876751758e1a0a5e069a0d8cf6fe0fa55064904a9f2f32bb278428e3e06aff3703da1f2f128b44681aae332d4eaeba980438675501d659975acf0cfbd3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\storage\default\https+++www.google.com^partitionKey=%28https%2Creddit.com%29\.metadata-v2

Filesize
176B

MD5
09b4a1f6c4c274e71cc228c8f86daf8b

SHA1
58fb921502a515c3f508bd7a21622bd8b0763e72

SHA256
9c4bede15bfee50d476515cc7c22c856a9d6a2df4b7a33bf9a9a59cfc7019d1a

SHA512
ce04ed117472a7c6baba827fe8f43d7840ffa31c8457e8c470be316c801635c199a187261c209689a3c6ee34c0868b64e1413ec1722f312ec61b81b94fe2c577

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\storage\default\https+++www.google.com^partitionKey=%28https%2Creddit.com%29\ls\usage

Filesize
12B

MD5
4c428e195a2fad0b912480f1aaa48bf3

SHA1
52a8ec75e9ebe26a80438cfa5b234ccd96f24621

SHA256
330e0baa0683f9a1187cfcee449c80c8d142c70ed58f6ed5bff634f23f399a8d

SHA512
795d309afb1c8bd2bb3ffa40ad5632fca3a1a8926143a1592a051ec8667bddcb21d0540fd33a898e4f28bfd65e13ae96693d96b11c13adcae09ff1f415a13ef2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\storage\default\https+++www.reddit.com\.metadata-v2

Filesize
62B

MD5
68f851def2690b01e448d1aad071e6dc

SHA1
f8dca6f47d0a127466afea2b6b2ef17a4a9bbb6a

SHA256
db2037ba2072bbfdbb435e82c3ad13ef8b555560d3e8c5ce4eedf7928b330834

SHA512
c4b20c64bc6ab0b08ceebf979c8f68a8b8e374a4810e7284f2c41b2c57e549fd417eb8dc812a8a70a390bc485800261661df82c9734e3427f7086a557daf18e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\storage\default\https+++www.reddit.com\cache\.padding

Filesize
8B

MD5
7dea362b3fac8e00956a4952a3d4f474

SHA1
05fe405753166f125559e7c9ac558654f107c7e9

SHA256
af5570f5a1810b7af78caf4bc70a660f0df51e42baf91d4de5b2328de0e83dfc

SHA512
1b7409ccf0d5a34d3a77eaabfa9fe27427655be9297127ee9522aa1bf4046d4f945983678169cb1a7348edcac47ef0d9e2c924130e5bcc5f0d94937852c42f1b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\storage\default\https+++www.reddit.com\cache\morgue\40\{dae5ea21-cf5d-4e81-855c-168f8b5df128}.final

Filesize
2KB

MD5
d106e9d73e807ce0916ac3fa51d1461b

SHA1
a1138b90f539ebe70efe33fa35f96f237fc2c059

SHA256
1ddaf57a54e90c2f53b0f3479651a124f56d1ea3ade097cd0bfa0157de62f942

SHA512
28a0a450cb47d9dbdc743a5ff5e472ace7ffcdac7644d155378e9a848563b58061110f7fd1e2006c4baf1229efc138f6f3ddda847f1191557765529a8e3517ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite

Filesize
48KB

MD5
0dde88768d152bea3ba02621f473aada

SHA1
3259a780af87ba7d0e079eec0b02bf3e4f7cac9a

SHA256
3fe08ac3fd47364c4fc0ecc2aa7fadaf37ac6013e14b8fc9e7993782505af714

SHA512
f5e50cdb8d00e0398fc291c4b8709178e2822709e6cdde7ed460b34edccf6eb8122ec61bc03a9fbe665c91044e42681e862a3864e268e8d920141d25bd11a2cb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\xulstore.json

Filesize
120B

MD5
05e1ddb4298be4c948c3ae839859c3e9

SHA1
ea9195602eeed8d06644026809e07b3ad29335e5

SHA256
1c2c5d5211674c3c8473e0589085499471399e53e9a85d7dd3b075fef6cbb6be

SHA512
3177b48cd0c877821419d7e5eb247a4c899bc37258994f22257ceaafefb316e6f5959faae02e380e432d7752f0218d45d56d6878c1e751d201d9fdb3ff98612e

Download Submit
C:\Users\Admin\Downloads\LimitResize.vst

Filesize
460KB

MD5
b1fcc3c20d026fd465eac8ad81e912ae

SHA1
e4e31f8f861c544fa09427b06f3a12cc5774c80b

SHA256
68f1f6eefe6a83a999e04f9f9080a050c79af2d5103761db11340107b5d2fa35

SHA512
4db7d8f3b7b2aaa750516fa8170cca86c15d1c53a9a0b0c95c57666e98249672fb31aeb95e8b41231d83dc3482ef89d6b0bb4c25584ffbed0194b785c4fb024d

Download Submit
C:\Users\Admin\Downloads\PopSearch.ocx

Filesize
604KB

MD5
230f287f54ebf90083dc0a904c1a2836

SHA1
d904c2006a7d5d3f3f66887ef9b63c8f7526f5a7

SHA256
6fbd8eff2ead7865d124e4b144a91e2aa6e06e445678c7fcf68d4e323bcba278

SHA512
062fef82af55e24f78dca47437827003941d7b44c62dd70fe166ebda88d7adfb570d30bc10a137ed5a3a92d6a6016c4faf62a06a64d14a1438fbc5a6ddb2f08a

Download Submit
C:\Users\Admin\Downloads\PushBlock.gif

Filesize
293KB

MD5
cc767670ae121a20fe804e0e4244239e

SHA1
aa2da26d973910f6b1757b15cc46faccc60f7c2f

SHA256
e8236dd76600def3894651a54cf6bce0b896d03f0efa46b80c71b98c7e2116e7

SHA512
655741cfff57a2820048f2d13ff7225bca72f559cb2ae348225c431fc80240ee6975e62881a87d31fb9316e093214c955fad866517b3e7a119818acc9c5917d7

Download Submit
C:\Users\Admin\Downloads\ReceiveConfirm.xps

Filesize
616KB

MD5
69c6b1dd0e697da6c5049c671b445274

SHA1
46859ffd0eba2812e04844fdb8cb0436529b7391

SHA256
439a90034d92782421053a826e2096d9664c3fbfeef5d1396a06940fc3646567

SHA512
84e418e0ad255b0b9e2bcbc105a4ea5a2923ac52c7eff82c132005f93d034bf8ff84c426f2f2e1fff99793c3a80aba14ce2f25c35f8d8b6e0d54f72c75bdad00

Download Submit
C:\Users\Admin\Downloads\RedoClear.M2T

Filesize
329KB

MD5
5075355ce998445c651ce5b3b0711336

SHA1
8d0a067d0296ce3fde06da9b858be63a6bc9a5d8

SHA256
b22d3a5775282c09e41faf7e0a7b30a1a33bf1c94d585c55ed835a3ea5734e42

SHA512
a77ab32f09a0b8ce033f0519a6640d24bc3852245efd3353b4a924d186d31cac6e3ceca1398af9ca2776b58324d2579163e219f1eccd0284ed13fd2cdd1376b0

Download Submit
C:\Users\Admin\Downloads\RemoveInstall.ogg

Filesize
508KB

MD5
7de907244a5cc24d5da658efc4ab75b7

SHA1
ba0a9ab94071ff49541dd987713c431b80dd5059

SHA256
8e7588f4142de4e2aa5ee92ca9b7439e824839fc6911c96874b12c3c3d968c34

SHA512
075dbe98dcf6b844e4f7cffcdff51a7d02d176d23c1fde3f7e01092fd0005fffded685c066fefec49df80535931ce62030ca4a71384528aa04d899726262a6ef

Download Submit
C:\Users\Admin\Downloads\SearchGrant.doc

Filesize
496KB

MD5
dae630ca5aca8c7af0fd491db7dd847b

SHA1
289f946200193ac5f053c69adc285098482ce263

SHA256
8dfe786b4f747891ce0de4f07255c966e5a4c3ef4a9d9ff7cc39b80999d09fa3

SHA512
faefea38fa092f5e6d076e673b7152320e273f40afd23303294f4646ed4b70ffb5417fda75625f0d6d9c70c8c6d9d778768688e5c1c5f43efbe16cd227db456e

Download Submit
memory/2160-76-0x0000023421700000-0x000002342171C000-memory.dmp

Filesize
112KB

Download
memory/2160-115-0x0000023421720000-0x000002342172A000-memory.dmp

Filesize
40KB

Download
memory/2160-82-0x00000234218D0000-0x0000023421989000-memory.dmp

Filesize
740KB

Download
memory/2188-50-0x00007FFDFC070000-0x00007FFDFC24B000-memory.dmp

Filesize
1.9MB

Download
memory/2188-6-0x00007FFDFC070000-0x00007FFDFC24B000-memory.dmp

Filesize
1.9MB

Download
memory/2188-4-0x00007FFDFC070000-0x00007FFDFC24B000-memory.dmp

Filesize
1.9MB

Download
memory/2188-5-0x00007FFDFC070000-0x00007FFDFC24B000-memory.dmp

Filesize
1.9MB

Download
memory/2188-7-0x0000020BC8530000-0x0000020BC8552000-memory.dmp

Filesize
136KB

Download
memory/2188-10-0x0000020BC86E0000-0x0000020BC8756000-memory.dmp

Filesize
472KB

Download
memory/2188-23-0x00007FFDFC070000-0x00007FFDFC24B000-memory.dmp

Filesize
1.9MB

Download
memory/2188-46-0x00007FFDFC070000-0x00007FFDFC24B000-memory.dmp

Filesize
1.9MB

Download
memory/3396-218-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3396-217-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3396-213-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3396-214-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3396-222-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3396-216-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3396-224-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3396-221-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3396-219-0x0000000000760000-0x0000000000780000-memory.dmp

Filesize
128KB

Download
memory/3396-220-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3396-215-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3396-212-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3396-223-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3656-205-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3656-207-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3656-211-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3656-208-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3656-206-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3656-204-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4816-230-0x00007FFDBC100000-0x00007FFDBC110000-memory.dmp

Filesize
64KB

Download
memory/4816-229-0x00007FFDBC100000-0x00007FFDBC110000-memory.dmp

Filesize
64KB

Download
memory/4816-231-0x00007FFDBC100000-0x00007FFDBC110000-memory.dmp

Filesize
64KB

Download
memory/4816-228-0x00007FFDBC100000-0x00007FFDBC110000-memory.dmp

Filesize
64KB

Download
memory/4816-234-0x00007FFDB95B0000-0x00007FFDB95C0000-memory.dmp

Filesize
64KB

Download
memory/4816-236-0x00007FFDB95B0000-0x00007FFDB95C0000-memory.dmp

Filesize
64KB

Download
memory/5068-387-0x00007FF614A90000-0x00007FF614B88000-memory.dmp

Filesize
992KB

Download
memory/5068-388-0x00007FFDEE920000-0x00007FFDEE954000-memory.dmp

Filesize
208KB

Download
memory/5068-389-0x00007FFDDA380000-0x00007FFDDA636000-memory.dmp

Filesize
2.7MB

Download
memory/5068-391-0x00007FFDEEF30000-0x00007FFDEEF47000-memory.dmp

Filesize
92KB

Download
memory/5068-396-0x00007FFDEE080000-0x00007FFDEE091000-memory.dmp

Filesize
68KB

Download
memory/5068-395-0x00007FFDEE350000-0x00007FFDEE36D000-memory.dmp

Filesize
116KB

Download
memory/5068-394-0x00007FFDEE3A0000-0x00007FFDEE3B1000-memory.dmp

Filesize
68KB

Download
memory/5068-393-0x00007FFDEE3C0000-0x00007FFDEE3D7000-memory.dmp

Filesize
92KB

Download
memory/5068-392-0x00007FFDEE900000-0x00007FFDEE911000-memory.dmp

Filesize
68KB

Download
memory/5068-398-0x00007FFDEAB10000-0x00007FFDEAB51000-memory.dmp

Filesize
260KB

Download
memory/5068-397-0x00007FFDD7A50000-0x00007FFDD7C5B000-memory.dmp

Filesize
2.0MB

Download
memory/5068-390-0x00007FFDEF180000-0x00007FFDEF198000-memory.dmp

Filesize
96KB

Download
memory/5068-401-0x00007FFDEE060000-0x00007FFDEE078000-memory.dmp

Filesize
96KB

Download
memory/5068-402-0x00007FFDDA310000-0x00007FFDDA377000-memory.dmp

Filesize
412KB

Download
memory/5068-400-0x00007FFDEAAE0000-0x00007FFDEAB01000-memory.dmp

Filesize
132KB

Download
memory/5068-403-0x00007FFDDA2F0000-0x00007FFDDA307000-memory.dmp

Filesize
92KB

Download
memory/5068-399-0x00007FFDD1AA0000-0x00007FFDD2B50000-memory.dmp

Filesize
16.7MB

Download
memory/5068-532-0x00007FFDD1AA0000-0x00007FFDD2B50000-memory.dmp

Filesize
16.7MB

Download