rhadamanthys | 59922610678132915fd74ecc4c3f2117987135537bca02b830b08f27c3ac96d4

Resubmissions

16/07/2024, 05:11

240716-fvrb7ayhlf 10

16/07/2024, 05:08

240716-fs2edaygnf 5

16/07/2024, 05:05

240716-frcdvswdkp 7

Analysis

max time kernel
304s
max time network
349s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
16/07/2024, 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Patrick.pdf
Size

36KB
MD5

8cda87bb4d6f53572254f7be23544b5c
SHA1

29e3ac8d5890f2bacdabdd26a7fe1c79307df3a7
SHA256

59922610678132915fd74ecc4c3f2117987135537bca02b830b08f27c3ac96d4
SHA512

d91f13669edadaed762c329f296c8771e6c847f57507144c92092a8043e68f013f4101fe2697545b1c7e77d5336f7771cdc0aec155240e1ae124d44cf8b319da
SSDEEP

768:V+EL9njhyr5AD4UPbBbFUjDNZSlDc6edap9otZNZo6a2X:V+i9jha52H0vNZSlDc6ofNOqX

Score

10^/10

rhadamanthys execution stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 15 IoCs

description	pid	Process	procid_target
PID 5124 created 2924	5124	update1404.exe	49
PID 6092 created 2924	6092	update1404.exe	49
PID 4364 created 2924	4364	update1404.exe	49
PID 4904 created 2924	4904	update1404.exe	49
PID 6048 created 2924	6048	update1404.exe	49
PID 5268 created 2924	5268	update1404.exe	49
PID 736 created 2924	736	update1404.exe	49
PID 5040 created 2924	5040	update1404.exe	49
PID 5188 created 2924	5188	update1404.exe	49
PID 5200 created 2924	5200	update1404.exe	49
PID 5376 created 2924	5376	update1404.exe	49
PID 6096 created 2924	6096	update1404.exe	49
PID 3560 created 2924	3560	update1404.exe	49
PID 4996 created 2924	4996	update1404.exe	49
PID 1884 created 2924	1884	update1404.exe	49

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5784	powershell.exe
6104	powershell.exe
5616	powershell.exe
3492	powershell.exe
5912	powershell.exe
1480	powershell.exe
368	powershell.exe
1488	powershell.exe
5460	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 56 IoCs

pid	Process
4996	Installer.exe
5940	update1404.exe
5308	update1404.exe
5040	update1404.exe
5916	update1404.exe
780	update1404.exe
4264	update1404.exe
5092	update1404.exe
760	update1404.exe
4860	update1404.exe
5888	update1404.exe
2216	update1404.exe
5340	update1404.exe
5432	update1404.exe
5452	update1404.exe
4740	update1404.exe
4936	update1404.exe
3252	update1404.exe
5772	update1404.exe
3892	update1404.exe
5200	update1404.exe
4788	update1404.exe
5100	update1404.exe
2264	update1404.exe
3928	update1404.exe
5856	update1404.exe
1312	update1404.exe
4848	update1404.exe
2212	update1404.exe
5068	update1404.exe
3108	update1404.exe
5208	update1404.exe
4624	update1404.exe
2896	update1404.exe
3112	update1404.exe
6044	update1404.exe
4044	update1404.exe
5756	update1404.exe
1096	Installer.exe
5124	update1404.exe
6092	update1404.exe
4364	update1404.exe
4904	update1404.exe
6048	update1404.exe
5268	update1404.exe
736	update1404.exe
5040	update1404.exe
5188	update1404.exe
5200	update1404.exe
5376	update1404.exe
6096	update1404.exe
3560	update1404.exe
4996	update1404.exe
1884	update1404.exe
5772	update1404.exe
1660	update1404.exe

Loads dropped DLL 7 IoCs

pid	Process
4996	Installer.exe
4996	Installer.exe
4996	Installer.exe
2412	taskmgr.exe
1096	Installer.exe
1096	Installer.exe
1096	Installer.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\launcher289\update1404.zip	Installer.exe
File created	C:\Program Files\launcher289\update1404.exe	Installer.exe
File opened for modification	C:\Program Files\launcher289\update1404.exe	Installer.exe
File created	C:\Program Files\launcher289\update1404.zip	Installer.exe
File created	C:\Program Files\launcher289\update1404.exe	Installer.exe
File opened for modification	C:\Program Files\launcher289\update1404.exe	Installer.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	firefox.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x00050000000006d5-922.dat	nsis_installer_1
behavioral1/files/0x00050000000006d5-922.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 59 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Installer.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
5912	powershell.exe
5912	powershell.exe
5912	powershell.exe
5912	powershell.exe
5460	powershell.exe
5460	powershell.exe
5460	powershell.exe
5460	powershell.exe
5784	powershell.exe
5784	powershell.exe
5784	powershell.exe
5784	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
6104	powershell.exe
6104	powershell.exe
6104	powershell.exe
6104	powershell.exe
4996	Installer.exe
4996	Installer.exe
4996	Installer.exe
5940	update1404.exe
5940	update1404.exe
4996	Installer.exe
5940	update1404.exe
5940	update1404.exe
5492	openwith.exe
5492	openwith.exe
5308	update1404.exe
5308	update1404.exe
5492	openwith.exe
5492	openwith.exe
4996	Installer.exe
5308	update1404.exe
5308	update1404.exe
1764	openwith.exe
1764	openwith.exe
1764	openwith.exe
1764	openwith.exe
4996	Installer.exe
5040	update1404.exe
5040	update1404.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1352	firefox.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1352	firefox.exe
Token: SeDebugPrivilege	1352	firefox.exe
Token: SeDebugPrivilege	4996	Installer.exe
Token: SeDebugPrivilege	5912	powershell.exe
Token: SeIncreaseQuotaPrivilege	5912	powershell.exe
Token: SeSecurityPrivilege	5912	powershell.exe
Token: SeTakeOwnershipPrivilege	5912	powershell.exe
Token: SeLoadDriverPrivilege	5912	powershell.exe
Token: SeSystemProfilePrivilege	5912	powershell.exe
Token: SeSystemtimePrivilege	5912	powershell.exe
Token: SeProfSingleProcessPrivilege	5912	powershell.exe
Token: SeIncBasePriorityPrivilege	5912	powershell.exe
Token: SeCreatePagefilePrivilege	5912	powershell.exe
Token: SeBackupPrivilege	5912	powershell.exe
Token: SeRestorePrivilege	5912	powershell.exe
Token: SeShutdownPrivilege	5912	powershell.exe
Token: SeDebugPrivilege	5912	powershell.exe
Token: SeSystemEnvironmentPrivilege	5912	powershell.exe
Token: SeRemoteShutdownPrivilege	5912	powershell.exe
Token: SeUndockPrivilege	5912	powershell.exe
Token: SeManageVolumePrivilege	5912	powershell.exe
Token: SeImpersonatePrivilege	5912	powershell.exe
Token: 33	5912	powershell.exe
Token: 34	5912	powershell.exe
Token: 35	5912	powershell.exe
Token: 36	5912	powershell.exe
Token: SeDebugPrivilege	5460	powershell.exe
Token: SeIncreaseQuotaPrivilege	5460	powershell.exe
Token: SeSecurityPrivilege	5460	powershell.exe
Token: SeTakeOwnershipPrivilege	5460	powershell.exe
Token: SeLoadDriverPrivilege	5460	powershell.exe
Token: SeSystemProfilePrivilege	5460	powershell.exe
Token: SeSystemtimePrivilege	5460	powershell.exe
Token: SeProfSingleProcessPrivilege	5460	powershell.exe
Token: SeIncBasePriorityPrivilege	5460	powershell.exe
Token: SeCreatePagefilePrivilege	5460	powershell.exe
Token: SeBackupPrivilege	5460	powershell.exe
Token: SeRestorePrivilege	5460	powershell.exe
Token: SeShutdownPrivilege	5460	powershell.exe
Token: SeDebugPrivilege	5460	powershell.exe
Token: SeSystemEnvironmentPrivilege	5460	powershell.exe
Token: SeRemoteShutdownPrivilege	5460	powershell.exe
Token: SeUndockPrivilege	5460	powershell.exe
Token: SeManageVolumePrivilege	5460	powershell.exe
Token: SeImpersonatePrivilege	5460	powershell.exe
Token: 33	5460	powershell.exe
Token: 34	5460	powershell.exe
Token: 35	5460	powershell.exe
Token: 36	5460	powershell.exe
Token: SeDebugPrivilege	5784	powershell.exe
Token: SeIncreaseQuotaPrivilege	5784	powershell.exe
Token: SeSecurityPrivilege	5784	powershell.exe
Token: SeTakeOwnershipPrivilege	5784	powershell.exe
Token: SeLoadDriverPrivilege	5784	powershell.exe
Token: SeSystemProfilePrivilege	5784	powershell.exe
Token: SeSystemtimePrivilege	5784	powershell.exe
Token: SeProfSingleProcessPrivilege	5784	powershell.exe
Token: SeIncBasePriorityPrivilege	5784	powershell.exe
Token: SeCreatePagefilePrivilege	5784	powershell.exe
Token: SeBackupPrivilege	5784	powershell.exe
Token: SeRestorePrivilege	5784	powershell.exe
Token: SeShutdownPrivilege	5784	powershell.exe
Token: SeDebugPrivilege	5784	powershell.exe
Token: SeSystemEnvironmentPrivilege	5784	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2272	AcroRd32.exe
1352	firefox.exe
1352	firefox.exe
1352	firefox.exe
1352	firefox.exe
1352	firefox.exe
1352	firefox.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe

Suspicious use of SendNotifyMessage 63 IoCs

pid	Process
1352	firefox.exe
1352	firefox.exe
1352	firefox.exe
1352	firefox.exe
1352	firefox.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe
2412	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
1352	firefox.exe
2272	AcroRd32.exe
1352	firefox.exe
1352	firefox.exe
1352	firefox.exe
4996	Installer.exe
2272	AcroRd32.exe
5940	update1404.exe
5308	update1404.exe
5040	update1404.exe
5916	update1404.exe
780	update1404.exe
4264	update1404.exe
5092	update1404.exe
760	update1404.exe
4860	update1404.exe
5888	update1404.exe
2216	update1404.exe
5340	update1404.exe
5432	update1404.exe
5452	update1404.exe
4740	update1404.exe
4936	update1404.exe
3252	update1404.exe
5772	update1404.exe
3892	update1404.exe
1352	firefox.exe
5200	update1404.exe
1352	firefox.exe
4788	update1404.exe
5100	update1404.exe
2264	update1404.exe
3928	update1404.exe
5856	update1404.exe
1312	update1404.exe
4848	update1404.exe
2212	update1404.exe
5068	update1404.exe
3108	update1404.exe
5208	update1404.exe
4624	update1404.exe
2896	update1404.exe
3112	update1404.exe
6044	update1404.exe
4044	update1404.exe
5756	update1404.exe
1096	Installer.exe
5124	update1404.exe
6092	update1404.exe
4364	update1404.exe
4904	update1404.exe
6048	update1404.exe
5268	update1404.exe
736	update1404.exe
5040	update1404.exe
5188	update1404.exe
5200	update1404.exe
5376	update1404.exe
6096	update1404.exe
3560	update1404.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 420 wrote to memory of 1352	420	firefox.exe	74
PID 420 wrote to memory of 1352	420	firefox.exe	74
PID 420 wrote to memory of 1352	420	firefox.exe	74
PID 420 wrote to memory of 1352	420	firefox.exe	74
PID 420 wrote to memory of 1352	420	firefox.exe	74
PID 420 wrote to memory of 1352	420	firefox.exe	74
PID 420 wrote to memory of 1352	420	firefox.exe	74
PID 420 wrote to memory of 1352	420	firefox.exe	74
PID 420 wrote to memory of 1352	420	firefox.exe	74
PID 420 wrote to memory of 1352	420	firefox.exe	74
PID 420 wrote to memory of 1352	420	firefox.exe	74
PID 1352 wrote to memory of 4876	1352	firefox.exe	75
PID 1352 wrote to memory of 4876	1352	firefox.exe	75
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 3644	1352	firefox.exe	76
PID 1352 wrote to memory of 4956	1352	firefox.exe	77
PID 1352 wrote to memory of 4956	1352	firefox.exe	77
PID 1352 wrote to memory of 4956	1352	firefox.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2924
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  PID:2216
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  PID:4960
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  PID:3136
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  PID:5780
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  PID:5764
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  PID:5000
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  PID:4220
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  PID:5208
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  PID:5948
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  PID:5872
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  PID:5752
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  PID:5240
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  PID:5000
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  PID:4740
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  PID:2836
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  PID:4288
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  PID:4468
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  PID:2200
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  PID:4676
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  PID:4720
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  PID:5480
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  PID:4540
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  PID:5304
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  PID:5096
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  PID:6040
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  PID:5520
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  PID:5404
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  PID:236
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  PID:2540

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Patrick.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2272
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  PID:3960
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=53B46C80D653985C676459728918678C --mojo-platform-channel-handle=1628 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3604
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BEE733758C40BDADDFFA651934375EEF --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BEE733758C40BDADDFFA651934375EEF --renderer-client-id=2 --mojo-platform-channel-handle=1636 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3588
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E34E2ED5A0C65B6E7F0965737E3A926A --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2264
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=EAFAE0EA00117C852E8C44C0AC4D59E1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=EAFAE0EA00117C852E8C44C0AC4D59E1 --renderer-client-id=5 --mojo-platform-channel-handle=1848 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3804
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AB6E12F9B258C03E79EDEA4C9D7C44F1 --mojo-platform-channel-handle=2576 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3520
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1FC4CC7B137918193A18F937BBC17899 --mojo-platform-channel-handle=1612 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:5232

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:420
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Drops file in Windows directory
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1352.0.1588219800\968207104" -parentBuildID 20221007134813 -prefsHandle 1748 -prefMapHandle 1728 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {feb42e53-cca3-4803-be28-17b3560d8496} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" 1828 287919d6458 gpu
    3⤵
    PID:4876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1352.1.1768150668\156233340" -parentBuildID 20221007134813 -prefsHandle 2164 -prefMapHandle 2160 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c521d98e-f53d-43b5-8e45-ffc3d65bbc29} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" 2184 287918ef258 socket
    3⤵
    PID:3644
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1352.2.1820796626\771056535" -childID 1 -isForBrowser -prefsHandle 2772 -prefMapHandle 2768 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f5c623c-a311-494f-9aa6-34f5316e57df} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" 2744 2879195f458 tab
    3⤵
    PID:4956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1352.3.136122194\532728133" -childID 2 -isForBrowser -prefsHandle 3376 -prefMapHandle 3372 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f997061-79cb-491a-9266-4332bb318752} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" 3396 28796a47e58 tab
    3⤵
    PID:2128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1352.4.485567694\1352150336" -childID 3 -isForBrowser -prefsHandle 4428 -prefMapHandle 4424 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9adf6506-6ff0-4cb9-a4ce-26884ab8c650} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" 4436 28797ee5858 tab
    3⤵
    PID:484
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1352.5.2078188457\1599627548" -childID 4 -isForBrowser -prefsHandle 4472 -prefMapHandle 4156 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6a915f3-7871-4b6e-bca5-6075f710941b} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" 1616 28798025458 tab
    3⤵
    PID:2308
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1352.6.1789466108\349232430" -childID 5 -isForBrowser -prefsHandle 5060 -prefMapHandle 5064 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {68e000d0-b7a0-4715-a0f8-b4b5c8a92484} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" 5048 287986b4e58 tab
    3⤵
    PID:2072
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1352.7.133537355\314648959" -childID 6 -isForBrowser -prefsHandle 5256 -prefMapHandle 5260 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a9b32d0-0d01-48ea-a59b-c6f471f02fe7} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" 5248 287992aab58 tab
    3⤵
    PID:4376
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1352.8.294891623\1681094144" -childID 7 -isForBrowser -prefsHandle 4748 -prefMapHandle 4664 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {02dc4d9c-2e1e-4f21-823f-b93d5bf2c5b5} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" 4432 287918efe58 tab
    3⤵
    PID:5624
- - C:\Users\Admin\Downloads\Installer.exe
    "C:\Users\Admin\Downloads\Installer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4996
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5460
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5784
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1480
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:6104
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:5940
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5492
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:5308
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1764
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:5040
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:712
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5916
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:5500
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:780
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:2364
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4264
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:5992
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5092
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:6116
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:760
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:5740
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4860
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:2384
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5888
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:5732
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2216
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:5748
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5340
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:2388
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5432
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:2848
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5452
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:1292
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4740
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:4192
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4936
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:4028
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3252
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:5376
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5772
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3892
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:5472
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5200
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:1760
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4788
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:5844
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5100
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:2952
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2264
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:5504
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3928
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:524
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5856
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:2072
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1312
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:1384
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4848
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:5096
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2212
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:4536
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5068
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:5972
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3108
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:4036
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5208
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:5648
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4624
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:3116
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2896
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:1096
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3112
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:2900
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:6044
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:5196
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4044
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:5988
  - - C:\Program Files\launcher289\update1404.exe
      "C:\Program Files\launcher289\update1404.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5756
    - - C:\Windows\SysWOW64\openwith.exe
        
        "C:\Windows\system32\openwith.exe"
        5⤵
        
        PID:5292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1352.9.1329795673\946233554" -childID 8 -isForBrowser -prefsHandle 6396 -prefMapHandle 6416 -prefsLen 26808 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5fc1af0-d97b-4744-8209-e2775d7af242} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" 6404 28799f77658 tab
    3⤵
    PID:5836
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1352.10.711348458\121728861" -childID 9 -isForBrowser -prefsHandle 6708 -prefMapHandle 6704 -prefsLen 26808 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d23acfc-fb33-48ef-b95c-f60a5b8ad517} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" 6716 2879a911658 tab
    3⤵
    PID:5488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1352.11.795080892\1561266308" -childID 10 -isForBrowser -prefsHandle 6972 -prefMapHandle 6968 -prefsLen 26808 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d44b32c4-9302-4420-aecc-a7baf51ffa1f} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" 6984 2879aa6b458 tab
    3⤵
    PID:5460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1352.12.762400302\1425216027" -childID 11 -isForBrowser -prefsHandle 7156 -prefMapHandle 7152 -prefsLen 26817 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {928af72e-d78f-4f37-87e6-5cc991ecf496} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" 6968 287942f3e58 tab
    3⤵
    PID:4496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1352.13.1861307418\1296414552" -childID 12 -isForBrowser -prefsHandle 8632 -prefMapHandle 8636 -prefsLen 27517 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c51194ac-e371-4558-8a6c-15bd04cf9b6d} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" 8692 2879aa46c58 tab
    3⤵
    PID:4184
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1352.14.1208086486\856476968" -childID 13 -isForBrowser -prefsHandle 8188 -prefMapHandle 8180 -prefsLen 27517 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d5701cc-ce5f-41c7-85b5-f9656b77e860} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" 8360 2879aa47858 tab
    3⤵
    PID:5248
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1352.15.1041993301\1753148389" -childID 14 -isForBrowser -prefsHandle 8396 -prefMapHandle 8388 -prefsLen 27517 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7436f937-ea67-40a6-99d4-c1e8e7f42572} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" 8592 28794ca7958 tab
    3⤵
    PID:5336

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2412

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5736

C:\Users\Admin\Downloads\Installer.exe
"C:\Users\Admin\Downloads\Installer.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3492
- C:\Program Files\launcher289\update1404.exe
  "C:\Program Files\launcher289\update1404.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5124
- C:\Program Files\launcher289\update1404.exe
  "C:\Program Files\launcher289\update1404.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:6092
- C:\Program Files\launcher289\update1404.exe
  "C:\Program Files\launcher289\update1404.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4364
- C:\Program Files\launcher289\update1404.exe
  "C:\Program Files\launcher289\update1404.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4904
- C:\Program Files\launcher289\update1404.exe
  "C:\Program Files\launcher289\update1404.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:6048
- C:\Program Files\launcher289\update1404.exe
  "C:\Program Files\launcher289\update1404.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5268
- C:\Program Files\launcher289\update1404.exe
  "C:\Program Files\launcher289\update1404.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:736
- C:\Program Files\launcher289\update1404.exe
  "C:\Program Files\launcher289\update1404.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5040
- C:\Program Files\launcher289\update1404.exe
  "C:\Program Files\launcher289\update1404.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5188
- C:\Program Files\launcher289\update1404.exe
  "C:\Program Files\launcher289\update1404.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5200
- C:\Program Files\launcher289\update1404.exe
  "C:\Program Files\launcher289\update1404.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5376
- C:\Program Files\launcher289\update1404.exe
  "C:\Program Files\launcher289\update1404.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:6096
- C:\Program Files\launcher289\update1404.exe
  "C:\Program Files\launcher289\update1404.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3560
- C:\Program Files\launcher289\update1404.exe
  "C:\Program Files\launcher289\update1404.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  PID:4996
- C:\Program Files\launcher289\update1404.exe
  "C:\Program Files\launcher289\update1404.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  PID:1884
- C:\Program Files\launcher289\update1404.exe
  "C:\Program Files\launcher289\update1404.exe"
  2⤵
  - Executes dropped EXE
  PID:5772
- C:\Program Files\launcher289\update1404.exe
  "C:\Program Files\launcher289\update1404.exe"
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Program Files\launcher289\update1404.exe
  "C:\Program Files\launcher289\update1404.exe"
  2⤵
  PID:1760
- C:\Program Files\launcher289\update1404.exe
  "C:\Program Files\launcher289\update1404.exe"
  2⤵
  PID:2736
- C:\Program Files\launcher289\update1404.exe
  "C:\Program Files\launcher289\update1404.exe"
  2⤵
  PID:1092
- C:\Program Files\launcher289\update1404.exe
  "C:\Program Files\launcher289\update1404.exe"
  2⤵
  PID:524
- C:\Program Files\launcher289\update1404.exe
  "C:\Program Files\launcher289\update1404.exe"
  2⤵
  PID:6044
- C:\Program Files\launcher289\update1404.exe
  "C:\Program Files\launcher289\update1404.exe"
  2⤵
  PID:5104
- C:\Program Files\launcher289\update1404.exe
  "C:\Program Files\launcher289\update1404.exe"
  2⤵
  PID:4044
- C:\Program Files\launcher289\update1404.exe
  "C:\Program Files\launcher289\update1404.exe"
  2⤵
  PID:5564
- C:\Program Files\launcher289\update1404.exe
  "C:\Program Files\launcher289\update1404.exe"
  2⤵
  PID:4528
- C:\Program Files\launcher289\update1404.exe
  "C:\Program Files\launcher289\update1404.exe"
  2⤵
  PID:5948
- C:\Program Files\launcher289\update1404.exe
  "C:\Program Files\launcher289\update1404.exe"
  2⤵
  PID:5480
- C:\Program Files\launcher289\update1404.exe
  "C:\Program Files\launcher289\update1404.exe"
  2⤵
  PID:4888
- C:\Program Files\launcher289\update1404.exe
  "C:\Program Files\launcher289\update1404.exe"
  2⤵
  PID:5304
- C:\Program Files\launcher289\update1404.exe
  "C:\Program Files\launcher289\update1404.exe"
  2⤵
  PID:4560
- C:\Program Files\launcher289\update1404.exe
  "C:\Program Files\launcher289\update1404.exe"
  2⤵
  PID:4336
- C:\Program Files\launcher289\update1404.exe
  "C:\Program Files\launcher289\update1404.exe"
  2⤵
  PID:816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\launcher289\update1404.exe

Filesize
4.5MB

MD5
f2e8e0e9219c2776813c93adf1f5f54f

SHA1
98f734c0e0290222587df89c3de8b63317363f42

SHA256
5580517b51b79de266d453826f2affec1c458afecfe5c4ea8f84db9fb7d1e787

SHA512
5e0cfa6eda4143eb54a148b8f80498f13aac293eb363d0a001acce81daedc183e3b2cf49f94732c747e2882492f38679c7909b889c26e2c0199dd3306f6a18b8

Download Submit
C:\Program Files\launcher289\update1404.zip

Filesize
4.4MB

MD5
2fcca197f9e514805b8c9dcc20d36efa

SHA1
cbe09591fda02e3af52fb60e876bc3d360195170

SHA256
2fdb8b418455353b74b8da4aa61d353a90aa77d2a590dc25bc073280f4f716c6

SHA512
3d254c07de899d3be002b6263250c38443f68ae25c372a872534f66f827321f264935a69632b9d7742a95b42a7bda9684745d6f1ebcc7ca18ee48d8fa5109684

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
5262ead6398df5e168e6f9c6f3c2adfe

SHA1
7418886296f2bd95462dd609d03cfbb3322c271e

SHA256
75aa7fb1c05d42d6785edfa35de3b5366beb3e90b90777cc16f7042d1ad64e84

SHA512
c19556feb1ff1362545e112c7d017d1beb305b691b99abbf680835e9a6f8f98a7a5a319ae1325ab7a9c5ed125907a540056febdabf7c5b6c58293f5229507a4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2f2d3439d9256cbda45f3e0b31c60164

SHA1
0f25b20a2031036804b17941aa6d4156e0995979

SHA256
0ae2179f193595d29ff9c36252d3681547307daac8b796dad44df6d005ce1758

SHA512
51f2b4f3642aae3a362f2c7cba79451d4ee1eef7e69bd49c5bfb12ff0289974d1f1f32d3dee5d95e3733615497091ddb5c5ae36cb6373905b5eb6ed172be1ff4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
35d4119edfcf1cd6cbe480018e09f9f8

SHA1
42a1577952fc9789c8d58b66474200c4e04c86b1

SHA256
749eb3fa0365bb1f124762cb0b90e8df4f91ab7ca379c36484412f687f547efa

SHA512
9ebc9dafb58aa6fde110cdf6c19a218e0c562f5c0081aaec579908d07b5768c6258dfbfce5a831b4a14dcc3a8df10849540af99215e9a6a0c38dcb64ecc935cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
51b0cb9cf5ce21eb2f32508285422cd7

SHA1
aefe1f7a855ebdce11fa2c4244b543c2f1ea3e14

SHA256
9110fcab099c0b25d857d7e909ededf142b0849ef0eda7a2cc88d56d79b689d2

SHA512
80a33492348baed0b63e579ffd5c3ffef966b5bf45ff084111b815f8c84aed83a088325f1353d2f5fb974bc0e53ae1b3a5e3d116a91db1f1b9ed99f41390735b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
68ece4e625d25eb690d3cd9f9ce4464a

SHA1
f21ff126a1cfb683518e1bf82c255ae9b237380d

SHA256
fa3a1913e4ed81c29c6fd84998f8d0d7293de83102085fd3ab91ceee15bd58ac

SHA512
beb31f2bafe28e9cbe9cecdee7f5dc424bcd6b5c87d87f6bdad563732c409ae69366a3264b22490647e5d1953a7c6f69c3d25be267fd05e25f2d81319f461aed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
73b66cde181e28c021b1d4d7a36810bd

SHA1
12b02641e229d32fd06e5f19f3534aa102a84d48

SHA256
9891a6bc43eee6a64c36d2dcac60d0a948e75b26b0f58717d6fc37dd0b968e5e

SHA512
ff70e4d3caa9e854237d4fb65958d24753cc8080985416d199ef3214f2c906462461f5067484f1fd81e4f1d82d259ca1824fb029b9f4a9653f04a504bd4b2bd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ecc79aea9cae109f87f3df2bdc51b1e8

SHA1
3a156f977c8c3cba1b518bca094f36968ed3127e

SHA256
56df2f02bf88066a4f9adb02ce6373df383d5bdcaa92368c0568d9c2a2b1dcbb

SHA512
9fd3fa59438e167da842ad4b6ae75c3fe9eef5379b5ab61f01cf6f5a5691e0426ebb862e6df712275f722b2f28399c29b156ccb489b9a194919bac5fff52319e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dee9b9104147fb6c2e834de69a4c0996

SHA1
ae2a96187ac45ffbe5d617280b02705f3b267c13

SHA256
d460f6c60ce6f4c02f484c93a7e1159a02867bf97cca2bd2fa82efd0e276c836

SHA512
dc02d26cccdd524654f6b001b634ffaceb392473fd9d5f7fd3d88213fdd14380d2a936e028fd46e4b29cf8e5151474fd82e044a959d33bfba8e2a90f91debca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1dde770e76b6c3dce9932362eccfabd2

SHA1
c772571782021b9c3d6e038efa2ef7d37ee89a50

SHA256
604dc959273e635140470e64a3e5ebd54e44f0b0b3af1a8fe20c0e365999cea2

SHA512
fdab9f743001bc4025853af8b3defd5accb29acfb972115b38fb16092698ccc82fedd4a9ee9c92edbc28c2eb9d63e0c9a713e24ef38c26b6408cab7911e624ac

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\21708

Filesize
15KB

MD5
0d3b6dab3c5acd6d6f1ed230c6075ee4

SHA1
cc1c62c2fc000e3621a70716c08001df14429507

SHA256
9f3d6b43a966fc7fdbe5c9f305635f97b5693d6a2af7212d7b8b470eb7008884

SHA512
f96455faad4b8166fd98962baab118d363c3b91cecad294e0a6f94bce4281041ba0774170383c540dc36a690366af178c98f249f466ffd804cdfc5d85f52fcdc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\8BE316C0C3F5460083E01461ACD7D84B7196E04D

Filesize
220KB

MD5
441a090ecd881f5bb8a5f6f3321a1576

SHA1
64a10ce52bfe536b308b98ea2bcb56522070cb99

SHA256
cad086a6986ed3dbd0342831f65f99a2039fce0b1fdc0aa379bd7ce82a301373

SHA512
85e5ac067b0ceea61541f6fe13682540e7fe832ec26d6ffc00b0abb38f7030c9a41b9822b4d5f378447b28af06adf6d3dfabcd147ca24f68b600bc3c6992fbe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tgdtdvsr.xna.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
10KB

MD5
efef908cfb1a04a949d5d02f2fe7d51d

SHA1
6cad1305c906c2db8ac03dc8be31059149cb615a

SHA256
5991ec29e9ee5809a594b65485254fb969cd499671ba69ca3ccaa97d5f93ea92

SHA512
06ed2d51cdc41147bbb8e3037b094de6b57319295bd2a9648b48e60a4234f377d5e2c3f0e09fd8dddc959985033fc597effecb4b2a1eb4bbfc0caa1f8e00c847

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
dd8a29015471afa0fc253e9294591dc4

SHA1
fd60e711aeaa262ea6a5baa5cb957dc2ad1c35c6

SHA256
6b8746c8587df8dbb6d51458b3dbeca9928687db331475df751e10de8510d766

SHA512
8bced3771da5958ed0153a1e5548efec822a91581bbe8b5e4657849482d0158aae58da34e2e93368367a2aee2ba325e5b87bce6dbdb33ecf5fa6cf8c91662010

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\5f0009ad-1938-47ce-a472-d4d81a2b973f

Filesize
9KB

MD5
6d8c2747f5b7b597bf8be4064c84b954

SHA1
3bf8505ea5950807f29021f7fbf0ed532cb0528e

SHA256
847651fdb6f4eef7f210c27ee8b7b625fc690867e2fb403d5e507b88c0e25c42

SHA512
5af869cfdede11c532c59425427819cfc4a7dca43e4ce549cb6a1c7b92717c58a9f4f988997b73bfaa1070175f7b387abb7a1413f28609557507fddb3d08ffcf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\e1953a06-9821-4d8b-a788-951a7e92a99d

Filesize
746B

MD5
13a6ce58544ed06688dc3df09d33575a

SHA1
2b272ff7466e3b43864ae3ff4574737084d2d3e2

SHA256
29db546c06fa9bc9e1f43caadc4e322bd205a98d6b4ffd69c4ba7aab666114a3

SHA512
6d44641d1e8097aad167a8e1f4a4079d11baf179774e4bfab22eaf79712abf9e46c5c9a358b289edf5bae77de61e411616a79ea9d5e3f906006cad92bd1378d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
6KB

MD5
3ec39d671ecf19f4f7289683015c9451

SHA1
3e722bf28b9bc13e4a6009d09e14033032964b4f

SHA256
8c9632bcc675b02cc3f72c695e8e20f43aa72a86c6b951cee040e494be2f6139

SHA512
70f0987d261a0f1062f40608a22bd4d8ad945c365e7edd4ee77f16cea0716365c4dfc36772a6667e5c4bfd7273c4ddb8ba6e46113ed3401ebcdc0fb778cf218d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
6KB

MD5
89d1ee717bf90de072e4cbab3bd38612

SHA1
dd0c8cee29ade48bda2016e9609d69b9695309f6

SHA256
92263e037b92e8c3b4147eb844f256e0a3f4b733be5586cd129e144717e31fc7

SHA512
63c87047d117a6958a01236a8626e41af04fefb1aeff902cae1a36f491f476b50dda69a44750da6b751428eb87e98ef08797ca035267bacd356ef3df519bed06

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
7KB

MD5
cc7619de1991788e9daa1b994e50a31d

SHA1
cdb95c1596daf0e3cf41a5d2c044a126bc6aaf86

SHA256
12d1f56fbc362764fb5d8df8a3321644a9857ebfa8c08488ff4198fc56d64ecb

SHA512
8ae5bc9ba806f5563581d0db1a630127bdc6a486a00235d6c94e97ce7b64a6c0b04c42f89f29f75d4e6d3d8d1da6ed74bd547cb191832c8189befa904d2ddd40

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
6KB

MD5
0d7c16ecc65c137e346cdfdb1087fd2e

SHA1
5d87e9ce6a6cd0d88cf0bcd5de26d17220abc32a

SHA256
978f861046319d48cb219c8dabd89ced2c4366ed31e07906e97d8f3a5f453832

SHA512
8a042a849a65c95607eb5accefd51e4aee5414ffa6a0c709cdb63d08b00363f00c5a77bfc49204510e888a419f04a90f633afdb53057eba38758b2f2df3f8e6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
6KB

MD5
4b0c4046b55903f7ca9796d7f284120e

SHA1
f765b7e32f029473c8ea7a20684e1525eee98f4c

SHA256
bdd86f7b1a1e7ddbe19cc72f2b11c352182c0182c756d956df1415e5768a3bab

SHA512
336abc421286de8e286013712680992bc62e35020bc5bef0d7fc7e2d02efc6fc06d0eaca5dd9a42d5fdc4dc49fe105b2ae0217db65bbbdbae81c3d1ddb38697e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
679165ea1986a5c5b372d77a0cc1513d

SHA1
c222c087b19b24d7fcaa6c4b7af1270547e86605

SHA256
2047e2853ed44e711931f92eb055775a2944ec2a663e7ffddd6b8c4d19a5e472

SHA512
d36a9cf84c9ef303b1980e65e48f754494a74209c18a67ab8b7e1c241864e93470f3bfb65437a13fb36878fd9fb6d5650fe1e68abaed7404f50ee31a6a230cd3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
1e66b6ddc336434afcfb3d2cd174ca54

SHA1
0519da2126e3b60b4027374852c637be814a593d

SHA256
b81f80dbd3e0fba1a921b67ff8ee59363f22f45a48d44f1011e9af3d2cc57d2e

SHA512
415b203d661ebdd145448b3e2a5ff4d5659aab72fc28beacaad8253abe4a1ad2cec1dcf7376525a9556fbba92d04ef710298f68fa38b63caca35a58464f1c456

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
0ec3cb663869768039a91e4580e78abb

SHA1
71ca91dd022195bb4c9030a56f9cd4b399598a54

SHA256
6b03be01d880e44f9a3c1022aa65a4bf3881105b16aedebb2033ce67cb3ab7cd

SHA512
0ed4a6396cfda2f55cb40dfe03cf639a5c7bf182bddba73af974597322fe1b80df61d28edf811e034b445a287900bcfc9a0d7bc2950f57c92e066508919e84c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
01e597fb5135d66f311dc849f19b3117

SHA1
725d4fc2a87fd784cc5c1db094baa8ca5e3c376c

SHA256
cae5b17d33f98246474e77e53792c9756a5fab7cd763892cad3fc9d91bbe2938

SHA512
f60e24d2d6471851c83c15312448f001b15b4cdd6afa0a491ce44f3ef080e45ab50f03ae906ad184d64da544a42c083d37096193ef62a2eadeba66237f99fe00

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
7e86bae8e1b0d87f7bb132b9912f843a

SHA1
cbd63599b7f159956e5133543a4ba8eb0ef401fd

SHA256
6fc424a3649444e9f47c51ca015339f8f01c0278bf368211308e67fed6dca1fc

SHA512
51dfa6ad3d7af2af9b371d911e4722b23ff77554c85b3ca28dc851e6e941d7251c022344513147ed2e335012f7c7908533c0ae5e047008d4f3b2869dfd3358e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
3401326795eb7b44b83c4a4de1b4be91

SHA1
7932e4747ad0c652dcecee97371e0366c1574a74

SHA256
31b90f9415592385f09cad4c0065ebd180c7ac91cb35bf94caee27dd3325e694

SHA512
eb6a898aee76fe07eef4f3442976a2360a439b71e9be143d6b41c10105351c8f592388b10ad6653be6ec66b0c1a8e6cd6484a5517dbd29a3149716dce1b3dcac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
2a6c4f5e2bdbb42819454020d39c7d0f

SHA1
513b09d3dd052eb2be4093565ce29b09ddc604e7

SHA256
e4a24ccb2ad21cf11f7c766ad61fc6adcb251db2acb2f8243c9bd4691e216dde

SHA512
c704249ea334870e6de8e5de27c506b7e95020f4ad3e4f15e40057875616764b41f9a0b2a14b36d48b01c48629495a09ec7abbd8e40ca2b810109c253f7ae581

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
d93a5952ef6a72da61010ac3f87a8c7c

SHA1
27399fa87fe6c4a7724519b483b38779a8ff154e

SHA256
d92f612fb81a8305bb99004e7c4844b484f55c25dc0efdd35868216f01aaed92

SHA512
f4a6d0e9b11ab181ed001caf1374d2682150f992c6db0c0b96ae7572d56affd6c9f7ccffdc078019269b74dde527301807bc2eab0757e94a339271ee12c9ab71

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
c23a217c57364d9c76f135dc847232d4

SHA1
59efc23fcc315255fc3e5d3f8a3138c6e9241f80

SHA256
a52bb518dabd8729fa6396c0bc9e15c2d0e8bede9b33f81cd12fa822dc745b26

SHA512
eb10a6df5dc05eaa884f9b22d3b6712751f9b14ddc8ed88902a844ce949bbfceae0d14d6dea44b8aadc8945809e936047eefa5c54f89cd0a5d5437bdad68bd45

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
39134d27034421110cd153c68df43261

SHA1
f9b5e1bef6ea21d5d629eb494e6085bdd152a2dc

SHA256
5aa814ec61cd7b5f0b1a45a53bc3c5b140bc80e114dfba28dd34bffffc243a94

SHA512
783d300f16166245a619e105d9e2d8872e22c13e0c8132928df5bcb8dbbcbdd4fd09bbe348b180d869370d88c82efebd2b240f6f39ac46ca6d1c2a999534a35a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
371e9dcd870f6b1fcaefe83372ca3647

SHA1
169ebe8857df41765317c6971019254000fa6a21

SHA256
0ef1511b7277fb1c48b1355fa3617c23eba8624abb3458af5da14509b2efe459

SHA512
94b6a3bb8f8cb237532ec171ea3fe95f57349c449ebc328d8f1258af0bb9e34e222b1c968957b6f608739dc2a0cdfcd009bf45a2012592cbf9afd2dca74479c7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
ee9f0a559ec4ebd3c37c2f3dbd99508a

SHA1
7a55a20fa1235ce79916ea93330cc62cfcac3d74

SHA256
b2463d77efe5a59a812e6efc36dbb1bbe19092b7374faeab74723c53678ddc4e

SHA512
cb8cea577fa646bec52f8fc423469eedfc800d6822849550d1bb61dd4193baae58ef61fa6b54a9063502fe1168daa266331ebb130ef2c2c36ec5faacd3484a3e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
d189f759239412172124b19c5cecf460

SHA1
8ed81c562cb0d57e6a6cfc8801eb38b820391576

SHA256
38f3df239c1ba468e21d9f76405c429cd34396c4b1fa9bf44e7b72d57610d746

SHA512
bfaa775b89ab4f4dfb5cbe46597f94004ccbfd897a8d1891de02aa0a30e148c86b6ef788eb52d0847ce86740d5e375c16f5754780c4cf231312b9662bc9f53a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
fe51d36d26ad96f5e58b96bd54eea6a1

SHA1
547a63660abf2663ff2f43e606eeefb48b0ef5c3

SHA256
aa51758d9768f1ad2b5eea3e4774442eb118249878a43443cd6dbaae7d76ab66

SHA512
d36b552781d318912381dedcfce41ad0ae7b89d4a44e3f057f694091c62eec3a3ebd8a1dbe164c903955a8f97a80f0d2572ae8e8357369a13917236e7f6a4f2c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
9fc245de6a5d328af8973399bd7bbb69

SHA1
7d80715cfdf6c354f452f850aa095d8bdb4e184b

SHA256
f13bc42ec1f40cd3acf5632a600f692d9a53535554019d2fdf6fd9643b1fa027

SHA512
9b2ee3fca5a805b604dd78a6befd43120b0d78ec410511528e376786845f5c4d0b6adcee1c3199680766346f9b0641346a4bd38c31d73efa56df93b6111cf4fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\default\https+++www.virustotal.com\cache\morgue\127\{56067cc8-2809-464b-b99c-a6287ebfc97f}.final

Filesize
48KB

MD5
68bb9c6503bb874a3fd59d6e420dd975

SHA1
ca07ac4219d173b3f815eca8ec483c569ff920e4

SHA256
4fa58668347f515b6e4592aa4a174d0908ba013e1c30d1552738db7aff9e497a

SHA512
81cfe789cf1cd07d2eddcf201667c85a43fd25b923019de78221c348eb70e53f00df7092de74ea452226a0f8120373ebb963201b6b1cfa2aaed88c0838056ae1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
192KB

MD5
674a6b5676724fa94a2048b1d575d44a

SHA1
b3385af298f177e873b1f7c65092b381c8485488

SHA256
85b156075f68605f0ece309f2c2a2d06ab110f057bd396da60bed157ccb0523e

SHA512
4e07696541f994c77669e515e61e086baa2fdda801954376a0c97238dfe9a90549c7df97a2bd5756583e7cd3ebbbc999eef667aed3bc243fcf307db0e57e115d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
7f868e557b098795d645df9ea302427f

SHA1
001f3306144559b4049a8ab139b4139f51e59c0e

SHA256
b228e23ecfb7965e3badefcbb031de0b4bb887634bccb34a826ac8ac89124ac5

SHA512
56fd8aa514cc25db5a2c9191d665eaffe90182cc5e4f15317e0cfbc9adf7336d9ad937d20384b0504f784e5939b76b4c4b0020cb06e4a472c650355cc6c4c89a

Download Submit
C:\Users\Admin\Downloads\Installer.9oCnrvT9.exe.part

Filesize
15KB

MD5
2746a6ae06a073a9cf959f77f608f0af

SHA1
933fe83851037bda61f78ea1045d779f4a9f8270

SHA256
b4d9f9c554451b5dc436ed4d3199a7c362a5855ca05858de5a25c422b0590069

SHA512
5fdb0f2b22e3c0e3c626e238d47349d46331a1e12e3b83b2490dd7eaae23e8c14e52d39c5ede8ade8573483af6a4e16ba03741fa836b7b10520f2772488b9396

Download Submit
\Users\Admin\AppData\Local\Temp\.net\Installer\h5bkiNdImxEzdJoPnlxCUAGxndDSn44=\D3DCompiler_47_cor3.dll

Filesize
4.7MB

MD5
a7349236212b0e5cec2978f2cfa49a1a

SHA1
5abb08949162fd1985b89ffad40aaf5fc769017e

SHA256
a05d04a270f68c8c6d6ea2d23bebf8cd1d5453b26b5442fa54965f90f1c62082

SHA512
c7ff4f9146fefedc199360aa04236294349c881b3865ebc58c5646ad6b3f83fca309de1173f5ebf823a14ba65e5ada77b46f20286d1ea62c37e17adbc9a82d02

Download Submit
\Users\Admin\AppData\Local\Temp\.net\Installer\h5bkiNdImxEzdJoPnlxCUAGxndDSn44=\PresentationNative_cor3.dll

Filesize
1.2MB

MD5
e67dff697095b778ab6b76229c005811

SHA1
88a54a3e3ff2bf83a76bbf5df8a0e50bdb36bcdc

SHA256
e92b997f6f3a10b43d3fdc7743307228aa3b0a43430af60ccb06efa154d37e6a

SHA512
6f2a2bbbfa0464537fccb53d40239a294dca8fd477e79d70cd9f74079da48525a300675d3b0daae292432adbb9dd099fd4dc95b6fe2794f4c5f3a7e56e15ef51

Download Submit
\Users\Admin\AppData\Local\Temp\.net\Installer\h5bkiNdImxEzdJoPnlxCUAGxndDSn44=\wpfgfx_cor3.dll

Filesize
1.9MB

MD5
24ea1814e6701927b9c714e0a4c3c185

SHA1
95c27a6b1f5927e3021cb6f9d5ef5998b2c4560a

SHA256
d2ebedc0004d5e336c6092e417c11c051767c7dcbcb80303f3484fd805e084ae

SHA512
d6c2f32818970d989c834babeac1ce845e832b853ce1c0b3f7ecbfd41331b7d519461bcc0ef07fd35382f263b9e26ac47bb22f0370071913900fc40e3e2656f2

Download Submit
memory/4996-419-0x0000017C4CDF0000-0x0000017C4CE10000-memory.dmp

Filesize
128KB

Download
memory/4996-427-0x0000017C4D500000-0x0000017C4D540000-memory.dmp

Filesize
256KB

Download
memory/4996-423-0x0000017C4D170000-0x0000017C4D4C0000-memory.dmp

Filesize
3.3MB

Download
memory/4996-415-0x0000017C4CDB0000-0x0000017C4CDD0000-memory.dmp

Filesize
128KB

Download
memory/4996-431-0x0000017C4D540000-0x0000017C4D550000-memory.dmp

Filesize
64KB

Download
memory/4996-435-0x0000017C4D560000-0x0000017C4D570000-memory.dmp

Filesize
64KB

Download
memory/4996-439-0x0000017C4D590000-0x0000017C4D5A0000-memory.dmp

Filesize
64KB

Download
memory/4996-406-0x0000017C4B4A0000-0x0000017C4B4C0000-memory.dmp

Filesize
128KB

Download
memory/4996-410-0x0000013BB3490000-0x0000013BB34A0000-memory.dmp

Filesize
64KB

Download
memory/4996-398-0x0000013BB4F10000-0x0000013BB4F20000-memory.dmp

Filesize
64KB

Download
memory/4996-402-0x0000017C4B410000-0x0000017C4B4A0000-memory.dmp

Filesize
576KB

Download
memory/4996-390-0x0000017C4ABA0000-0x0000017C4B160000-memory.dmp

Filesize
5.8MB

Download
memory/4996-379-0x0000017C4F440000-0x0000017C544A0000-memory.dmp

Filesize
80.4MB

Download
memory/4996-375-0x0000017C49FC0000-0x0000017C4A3E0000-memory.dmp

Filesize
4.1MB

Download
memory/4996-394-0x0000017C4B270000-0x0000017C4B380000-memory.dmp

Filesize
1.1MB

Download
memory/4996-386-0x0000013BB4ED0000-0x0000013BB4F10000-memory.dmp

Filesize
256KB

Download
memory/5912-626-0x0000021E78280000-0x0000021E782A2000-memory.dmp

Filesize
136KB

Download
memory/5912-630-0x0000021E78C70000-0x0000021E78CE6000-memory.dmp

Filesize
472KB

Download