8b9147aeca757bc36f30e98c7481ec302d2be6de1b893a6f2ad80864f1106fb3

Resubmissions

03-08-2024 19:46

240803-yg8nestbqr 10

03-08-2024 19:44

240803-ygbcxsxhld 6

03-08-2024 19:41

240803-yd6pnaxgpa 6

Analysis

max time kernel
598s
max time network
603s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
03-08-2024 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

win-airplay.zip
Size

14.5MB
MD5

79907c402bfd25fa29f2fa1336b292af
SHA1

0f914d4eec4c6d3005b80ff6500a14fec13a384d
SHA256

8b9147aeca757bc36f30e98c7481ec302d2be6de1b893a6f2ad80864f1106fb3
SHA512

f4f5b53ad78e89409e46179db2286842a6edb14c920c466c57ad160ef17cc95055fe610de9dc122ccb682ec0f1ea2bd7908e52eac8193c846a8da277d42a6bd6
SSDEEP

393216:5CSO2to+1kmcVJ2HvYPE+cgLGYlaARy7nMvuC7O2XmA0:5CSO26+1kJLwD4RhmCq3

Score

10^/10

defense_evasion discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

mDNSResponder.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	mDNSResponder.exe

Downloads MZ/PE file
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Executes dropped EXE 3 IoCs

Processes:

mDNSResponder.exevlc-3.0.21-win64.exevlc-3.0.21-win64.exe

pid process

5232 mDNSResponder.exe
5996 vlc-3.0.21-win64.exe
4880 vlc-3.0.21-win64.exe

pid	process
5232	mDNSResponder.exe
5996	vlc-3.0.21-win64.exe
4880	vlc-3.0.21-win64.exe

Loads dropped DLL 19 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exeBlueberry-Airplay.exeiexplore.exeIEXPLORE.EXEfirefox.exevlc-3.0.21-win64.exevlc-3.0.21-win64.exefirefox.exe

pid	process
4000	MsiExec.exe
3540	MsiExec.exe
3540	MsiExec.exe
184	MsiExec.exe
184	MsiExec.exe
1380	MsiExec.exe
5188	MsiExec.exe
5216	MsiExec.exe
472
268
5532	Blueberry-Airplay.exe
5744	iexplore.exe
5844	IEXPLORE.EXE
1952	firefox.exe
5996	vlc-3.0.21-win64.exe
5996	vlc-3.0.21-win64.exe
4880	vlc-3.0.21-win64.exe
4880	vlc-3.0.21-win64.exe
3008	firefox.exe

Blocklisted process makes network request 4 IoCs

Processes:

msiexec.exe

flow pid process

785 3988 msiexec.exe
787 3988 msiexec.exe
789 3988 msiexec.exe
791 3988 msiexec.exe

flow	pid	process
785	3988	msiexec.exe
787	3988	msiexec.exe
789	3988	msiexec.exe
791	3988	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

Processes:

flow	ioc
134	raw.githubusercontent.com
129	raw.githubusercontent.com
130	raw.githubusercontent.com
131	raw.githubusercontent.com
132	raw.githubusercontent.com
133	raw.githubusercontent.com

Drops file in System32 directory 8 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dnssdX.dll	msiexec.exe
File created	C:\Windows\system32\dnssdX.dll	msiexec.exe
File created	C:\Windows\SysWOW64\jdns_sd.dll	msiexec.exe
File created	C:\Windows\system32\jdns_sd.dll	msiexec.exe
File created	C:\Windows\SysWOW64\dns-sd.exe	msiexec.exe
File created	C:\Windows\system32\dns-sd.exe	msiexec.exe
File created	C:\Windows\SysWOW64\dnssd.dll	msiexec.exe
File created	C:\Windows\system32\dnssd.dll	msiexec.exe

Drops file in Program Files directory 29 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\en.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\en_GB.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\fi.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\pl.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files\Bonjour\dns_sd.jar	msiexec.exe
File created	C:\Program Files\Bonjour\mDNSResponder.exe	msiexec.exe
File created	C:\Program Files\Java\jre7\lib\ext\dns_sd.jar	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\de.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\nl.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\zh_TW.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\dns_sd.jar	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\it.lproj\About Bonjour.rtf	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\dns_sd.jar	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\nb.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\pt.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\ru.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files\Bonjour\About Bonjour.lnk	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\fr.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\mDNSResponder.exe	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\ja.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\ko.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\sv.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\zh_CN.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files\Bonjour\mdnsNSP.dll	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\About Bonjour.lnk	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\da.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\es.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\pt_PT.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\mdnsNSP.dll	msiexec.exe

Drops file in Windows directory 20 IoCs

Processes:

DrvInst.exemsiexec.exefirefox.exe

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI62DB.tmp	msiexec.exe
File created	C:\Windows\Installer\f7d60e9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI635A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\RichText.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\f7d60e6.ipi	msiexec.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	firefox.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\f7d60e5.msi	msiexec.exe
File created	C:\Windows\Installer\f7d60e6.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI661B.tmp	msiexec.exe
File created	C:\Windows\Installer\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\Bonjour.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\Bonjour.ico	msiexec.exe
File created	C:\Windows\Installer\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\RichText.ico	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI62EC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6493.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f7d60e5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6164.tmp	msiexec.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
defense_evasion

SIP and Trust Provider Hijacking
T1553.003

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\vlc-3.0.21-win64.exe:Zone.Identifier firefox.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Users\Admin\Downloads\vlc-3.0.21-win64.exe:Zone.Identifier	firefox.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MsiExec.exeMsiExec.exeMsiExec.exeBlueberry-Airplay.exeIEXPLORE.EXEvlc-3.0.21-win64.exevlc-3.0.21-win64.exeBlueberry-Airplay.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blueberry-Airplay.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vlc-3.0.21-win64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vlc-3.0.21-win64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blueberry-Airplay.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f0355100000000020000000000106600000001000020000000dbe0a613a8d203b84e6cd25f60a4d31d8b717fbb44242cdc899fc3519192c5a3000000000e80000000020000200000005dc5e9c6dbe24339ccc1f4e1cae076b244ce77dd78d9843380df555f2bafd57390000000d3b1df788f467b831aa3e9762a12cf0484d4dc0255627bf66b8734d827e9965541abd2fc610b16da453479799c141bca99dae3c5241fbee3b8654d1105cad86e74e06156c4f471e1d24633e1bf34e833fbd261946d35e473d72c9cf1ae12daba4bbba01a62cd771caeeb6f2c1c4dab18cfaf5897459a88149460302a99b8b5fedb6c54aba08dc5d26cf506134304fa8c40000000e627367f21280ff03e1b4162775e4ffd517d28e710133a41b17260e21ca8fdf0829f95706a80ef2abef3cc09ecfc2dc6423ad65105fdcbdb826492b9530782dd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10ca052edfe5da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f0355100000000020000000000106600000001000020000000cdb45dff386878a5b641e6ebac1ea213e2a94f0dfb212ade18f0a73668049721000000000e8000000002000020000000808c514bcd77f4ef654dc95313051586c14485bf694c78989556233d3fe195dd20000000517f9f52949d73d5f1290457c3f5f4e09970fab4029ed1606e9aaa3eaf1070bd40000000e6abd89c0f68397ca4e31bc12fa457077c4c7b53f6e9134ee0b30989d9fda119626fbf9e19fe5f1fafbe21f085a92d8af1b80134558256978680bf7bcb100920	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{57636729-51D2-11EF-8EE0-F67F0CB12BFA} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

DrvInst.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe

Modifies registry class 64 IoCs

Processes:

msiexec.exefirefox.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\NumMethods\ = "19"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\ = "_IDNSSDEvents"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\win-airplay\\win-airplay\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\Programmable	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\ = "IDNSSDService"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\ = "ITXTRecord"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\VersionIndependentProgID\ = "Bonjour.DNSSDRecord"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\ProgID\ = "Bonjour.DNSSDRecord.1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\FLAGS	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\VersionIndependentProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\VersionIndependentProgID\ = "Bonjour.DNSSDEventManager"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\VersionIndependentProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\ = "DNSSDEventManager Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\ProxyStubClsid	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\ProxyStubClsid	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\ProxyStubClsid32\ = "{7FD72324-63E1-45AD-B337-4D525BD98DAD}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\ = "TXTRecord Class"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\HELPDIR\ = "C:\\Program Files\\Bonjour\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ProxyStubClsid32\ = "{7FD72324-63E1-45AD-B337-4D525BD98DAD}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\ = "IDNSSDRecord"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\ProxyStubClsid32\ = "{7FD72324-63E1-45AD-B337-4D525BD98DAD}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\NumMethods\ = "9"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\ = "Apple Bonjour Library 1.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\dnssdX.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\TypeLib\Version = "1.0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\VersionIndependentProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDEventManager	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{56608F9C-223B-4CB6-813D-85EDCCADFB4B}\ = "Bonjour"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\NumMethods\ = "7"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\VersionIndependentProgID\ = "Bonjour.TXTRecord"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.DNSSDEventManager.1\ = "DNSSDEventManager Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\win-airplay\\win-airplay\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.DNSSDService\CurVer\ = "Bonjour.DNSSDService.1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.TXTRecord.1\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dnssdX.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\TypeLib\Version = "1.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8\SourceList\Net\2 = "C:\\ProgramData\\Apple\\Installer Cache\\Bonjour 3.0.0.10\\"	msiexec.exe

NTFS ADS 3 IoCs

Processes:

firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\android-receiver.apk:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\win-airplay.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\vlc-3.0.21-win64.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2788 chrome.exe
2788 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

rundll32.exe

pid process

4612 rundll32.exe

pid	process
4612	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe

Suspicious use of FindShellTrayWindow 43 IoCs

Processes:

chrome.exefirefox.exemsiexec.exeBlueberry-Airplay.exeiexplore.exe

pid	process
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
3988	msiexec.exe
3988	msiexec.exe
5532	Blueberry-Airplay.exe
5744	iexplore.exe

Suspicious use of SendNotifyMessage 35 IoCs

Processes:

chrome.exefirefox.exe

pid	process
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe

Suspicious use of SetWindowsHookEx 31 IoCs

Processes:

firefox.exeiexplore.exeIEXPLORE.EXE

pid	process
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
5744	iexplore.exe
5744	iexplore.exe
5844	IEXPLORE.EXE
5844	IEXPLORE.EXE
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2788 wrote to memory of 2760	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 2760	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 2760	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 584	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 2684	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 2684	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 2684	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 2968	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 2968	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 2968	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 2968	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 2968	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 2968	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 2968	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 2968	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 2968	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 2968	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 2968	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 2968	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 2968	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 2968	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 2968	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 2968	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 2968	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 2968	2788	chrome.exe	chrome.exe
PID 2788 wrote to memory of 2968	2788	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\win-airplay.zip
1⤵
PID:2564

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5f69758,0x7fef5f69768,0x7fef5f69778
2⤵
PID:2760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1112 --field-trial-handle=1392,i,14267407216237068353,8418762670977600792,131072 /prefetch:2
2⤵
PID:584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1392,i,14267407216237068353,8418762670977600792,131072 /prefetch:8
2⤵
PID:2684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 --field-trial-handle=1392,i,14267407216237068353,8418762670977600792,131072 /prefetch:8
2⤵
PID:2968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2308 --field-trial-handle=1392,i,14267407216237068353,8418762670977600792,131072 /prefetch:1
2⤵
PID:2988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2340 --field-trial-handle=1392,i,14267407216237068353,8418762670977600792,131072 /prefetch:1
2⤵
PID:2976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1448 --field-trial-handle=1392,i,14267407216237068353,8418762670977600792,131072 /prefetch:2
2⤵
PID:876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2892 --field-trial-handle=1392,i,14267407216237068353,8418762670977600792,131072 /prefetch:1
2⤵
PID:1980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2620 --field-trial-handle=1392,i,14267407216237068353,8418762670977600792,131072 /prefetch:8
2⤵
PID:1800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3752 --field-trial-handle=1392,i,14267407216237068353,8418762670977600792,131072 /prefetch:1
2⤵
PID:2188

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2108

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2088

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1952

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.0.275632164\1252998462" -parentBuildID 20221007134813 -prefsHandle 1208 -prefMapHandle 1176 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4143b907-764f-4830-8f55-fd6d847dbbf2} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 1284 106d7458 gpu
3⤵
PID:2488

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.1.288474831\927962983" -parentBuildID 20221007134813 -prefsHandle 1472 -prefMapHandle 1468 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2806f163-0b45-4d4f-bef5-ca4177f08a6f} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 1484 ef41858 socket
3⤵
- Loads dropped DLL
PID:3008

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.2.879713084\1478972360" -childID 1 -isForBrowser -prefsHandle 2016 -prefMapHandle 2012 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 656 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d357d03e-a46e-4237-a92a-686f4dc531bb} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 2028 18d35658 tab
3⤵
PID:1848

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.3.2126245735\475770875" -childID 2 -isForBrowser -prefsHandle 2692 -prefMapHandle 2688 -prefsLen 26151 -prefMapSize 233444 -jsInitHandle 656 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0226889a-a582-4315-8fd5-6a61dc6e1ead} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 2704 d67158 tab
3⤵
PID:752

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.4.808490604\2098647008" -childID 3 -isForBrowser -prefsHandle 2888 -prefMapHandle 2880 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 656 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a2ed3af-db8e-4f97-8473-1c2088c0ce3d} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 2900 d61858 tab
3⤵
PID:1996

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.5.800005382\1134237494" -childID 4 -isForBrowser -prefsHandle 3780 -prefMapHandle 3784 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 656 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {af7c223a-f784-4fa1-b90d-e79a0d7c401b} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 3796 d2d858 tab
3⤵
PID:2672

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.6.836648177\168203457" -childID 5 -isForBrowser -prefsHandle 3908 -prefMapHandle 3912 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 656 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7cb56838-9d85-4b09-a780-99b3f5dcb266} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 3900 1eac2f58 tab
3⤵
PID:1552

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.7.691849170\780886256" -childID 6 -isForBrowser -prefsHandle 4092 -prefMapHandle 4152 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 656 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9571a27-4ce8-4818-bd81-225e40f09b8e} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 4136 1eac1758 tab
3⤵
PID:2256

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.8.2000684420\2086726306" -childID 7 -isForBrowser -prefsHandle 2176 -prefMapHandle 1124 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 656 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {56bd9295-c113-4d87-8e59-522f30ef7204} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 2728 21fbb558 tab
3⤵
PID:2252

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.9.2120451685\1349115629" -childID 8 -isForBrowser -prefsHandle 1684 -prefMapHandle 3036 -prefsLen 27130 -prefMapSize 233444 -jsInitHandle 656 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {873e5720-06ba-417b-9bdc-0cde40ff76e4} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 1808 232a9a58 tab
3⤵
PID:932

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.10.1615376154\1870896236" -childID 9 -isForBrowser -prefsHandle 2656 -prefMapHandle 4636 -prefsLen 27130 -prefMapSize 233444 -jsInitHandle 656 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc85176b-5f45-4789-821b-23dd15674913} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 4644 20103858 tab
3⤵
PID:2628

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.11.2057350483\1106754473" -childID 10 -isForBrowser -prefsHandle 3288 -prefMapHandle 4956 -prefsLen 27870 -prefMapSize 233444 -jsInitHandle 656 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c31691fd-8a5a-4446-a5b9-0c1ee608ab66} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 4940 2054cc58 tab
3⤵
PID:3232

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.12.919817669\18091431" -childID 11 -isForBrowser -prefsHandle 3296 -prefMapHandle 8976 -prefsLen 27870 -prefMapSize 233444 -jsInitHandle 656 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4e2114f-1457-4a51-974e-65aa32e57867} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 5172 2337ae58 tab
3⤵
PID:3500

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.13.2144581112\1288633719" -childID 12 -isForBrowser -prefsHandle 9036 -prefMapHandle 5076 -prefsLen 27870 -prefMapSize 233444 -jsInitHandle 656 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c7da737-ae5d-40a8-903c-a7e3aaa92b60} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 8928 23cd1f58 tab
3⤵
PID:3036

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.14.1219744757\1826245779" -childID 13 -isForBrowser -prefsHandle 8776 -prefMapHandle 8772 -prefsLen 27870 -prefMapSize 233444 -jsInitHandle 656 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b80cbe58-94a6-4dca-9c7d-aed0b2b4a8df} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 8788 2485be58 tab
3⤵
PID:3600

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.15.1675668790\2084397414" -childID 14 -isForBrowser -prefsHandle 8676 -prefMapHandle 8672 -prefsLen 27870 -prefMapSize 233444 -jsInitHandle 656 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {06d8322d-441c-4db8-9402-161c8f83b1d0} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 8688 2485e558 tab
3⤵
PID:3604

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.16.1671259590\1581672995" -childID 15 -isForBrowser -prefsHandle 8504 -prefMapHandle 8500 -prefsLen 27870 -prefMapSize 233444 -jsInitHandle 656 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {992f4c77-d97a-47ed-889b-3dac36e32d20} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 8516 2485ee58 tab
3⤵
PID:3644

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.17.2008383517\900667465" -childID 16 -isForBrowser -prefsHandle 8464 -prefMapHandle 8468 -prefsLen 27870 -prefMapSize 233444 -jsInitHandle 656 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a61add8-4156-4524-adf4-a834d34f6c03} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 8452 2a611e58 tab
3⤵
PID:4032

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.18.620727148\2102690671" -childID 17 -isForBrowser -prefsHandle 8240 -prefMapHandle 8228 -prefsLen 27870 -prefMapSize 233444 -jsInitHandle 656 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {49cda5b0-850e-4448-87d2-4c967f7ac70e} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 8140 222dc558 tab
3⤵
PID:4072

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.19.521198809\1805985455" -childID 18 -isForBrowser -prefsHandle 8248 -prefMapHandle 8232 -prefsLen 27870 -prefMapSize 233444 -jsInitHandle 656 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba840c3d-308b-4c11-a1e8-802c3a4306cf} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 8108 2a772458 tab
3⤵
PID:3288

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.20.999288955\31347423" -childID 19 -isForBrowser -prefsHandle 8020 -prefMapHandle 7920 -prefsLen 27870 -prefMapSize 233444 -jsInitHandle 656 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9284712-bdc4-4601-a42a-59a13ba94508} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 8148 2a773958 tab
3⤵
PID:1636

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.21.1702172096\1499971461" -childID 20 -isForBrowser -prefsHandle 8248 -prefMapHandle 7896 -prefsLen 27870 -prefMapSize 233444 -jsInitHandle 656 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {408f70d1-e52c-4742-b756-1b8b42525ed5} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 7928 29cb6958 tab
3⤵
PID:4392

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.22.1358171249\615069058" -childID 21 -isForBrowser -prefsHandle 7608 -prefMapHandle 7596 -prefsLen 27870 -prefMapSize 233444 -jsInitHandle 656 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5aea6e3-11d4-4cf4-be45-70342e2e2afb} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 4572 2b00d558 tab
3⤵
PID:4756

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.23.1452618797\864625587" -childID 22 -isForBrowser -prefsHandle 8508 -prefMapHandle 7824 -prefsLen 27935 -prefMapSize 233444 -jsInitHandle 656 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b0b4058-ca18-4e76-9f5b-45cc42b544fb} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 8032 246c8358 tab
3⤵
PID:4140

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.24.1234531688\1690270215" -childID 23 -isForBrowser -prefsHandle 7472 -prefMapHandle 7476 -prefsLen 27935 -prefMapSize 233444 -jsInitHandle 656 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {45e2f1a3-f992-42d9-a964-fdc8ff277b64} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 7372 d2f958 tab
3⤵
PID:2684

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.25.939795798\172814681" -childID 24 -isForBrowser -prefsHandle 4552 -prefMapHandle 7756 -prefsLen 27944 -prefMapSize 233444 -jsInitHandle 656 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5e87b81-393c-46e9-abf5-7756ed703e99} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 8936 20106b58 tab
3⤵
PID:2232

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.26.1123701101\644240847" -childID 25 -isForBrowser -prefsHandle 7388 -prefMapHandle 4888 -prefsLen 27944 -prefMapSize 233444 -jsInitHandle 656 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4ec13cd-9b02-4b02-a95a-18e9bfac128d} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 2716 2344fb58 tab
3⤵
PID:5680

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.27.1942256902\440634862" -childID 26 -isForBrowser -prefsHandle 8404 -prefMapHandle 624 -prefsLen 27944 -prefMapSize 233444 -jsInitHandle 656 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d095769-1097-4f5e-bc00-47556b9f6f9c} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 2716 2a772d58 tab
3⤵
PID:6100

C:\Users\Admin\Downloads\vlc-3.0.21-win64.exe
"C:\Users\Admin\Downloads\vlc-3.0.21-win64.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5996

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.28.788287085\1321472703" -childID 27 -isForBrowser -prefsHandle 7088 -prefMapHandle 4968 -prefsLen 27944 -prefMapSize 233444 -jsInitHandle 656 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab7639d0-c19c-499c-b38f-816a9969674d} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 7076 25fb9758 tab
3⤵
PID:6104

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.29.1217066027\236512530" -childID 28 -isForBrowser -prefsHandle 7060 -prefMapHandle 6936 -prefsLen 27944 -prefMapSize 233444 -jsInitHandle 656 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5680a038-7e38-4164-9642-422ff97f7c6a} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 7076 24643258 tab
3⤵
PID:5560

C:\Users\Admin\Downloads\vlc-3.0.21-win64.exe
"C:\Users\Admin\Downloads\vlc-3.0.21-win64.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4880

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.30.1882845112\463609376" -childID 29 -isForBrowser -prefsHandle 7676 -prefMapHandle 1684 -prefsLen 27944 -prefMapSize 233444 -jsInitHandle 656 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {17432820-af53-4517-99c1-e64a7e4c6ba3} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 7220 2a965258 tab
3⤵
PID:4600

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.31.819397680\1747480920" -parentBuildID 20221007134813 -prefsHandle 7504 -prefMapHandle 7500 -prefsLen 27953 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {db4c861b-9ccf-42b1-b91e-cd8f9c7a6b8c} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 3452 26154d58 rdd
3⤵
PID:6092

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.32.157502897\798349853" -childID 30 -isForBrowser -prefsHandle 8216 -prefMapHandle 9052 -prefsLen 27953 -prefMapSize 233444 -jsInitHandle 656 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c63b436-8b5e-468d-868a-e7e5c9b85153} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 8856 d6d558 tab
3⤵
PID:5580

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\android-receiver.apk
1⤵
PID:1996

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\android-receiver.apk
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:4612

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x564
1⤵
PID:3844

C:\Users\Admin\Downloads\win-airplay\win-airplay\Blueberry-Airplay.exe
"C:\Users\Admin\Downloads\win-airplay\win-airplay\Blueberry-Airplay.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3880

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\win-airplay\win-airplay\Bonjour64.msi"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:3988

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:4104

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 15DBDE37D9DC81D0F3152E14A7E9E9DC C
2⤵
- Loads dropped DLL
PID:4000

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding C99C5E85C14717563CA4F843F5DC3417
2⤵
- Loads dropped DLL
PID:3540

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B6A37456AD054A7DCE292486D40832B2
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:184

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 7D1C312E33FC8EE485BCE1BCA7A12486 M Global\MSI0000
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1380

C:\Windows\system32\MsiExec.exe
"C:\Windows\system32\MsiExec.exe" /Y "C:\Program Files\Bonjour\mdnsNSP.dll"
2⤵
- Loads dropped DLL
PID:5188

C:\Windows\syswow64\MsiExec.exe
"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll"
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3088

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000604" "0000000000000608"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:4268

C:\Program Files\Bonjour\mDNSResponder.exe
"C:\Program Files\Bonjour\mDNSResponder.exe"
1⤵
- Modifies firewall policy service
- Executes dropped EXE
PID:5232

C:\Users\Admin\Downloads\win-airplay\win-airplay\Blueberry-Airplay.exe
"C:\Users\Admin\Downloads\win-airplay\win-airplay\Blueberry-Airplay.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:5532

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5744

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5744 CREDAT:275457 /prefetch:2
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f7d60e7.rbs

Filesize
118KB

MD5
a8ba2fecc24c7f763acb2ed22dd3814d

SHA1
bfb296a9a82287d1a04a42e67bc0c4775b5a8b42

SHA256
3d097b18841d84b17cf8004fddf71aec683b1e4cdf6b3273622af8b5db9b8b0b

SHA512
67455afb3f5f7b7ab068a1f2f798b23677495e23d9e6d05aca675dfa254269d43e8979128097c24faceeaaddebd0ae29f82343796883af21117b7bcd245263cb

Download Submit
C:\Program Files\Java\jre7\lib\ext\dns_sd.jar

Filesize
16KB

MD5
ca086bb31b598febd7e8d44daf14714a

SHA1
4838808e80df811cfb2bf7faf361b3cbc16f9f81

SHA256
3818abdee5b1d3d77ae4a5ace25a638b2d7d624605f8e8ce14dd6d4c6639c00c

SHA512
54188bf433a0da1b6b8f6f881af6d681a6bb629693191c7ee46f852953529cb94dfa894aca574e1cd7355985ea8d6187e7694c8144ea1db880922676f0dfe0c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_BE32D9F1882B93E37445F58E05C44495

Filesize
472B

MD5
996b036d63a7652e2eb4b8a954e5f282

SHA1
7ab9bf0acfd65fb9d670ef755dd41d4afb61df87

SHA256
aeac2a1d1952f62b85d59b0056f9976c40b7c543930ed9fffa466e6a9d7cf595

SHA512
3eaaad6e3ebc4838efc90b21a042b387281037b112a075ef8a23b834526fdb3be67fe85b1763bdfcffbf6c595282d5edf8ac5a99f09b7dba312b0cfdf03588a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6

Filesize
81KB

MD5
2f9bdbee42d1c3ffa89ea7be35a8df93

SHA1
c1c21f9e7b6c073e1045886708f4bd50e4e488a5

SHA256
c6efdab6cc7904630a873a5b258689584cc50e488565b6fef247ea05aa56e252

SHA512
52d68851794406b252ff764a9848e305784d543cbc4bf2b91e1b5e2c346f09a73218accd54cda9817b8011aadd558660b1318c56bc9d22e6610eda69ea8c248a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2087E0B670B77412221B4DDD6EED487

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F

Filesize
834B

MD5
a0af4d81b2b19a99a3d01be89d5f99d9

SHA1
4725c1a810005f860ede9dace7f1e5a20e5230d6

SHA256
de9f05ceb1610cf9964f0def09d525005569602993c82a647743f192e9414d4a

SHA512
eb98d475d51d07b929d92fe5aa00bfa21078f567906f3650eb3bebfff39c616a21918da8f0687853310acebdb160d4f65451204619a7b8085fbbc25491bb0554

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
ed776db679ac825ecc6df62aa7f1f77e

SHA1
b745cc9ab7d1352979c23e7807591eb4a345a75d

SHA256
9cd7c615e6127f41a904c1e0f73caadab44bf5a29531a5704ada9a0a4ea2bb0c

SHA512
f07c7736974b500a2a015c36d1b530927ad0687a269533a56a0d2115b9ae3b51936365ca65a490320b29f95edc447b6fe1d44809d2be0cbf6f2d4f56373c51a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6

Filesize
212B

MD5
9882f9f20675eb1b27cbb019f32757c6

SHA1
56fecd4e76d999a33b5816c1d917e4d0cb994d83

SHA256
cc07af74482c0541e8920f6c2a9bccb98020b981736f46b639e240e3fcbe62d2

SHA512
20e95098f4d5308158756772f77587e1a3ba38511e791dcaad1dc20fa6aa1654905b489a8e0821895574c201c376f3c47b6fb1ba7c970372321e745543f5ec2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2087E0B670B77412221B4DDD6EED487

Filesize
412B

MD5
a2bf82ef90384fa81daa64d69179d8f4

SHA1
c1b659f63445bf4546325a09d91e02067a884032

SHA256
a480934edd2f407bf5f53cbd36adf582a2dfca976946f75ad4e166fe42014aab

SHA512
fe58a49693297536c251d6383dbf56b056f2a2c8ced7e9847390dc4d1e5272a8f728ced8a339aeeecbf64cb1add05d1e3c994d2463b87fa7146145ac6e0ea8f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6

Filesize
404B

MD5
0b6c07337066bb534e5c7df0d5436828

SHA1
90f387f9f1cf94620a4de63c43a1b0ba62184d9e

SHA256
943632d0c42eca5dca35e7a92ef63966ce07ba8646b21ca30e484b8364083e35

SHA512
c3b23fbf5c654ae9354ae46247f9512ed32fa25ec61531354ef9a381029d9238dd6737a24c373e41e7143bba1e3f46d68463c78daf2d9d5e3c28fa3676073b4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F

Filesize
188B

MD5
2e5640d498c3e4613ddcde70cdae7c11

SHA1
3098ca031868cb805833404e900c14c998b33283

SHA256
742cb761b9e936717925af72db34d4bf1b1aa4657481c1c4015651721d2f616f

SHA512
513c847a0cf5b4ebc64542d62b017d4147ef6b9bdacdd16bfc6a363d0cbf699bf7be89edaed9802d8a7df94000396cc967ea27ba7abaddd6b7c31af46f77acd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06541258fd92e05234b76fb2555626fe

SHA1
631fd472c89b1d412dd00dd7ce07cd7dbf71556d

SHA256
caa87ea72024d030615bc04e18acf392e1a41c0e8f6c28f31edc0840229938dd

SHA512
d34e8d24e29eb7865e0a678c65e9ffa89a652e7d8b3645262e11fc3b566569db563cf6464f73254e1d7c6f33e9e58c7c4faf7e34dd66a039416083bd79acdd62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb8f6bd69c04924ec1515815664b222c

SHA1
db9c6a426b31248bc62703c94459320b0d2b2d6a

SHA256
d155f9e978dffb2072cddf5a55a3de4da10ad12453b5a125f2a61d60c35a411d

SHA512
b4786b336717a2dc286ec28fa717b409ba6f7fa3a6aaf02eb221215550ad6a883dc7cb48e4780275b018e5a7320a6625b0a67683f88f6833c62420fa3261383c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76e8da1db658f09b0c739fdfa141415a

SHA1
067fdb67e9b7759344164a177ccaafafe3b47fcf

SHA256
3205b83ed442aaeee9dca80545cec1e71d4210610250a182d3efc9748f9c81ca

SHA512
bc9e793ca93267680a76df0d67cdb455e4668e523dedd8acb53d56d6b6f9808592a05ff5c599cc8e0030a236e0cc091ea2dbb68c1ae4e420708e91b64439a45e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f5e74ddcbda7a904b5424e743cd39cc2

SHA1
f4726e03c39d5af363bee0ff91c7885931c983ee

SHA256
5ec445db34dc417136f5294d0a624d6ff2edfa662dbb1ba343f83ca6c77b348d

SHA512
d9d8f69d5d570781f6696522f1a817b2b185037fd2ce499df81bfa571b1596bb1411ae4e89516485cb2b764473f6ffdf46264d8adcf8b98226fb992d0e276014

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
618b32ebcc6ef4c8d7f3650c601627fa

SHA1
8b8792c326f3906798e7d87981af7c2d9cfe9b15

SHA256
0f741fd9628fa739e34f609a47f90740bbdc7a806cdbdab6d6d8b05d82c85d3d

SHA512
f86bd0f236eef81d5ce6c677d6865b14e3ed43fa7808b727b84e1b6d55d4c08eb16ae54330d729be5928cb790b5fdfc4ae0d0c7a08e4fce2257480b9e711dfc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d16b899ca7c7065721a2539224785c36

SHA1
c0ddf3012912447022420b835a5405bfa89db63f

SHA256
bdc2dbdd18c8870f22650725e2cff97a1cce2fb202329f4343ff690aacb9c5d1

SHA512
5cb2e49b9bee31a69fc9806ee7e2aede5e4e4bfbc12c202ee20f605176d4d2c7a9a900cf01410c598cc3c35fe382cfd8bccd871e7d32cf82d66f3ecac59a08ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3ebfe308cf224560a5325ec5274543b

SHA1
ec77af527aa14b1fa136550b6bf6b8830ab8757f

SHA256
d0e9de3334d0cdaa485b642251d3cfa58850d0d226c86702772f18a392b17a2c

SHA512
777467488de0fda44012ab49e2de844cff2968a6c973669a7b59e52fb3349d283c94ae86e58853930ef52e6476bf1c4b1289a3cc2d145387759b6adc7053ab89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a623328e2434b5917447e17f334a7782

SHA1
0148dd1f7cc5978752943565b99184848bd1d16d

SHA256
5dc416126bd343b18cf646820b4b8f5995ba0ab0288d54a457bc3727297fa039

SHA512
abf75fca0fcbd5d3ff1877fe80923e315953bfe5e73f3ae4a6a98c76205f1bcbfa10387746d04c3071e69b23c7016fb7f1106a58da3934f28dcf60db55645e68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ef266fd1048102515dcdf08f987a177

SHA1
b6cdd1923d1d3f1ab6855f781cab486559642106

SHA256
21a9f73af751269e782297008266130a51a150f80241f8d64814a1787102225c

SHA512
2336b4887eb674fe53a7fd31cd1f27b449087b23add71d6145b5a4f86a59350b99e56923e876b86854ab67e0125b0e4b92d23aa2b2c6d7dffee6023562b701cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ece6bc37d3105464c379e25f7c1c632

SHA1
2ab9f31708b71a811ecaa9a1fe2a6109df135cc7

SHA256
8447e6370d9741bfbdd993812ee396045689c8e4495b929796b026e05d1ea9c4

SHA512
9fd51257df47a8d694535df729d4bba4b2530a87e5eaa946ed389e68457ac60ad723837f0c73c410e4ef83db982afefa1b106bd8bec343a846aa6633d2565927

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2bb2dfc31178321bd91b5da2c4e2ec65

SHA1
753cd9020e6e7bc092ca251c696bec01eb12d32b

SHA256
20345bafd4528d74c2b82235031298fadf6e71e514fac1dea18271751d633403

SHA512
611c43b668794aa3aa23e58a00c5be42a56cb8e62993926774e1186d69c7aa0c126a3c0f135644f45ae0b3a9d0cb0a6fc71b06abfda7e64a53ab409451b58aca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
5d1db8b1814c22f00ba485d850a457e3

SHA1
121cc6d990a2b18574a24e6d270d4ba356c9af7e

SHA256
85f31173d004e241b7dd928e7404fe03015a846a96e5c2aafded81b83f81fb3f

SHA512
481122146014356ba1789ff52dd8476e88792ac9503a872061bd14020d455706d2e0cf6f4d0b9208e525d681a1a5f2848c4d98c71d42eaea16d18741913fdfab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
65feb1083d4211ccb74896ac5061210e

SHA1
574734df9beb0ae24a5ad45aa2eae2ad1b34c290

SHA256
d0105dbaee0a5fe94907deab99061cf3f4ecf90c7f6aff56ce05121320e1c332

SHA512
7451946449ae6993d11b75ba912435967612e8c6bcc46ad66d6f4a76d38ad312ce27bd4c2f99e6b03cc3ae6f320c82a2223a9416e0fb417a9ebf3f741fc33e34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
81a147f3cd89e88e58fd67d2eced128e

SHA1
5d9685e217f852937228c1aa85bb90c091b26d66

SHA256
2c827144f021fb7c45513690a45e12f7c00daa06cf87c47e17a70c8c581fb9af

SHA512
77bd281b4e842ac3bdd92c0f289ff9ffc6ea686724f5d6cee2278d1a64ccd2e9ea72aad12868670ce24ad41fc2722593e2682ecbdf1aa03de104aff459b80a97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
6c788dea3e2802532dc7e9a970f5232f

SHA1
27eabd1d85cc0db6b4f87854646e72460a961e91

SHA256
0a089f77a2136a622674a81d50bba400a3a92d7294f91deab434e767cdd69850

SHA512
13b2d0041d66486aabe2aaae7937a70e4ba2aa1c60008f1250532d4bb7fba7f6e6a1c58ad02b66c8a565cf5b07b47722a6c50757164b3ebac80fad48563a71d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
325ba4065da0085844743dbd1f22f81d

SHA1
ef3ad5971e41748982e69bec378bae748f94274e

SHA256
3d2e16a22fd0b947d1464128f8b38c8670c788afd8144be05327bee45408059e

SHA512
033aae740d9661f0605e65cdff25acd5e8cd72251e91331133a5301a0ff4ae0bda83a0ecf9a690b67a5ee68c2b85e316176aad34faf1da559ee455db615502cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
aeb7904f217e94979c25ecf0246f0b20

SHA1
1d403e645b07ac3f57010cf45e585398e1dfc5df

SHA256
fe6d1ee818daad60cfb201f4999a944e068f6a18a064b27edbaf507e939f9b2d

SHA512
4f1d2def4331a536c0b52e780bb16ce1158d382577baa5e53967eaaa5cf6b3ac5f8dcd1d95ecb23e8e76baae9755f143d876a2fd19461970bdf2d0f144a6a1c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
311KB

MD5
62952e2dd2e634dd010ce15d91c0907e

SHA1
96afc7e610cd70c36e11d8e35df5c9ff455fa2f9

SHA256
2659621112e8c4a602ba7d0780deedafde218ff34e80dee49f0950d0f7d22089

SHA512
9a37da2ee0d4495f2b92be42960301d27e7f87af54f57b923538e1cdf5ba2de0e62bcf51148426ffa222936431745e41233ffeef66202553fb809e34b33fdb93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\fc7f9b94-cf48-4985-afed-d9a9919e483c.tmp

Filesize
311KB

MD5
06eff9a9959154ee9e162a2ceb718722

SHA1
387c6274c9a679a17147b2e5c21ddc79f556e42a

SHA256
8493179e9d5f7afc80ca5212fe4d8f4b4816acde00bd8b9f37da794e1e389976

SHA512
3c9dda849f3a486e9e8cc975b21c66fe5dc747befd0ff3047bf5d8cc8ddd2d2a70de657b752db3f6ada67f4db3109a87122162b58fc0c6c5b4c5f6ada6f6969d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\85y7ywt\imagestore.dat

Filesize
3KB

MD5
0020ff022719d630df0b0bec826ae796

SHA1
8e136b4ab8b97b50b52f11089c99e8ccbd53b16b

SHA256
3cfad9f17247856ba95e544ff9f3afcc5e78050bfa073cdc2fafd9fb04cdf8e0

SHA512
e1189eac669e39bf41ed51acac33137a3b2b497b3bec3215d9402d6f6997e29a2c285622bd4996797b2cee24b89b5968ad716bef67cfde0ef4fe72f01f6aa6d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4RXRX1VH\favicon[1].png

Filesize
3KB

MD5
f6e2351388d04cca72dafc573690a1c2

SHA1
9310aa8b2cd5a2493094a865ff958e3559440c4b

SHA256
b4ec2824f00ea079fbc5213b7069a1022900e54c797c00292e1150ec1033eb65

SHA512
36990155cada6a2b0002780f263a4e7adcbdfa4ff547e8a41a41edd03a618e72d8b5047f9be846eff5dfcdbbd221593c176e3a02b18b78e5d1aeaa2ad12c6638

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\activity-stream.discovery_stream.json

Filesize
24KB

MD5
032366ad0fa8209cff4be9fc4f76bf06

SHA1
c726e5d093b5efbb8e6472dec19b7ccd87e335f9

SHA256
07bf9d9da99ee1ad89c84c74371a61b6d9b7a6c6a33b3ccd4bbb6fdb5568a6ac

SHA512
de444655edd76332a95c453607e9c39bb055e4647571a8bcb5f712a56b6d9ee9e49bfd9d6eed7a40321d7ecdd7ca6ae2f3071d68d707dabb59c178a78dc82756

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\cache2\doomed\10115

Filesize
8KB

MD5
1266f95d0c9c8bd2d5ac819f06f62cba

SHA1
ab8e2ef67d9a10759744a7e7a31a9ec2697a1033

SHA256
07e3114bcb139a2aef88bfbe0c7107b1ef2f5600c8eb84c40b0c69f999072ee4

SHA512
d6ea20f56d30ef6f6a0bce9869989ce6732c7a4eb5c2622e7365f771818e967d8a6f4b3181b2c7dc898b7f12d2a667dff0b0ee5e869d2f6eeeaaafb7a9b65d11

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\cache2\doomed\14072

Filesize
10KB

MD5
d7975c04d2bc474e224b383f5533bf8c

SHA1
834894143ca21ef733cbc6deee2834688b8d033f

SHA256
1367db50257433b7f29d056cd4b881f1c0d2a3859df0c32960407d4a34e2adf9

SHA512
705508a472d13d695b82f94443253c04eea8c81d469c2e560460d306c725f5b8c73f530d545c3307424740c87cb14e6de7cec455c910f9a475a750377e3f4926

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\cache2\doomed\17057

Filesize
10KB

MD5
dc5b7147e527be36c91eb154aa0c04a3

SHA1
b925755670cf85e784f250ef1933b6536467edcb

SHA256
bd1a6ed538387971c8b9a0cd7ef4186ac5643e0d284edb463e2a303361e7ea8f

SHA512
f3dfed5db38dfe42486fff42a59f69fdd89ea2c148e8c4f43b8fa4f16c48565915a30f493b5e86c02b9421494461090b9a9347c13ab1e9b15cdb6f3e5064b54a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\cache2\doomed\26480

Filesize
90KB

MD5
65ea1caf5da522cf3f153a5767fe269f

SHA1
35f963b846326485344f6da9cda26862bcb10460

SHA256
c3366f2110a30b07e43e0b703c728623ccc2ff3c266ad4873850bfc8a3e16d52

SHA512
f4cfd2e41062f946b89bc86b37bcc89e443307946e672783d226087c4834edcb618e63b7cad21ba6d9a5ce69181f24b56c74ec6ff1a2c022aebb1f7cd4d3fa9f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\cache2\doomed\28974

Filesize
12KB

MD5
c1753033a04dcccae72a300c1b2e92d2

SHA1
5bbefaac059e0a0af7c6d1ff7c3797696692db7d

SHA256
c90db662938d453ad5093b67c029300d0ff3b0437753de56b2a7ca18b67f979b

SHA512
a7f58a5fbe2670d95ef8f1ff2697942040274bbc33cc14761d311eb87fb90709d68cb8e379e37aea3d677ddb602066166ef088da99acd2f9ebd9af27d480122e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\cache2\entries\18EEB42879475063460A51908A7F5B4B8022E05B

Filesize
138KB

MD5
846a15b5a9a09fd87bd44229452cca44

SHA1
2915543f3341c1cf60631e4a200bb3002ffe2097

SHA256
673893602fd10aa198efc4dc34fe0de5598c8e85bbb81517837021466f8fd78a

SHA512
984f55e3b98df1ca8ca7f1279ee35fb718e25b32de844cdeac1ebeb399494f337ac4573c284d37a9520706f9691e11d92d0a85f785b73afb15f3cb681d37b841

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\cache2\entries\19E37A4CA5D124F301F7728967045EED9FB0FE21

Filesize
18KB

MD5
ef33085e2aedb354288f8ded85382465

SHA1
82320184f650d64dfee1336ac846c511d0b31754

SHA256
01828a60e34f24ec050308c6e51637fff2a13bb103b7bf3a8abe81dc3a8ec4a1

SHA512
669734feb0419366d1241a8b928877ebdfcb97a8e9515f66b459d12b801e5b6a9f839ab11f82ff022993f7a0a9d03a0c3ac61e337f5559ffdc99fc31ebecfc58

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\cache2\entries\21DB8F0C235833C79E2127F2155A1C888E6E81D9

Filesize
24KB

MD5
f08e578159a749f343d90db3a6df5762

SHA1
f780847d39ca3bb7305ae9ce9c6af9e20d3dfc83

SHA256
0a9352ff5b0330c2711c0fb23a944a233f4bc290fd4aa9880db743e4384ec7b4

SHA512
bfb804f971324b06bc239481a73482b2e2fc0805442c41a7945e11aa6726474609e4dbe914bb1c579b5070a18417956caccf03e31b46bff0cddbb6c2b1ac0740

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\cache2\entries\677B80A25A006EDCC273545819E7C8B9A97E5201

Filesize
41KB

MD5
0aa28e2dbd6c84f95cf7ace560b5ee4b

SHA1
6440e53736473885e4ef08e3f1d5ef47e9c2bc0a

SHA256
5c9fc0268afef9a7b92bbd127aa5d054b31e3017ffff6fbc74d9a292b1c99564

SHA512
aabf4acadf8098f7069fd1e77e695abd3448b38fdb1ccd7a6498a86b75a629419327b40d2216cfae0aab6992c190b23fc73e6e77fedabc810b1974f0ff865283

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\cache2\entries\7D3068195A30D049CC263CE0A0641E65E92E39CF

Filesize
793KB

MD5
54b371f3463bb23b89aba1e7c2f1ed34

SHA1
875329dc025df80ccb3047a33c4fa6375b7eaf83

SHA256
f17e6d3e587b5429677524090624d70fe8254d746ef2e0a21295693361744b61

SHA512
7d157e5c09fdb5c2ab6568d5bdf131272e2992753317a4facbcf687e7a3a11b37fa8662304173aeb9f165b159a7cd4a87b508917822cd2b02a921b70affbe212

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\cache2\entries\8709E8A0A3A140D3BA059C3A07420EF01DA5FB25

Filesize
32KB

MD5
f9de1736a83f105b41c51c5074bc2675

SHA1
5e66e2705291296f1eb198c7fcba079252182344

SHA256
27a98c19cca3244eb673c467dadd81f82e145a08236509092ec8cfcc403eb9e4

SHA512
c3ac3b35a10ff670fdbcf83c57249e4cecaa791d474e3aa6dfce15036bd516ce0840a9c0999091d90b38c77c505fd05a6a9263940b7c9f6c07ad5143ccb96ddc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\cache2\entries\B593400C004AF31BFEA6FFE327487132E8085C28

Filesize
21KB

MD5
1e2d09df3a85fe55705506c1b14b6186

SHA1
9ca4cb62c7a1f5f6a5290ab20dc2acce2faa8510

SHA256
e41fd4ecc32c05fa91c2e7a6164c5d7dc5dbdaf6d0eae2155e3c66d2db5d69c2

SHA512
db1a63a895581eb50f27d06c4c44de300ee9e7d421d2272894c8ad6a61eae0456275e9f16d7297510ea9b50518862864a54b1f9cf28c710d9ba7b64857f6c937

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\cache2\entries\D3543417D9B86731A33D197FC5B4F7C610C172F9

Filesize
17KB

MD5
1821ac0d39de253141f0ab1832aa4198

SHA1
cae5556851b48047a4823a305c841ae2b2d55f22

SHA256
430129bb32ab7016856218997b3fead4aabb3b39d936e776cf451d1330466687

SHA512
c496cec295dab13301fbfa7672fbdea0de96e1853d8c4b142f04444c075f521120aadc91b86c25e61e71d5707da17a55ecc93aa474704ad0a79879d5137a13a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab189.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI50A.tmp

Filesize
75KB

MD5
08c031fa82a09aae1079378669678fe6

SHA1
b109251d2fef08bd446be0c92369e6f11eb67093

SHA256
8764d060558a9d4ef24adb43201d5178033171a649ad497f79ce3b6cc8eda98a

SHA512
d133a7c02ee8e6e4a971ed4a6537c11cb58516a5ac0501672169805f7b97591d7cffd3a72133bd1df4b8d8a4f4965ddf324a83cd9be0d8af15e646a121e2ea4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar19B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
21KB

MD5
4891414c9fd9d98a1dd363dbc3f90bdd

SHA1
3d15eef9eaa85c8d5533de17737cb9b6008fc7f0

SHA256
b1eec970adaab7b4c8aa844b1fbf23979e5b91019172242b105ffee4e10f4c0d

SHA512
d7baf8b9666232698e6cf48e780a8589fb4c2101223b887a3621de71fc73147cee8d017fe4d50e4306bf3f548605b6dca9ac360d2a443a2da6e5cb52ceb27b01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
14KB

MD5
6fb02cd2036502c4c7e0a514aa9abe07

SHA1
36f36cc8d19e9d952b6abf0e4d2d9f00c1515e7d

SHA256
d06baaa4a4d6f02dc16d3eacc2b72962ba2cfd76395a1ecf550422f537bcf482

SHA512
55c60f0d93fcf29a23b99a4e9a7144a876cba45f9eef828f65d2201ca12bf408a4d54b8a61cddc8e5823f0ed16d7146c642b6750de9edd6c747555eeabf70a91

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
ef45fde16c91e76d034ae9cfe7adcf9b

SHA1
eb1252b0327cb4fc36fbe5d2a39494f470183091

SHA256
189f495cffc06e2e0b6fa3b2597013f8a9d491a6fe74fb8a74d1fe73690f3ca1

SHA512
0d9cfac53311362eeb8a7ea38e6fb9bf71f9a7d0d0b3f0b71807788ddb8c1fdf2a1bc99c42ed561978c7d430e53e1d6e35146f6daea9b602bbaa309d9ca2a8e0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
1b012146e0748a51ed0ba798b0a01576

SHA1
6e02f3467348286a774b6df30ae97b0ef18f500b

SHA256
530e2bfdba1dcb08df08e690fa2f4822ecb5f35817fe1015125849c27495e05c

SHA512
60f0c50c45b07c1d1f7af909e728fddb57725e88cdf6fc235e14b0d52d92e757c888e87d990f7e8f948148404cd8cd9ce17e02a1fb9b915643a5cc3807a3f3e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
2ec4ac6e4e94ee7f83b2fed8cbbedfa3

SHA1
c74ed6ee5f249248c01613ee2c7f7582e8290e4c

SHA256
a09cd4c2112f2ca0ff958ad4eba678f59a480541108814310c28306959093d5c

SHA512
5126c12d095780b7c0a6476968a848089a200f236587addc7338f22aa4be1a56260811a91fe25575b635af31c90eece446cb91e4aecd162a7d975ea93137866b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\datareporting\glean\pending_pings\e3a16c3a-d1b9-4297-a3ca-1391741c6678

Filesize
745B

MD5
67a82f388300c3b545f334eedb7bc148

SHA1
e126c3f426b6925698ab17ef93f16ad186158030

SHA256
fe294a44b0e74ef32337cd7b841db24a7b54eb6407b9dd8d937ef12b91e9ac6a

SHA512
14bb2469f2d8114cae98c8eca020d460b14879bd5a614a04feaccdea7208b1c9adf104f0bfeab58f719acb45742df8cbdf5714abbba4300938046fb7dd0d8317

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\datareporting\glean\pending_pings\f5940744-68e5-4f6f-a1c0-ea314613be5f

Filesize
11KB

MD5
025abcb919e916458eae761809c8e67d

SHA1
14a5afe09963781ef3d6a175c198dfc88061af9d

SHA256
34b1d49fede7f2a22223e79eaeae6db4f21069c7cc999520aa4fb4954b698bbd

SHA512
2ac93fbd9e3c39b08af539be493d6a3fb97a891371fd23069a46c7b7b55f4255bac3639f88ca537db2770e06a723b025c91df3939df930cfe4b5f5c263e29fe1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs-1.js

Filesize
7KB

MD5
55434424a64f82da9943eeff4dda98c8

SHA1
7e0473139b24c3b4a29a4f9bf920f0c89a7bcd6f

SHA256
2308b9307fa55b44e908bdee52460c73fc5dcf439e091527ff32c22d12994a95

SHA512
870d99b22ddf6b05aa1e366011332f1c0ee9d2a3ee1c531d566467c22dd80fe5c832ae80b37bfae139bf0660a424239441c82369b87f1d0b2a61a8510687161b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs-1.js

Filesize
6KB

MD5
be51958ad3b0ae74030d871a8492b860

SHA1
c0afd5b92b88f1996a174688286bd5b93c07b407

SHA256
9154141c8f2531b9cf7e8ae8a001bc6ea4faf990f539e9479b2aeccae13de380

SHA512
381bb4385fe533d5c00ce87d7502b2f7d01b88b28386b1bed32cedfa6fc28576699838a3d2cff0a9cd3fad1581050e00a42e494b2c78e5eabb957f7a10c16f27

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs-1.js

Filesize
6KB

MD5
1c2d1ed4f9a4b7828a77a4289a46b725

SHA1
95eb3e1bc30da769b8b98d7cbac76ea91225102a

SHA256
230c7a859dd369e50855bbb8da1dc7b88a36fa27762dc4dd2ed962ea65b7113a

SHA512
afa162b282cbacca9b12c8d5c50f341928dd2dcb4cc554864fe576ae8e43b5282bf2cadf73740d0ec1d38c07d2b427db7a91e531c4d8e4284188eeb7ddb78078

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs-1.js

Filesize
6KB

MD5
bc0f6cc7378b90e180465799730be04b

SHA1
265f8524c8b8807f8d5244476178aa5cb5c7d280

SHA256
75a0d532dfe5960140d34f9cf2a7604b81f370a5e7d6409b033ff61fd3701b7d

SHA512
23faca3c7d2747e98c4fc9b98a1796a094efd812ec2506472e2582199d287993ca097a4549a5098f32f1bcaed9666eda1784b3f3182fe5ba99c7bfebd6ddcf93

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
142506242d8ee74be6c34bbdf5a4af0c

SHA1
6de41b5d3631e7d2ecca6c1f10b3a22bcc76b3d8

SHA256
f1c472c7c1a5b71994f35b739857735a8730b428e1ac981b8b24c7a1cf47b122

SHA512
6ee7d7b3ba48858c309384cfca3ed4fdee60d0115fca58f3ed726d682fda195f056e98bad016c77dc3a783b431d5b1f50d4444f664da1d5c8544bd0e00400fc7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
a518a045624c802dd68a554568ada526

SHA1
6313482d706abc4b8346270e5916f67b23dcd01a

SHA256
8a7fadbaa1eecdadd4c3a4255188eebb7dac43299e9853c6f20935aba84a57ac

SHA512
68cf0fdad582bbf20a2927c4638fbe76e02b081776ba7125eb27c36b3541557dcfeaae446844bc49b29800e381440c79b1322d969cc67e7e778feb13350c0823

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
80ca9c174adc3a93f2c7f4a5b948895a

SHA1
50fa5789401768d9a895662a206c3b7cec62ec4d

SHA256
ec9e750de879ba0b807ba538c3879a1ab0fe3bd6c72c6b24ff1bec3ecd0585a9

SHA512
eb3b83f68176945975fb6f10765cceed147a1facfe434bff69d2478132e21184c416403e123ebea2dc741e0c626fc6e114af069963afa893c29e4355f6da76a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
9KB

MD5
fb98089e581b5276fde411ee5f22af0f

SHA1
4ec2ec689db6e19eabe3c9836d4cf67dd83c1eac

SHA256
d50349cc2bb8bba88801f3274fb8112349c2a17e4c299d5f707efe858a77b9cd

SHA512
9cad81937c0fc400f819eb6f303570d1a8dc889cd1639770f13d86093beacc999ca5fc98427f9d7ce7c7744a2bf3dfd0eba8502b5572a72f775ddef224d304fb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
c7b9388d16242f25916a97a95d3d8c5f

SHA1
eb2cde48ddba8acd984a8afcda554cb5a720f88f

SHA256
a16add434bd7af631ceea2a64e8a3dc032e8fa3fa433a4961335f7cd4c8c06e9

SHA512
bf637540a6f1e49d516992362d557dc6007703f41be3edf924336e9d2f0b2a6e53c7bc9c0161f6cf5af403319bfc3d5682f03087c81e58ffe451785e8b2026d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
8abeae664c1f37cc8392b06d311cdcb7

SHA1
0e7443b69465d12c7e38d2d6b912e9c4fbbe35fa

SHA256
d6d70d22c2925a3d3f3c1da2cf81069aa90ab1e5fcfbbfe4638dcfb49aa0118a

SHA512
ba51219e1acae78f6c2ece9c3dc6101ac996570e7ee2f66ed11e566583d38caeb42509e4d8ffa0c0ef225c11b6b34bd16ad41d42b309e1f3c8b6ed58f9404c3b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
fd296773ea9106d27666faa4c04b65fa

SHA1
be7814e79686a6b07db0f1d01954f1867d3cb208

SHA256
08f1682797a76a5f956b7afb99503a9dfef48353144f3278431d637ba6604ea5

SHA512
834aa515ec4adb45f6825f53f2e7331922db72fd2d9b97e2362a63170b3e763cd648a5db805d5c7a47f7ec369497294087ba68ffaa79883fdee9cba9e740d46b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
29c807f4086e7f9bdb19e8ec79bca312

SHA1
489baebcc7ef021b3af3e9d97c3fdf686d8c89c6

SHA256
574a2fd89cf60826e770554499dd4428c14d329a24b33e2eab0a81c23b0fb0e1

SHA512
5a8ce56970bb880236258ab1ed3d61744acab94fb5c59a957cffa8e58e4c7cc83c3bdaeb869a449de6ce8e68165f237d9a7a0fa7d515ead5c1b35dfb7231fa42

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
41be34d080c9ae512df040c68917b9e2

SHA1
d94a766f09757f596bf6602026e97f77d586e67d

SHA256
339fc5953f528c4d5bd5c07d47dc02a460c8cd255f21688b04494b12ca5c4fe7

SHA512
4172d7025fabd6f5ccc5005ffd3ff2443e0ce7881e352dc60ed62c54ea9d32f12ad85e6caea055beb96a577406c437ebc90c5ef7495b8b3077e3d5ce6b528df5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
9KB

MD5
e77332c8f880c64a6a9042533585d238

SHA1
ab5a04c5575334019a867412e19e33d4ce201e6e

SHA256
11d17443489e62976be7709b99d5bebc793bd3006f3f06b6300ba6390a86dcd3

SHA512
889cdf52242b369ff55407f686d8abd85579977d5672ea3d376a4236a24d8b0c3c6ac2f28139032ba0de95f7381057a65e7970ff48e9829e2d3569fc4a384a0e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
f7617b1ae534ac02a1526001ad2c1bf7

SHA1
0b1cce9fd86b196c0ba21ea11906e76a91f68316

SHA256
5b36a1cff804e4d8a2eafe79605ad15a1d2ade19d9f39e8672bbb25645a7687d

SHA512
97dbb1d72d7c95526a0a3d0d677d36f9c198378cddfa08cf4495791c0d9fce0320a5e97265d25bab9cf85970f40f2983ebae5c5ed6ccd7f22c9da18766cbea10

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
9KB

MD5
37cf3f5dca629e2d32cb0bc08269ba27

SHA1
709a2cc1c98d9f660d150ebbe3fc613bd6f0afe6

SHA256
54a459cbe0d8103d88981b8b3847780c9fccda775174ef9b14cedc68121fd3c7

SHA512
2ab985fad4181062a0041e8e1852fe70c8e1afca88f2eceb469c4266549a7ccdfcea36cc81da1331ea3ca79b9a8546e36f745fad7147526e0bf72376cb8eff76

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
519180da4715210d9bb2ff30b818ecc6

SHA1
e11273e8574802d71553b8cf665d7f02bd42e74f

SHA256
ec797bcd38f6e25f79fa8228190a42cafe10cad677014719fcd4bc8bd9f45b5c

SHA512
a72188a6b7accc32628d3add1d9410bb511cbb51c252d55037df860cbd77730ed15d73170057d5104aeb4b3595f47a7bb2a59b240c908c3adfb051a19615e6fb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
8039ac9142f344199a204880c7e60484

SHA1
c964ebc8e51f1e6e72c5504795c3f86b712f41d1

SHA256
0a976e0bf26aa0c9580adfaf491c63b1cd22b1a3a4e1b913fc7c18b12850b198

SHA512
982e3f300d5424517e6993d24af2e83c14dad2c2adde1cb36998dd4999a571032a97e14141e7ed26c023a4443ffd3e9917d6f7938b3f5628f5f9d23862030b46

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
3ca7881a48b1863f064daa39e69f0408

SHA1
3af457e1384f26b34c5d0f38935600dc138eb7f0

SHA256
0e88ef25c4f1192f4bae81045a590988b61ad91cd416e1ab8c252cd5bbbff2e9

SHA512
490abfd14563061d0bd26e06d25dcccd8c1366c1eae8923d110351d53a612d472c80628d023c1e5341883b0766b4049a3bb8dfb0491d7e9085aa99852f2f6335

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
f4f58de9d1885163d5fb4c37a838c244

SHA1
b6cbd05737d97f7f00fff654ef3d071d2d6e8553

SHA256
7e44203927cc22c5b8337c8895569c0feac211c3a7b9f9b759f0682c639212e0

SHA512
9ccaf1567ae0ad432441c53de793ccfa39b24838bcea0663883e1f600db532dda26a87a302ac18cc6f85f083cbd7aa6f61391eabf2ea7b94ac80f99e6b43e04e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
13KB

MD5
c087b6744dc72748d4ece2e86ba99c40

SHA1
2e5e179ee7dfebe5c8bd6dcc10b605255789bc25

SHA256
e23551e84ed5941937b5fbe3ef63ad0dd3cb5dff9cc77b597564259c87d39976

SHA512
430f2fa1849bcab9d4eb9f52806e8f4a200ab4c13bb94eadf09fd5b897a410b2e844fc088eb37eb4e7f2d054b793c37759e905400392f477b440cef728034cc2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
13KB

MD5
80c6e356f3ee7fb78af1f57f800ceac5

SHA1
650c3d97245d3aaca6ea312046ee901612ffebf2

SHA256
7a8c1e98e36dd6f44c8704ac5fe29fdaa539c7cffc12e60bca04d12cce1fa148

SHA512
76b4861ed389a6053357598d0a3e98331e0e0e92dcd6bfcfc0f6702d0b96033a3e2706a246b5817384710aa85c9ce7be58c1a49297b4805d31fc2d1a1ad9488a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
17KB

MD5
3a4725b1046a15010db096401cb6b01e

SHA1
130598bf793ae8728a18445a5583fda10c93e5c0

SHA256
dc2d7f107e7541c73f83e0023ac1ff4cd63dd07d829044836945d8fde0efe99f

SHA512
c78fc2b1063cb72910a59300e1fae7218e4828e49ce68dcbde2820d8c18f5ff1b91de08fea9f156d32c898efccc85db423034ec0bb404598adb738cd4b3b0dd5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
26KB

MD5
93ef3adc0c5eb8ddb7eed3cd50bc9910

SHA1
4e11818e0ce9c8a44ddd60661ea053509bd52eb3

SHA256
217a67adc13d67800d39a53aee503015e8594cdb0d3f4b1c164f5d4312490cd2

SHA512
c504dfd2bcd6d26f2cb8595d8422721cb5de400a40e0dbf6e683feba0304679696d014833aabdd8e73fcc0a131deb9f5273dead655b35d8f28bcab74d2d916b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Filesize
11KB

MD5
eba53e1cc5fa6b50ef1908d7658aeeb8

SHA1
e30f6536998006faf0ee2969f7c00f701f30b403

SHA256
17a46e2dabab188c2af552b5519beab5a0925a9bb7bbc3147fdcb754bd738904

SHA512
a7fc173368a9234cc817db0e4302464c8c83f2203249521891789a63f757327b1ed1b9b721c619c8bdadbec18c566d8a2abd87c348edd752c340c3a631bce774

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\storage\default\https+++www.temu.com\cache\morgue\2\{c57a714a-7c39-4f3e-833a-25c629019e02}.final

Filesize
74KB

MD5
31fd883500de772311148bddc565a737

SHA1
4e7ef9e9881d1946c9a619f31f067403e5aaa8ce

SHA256
f1392ad0a099536b29375ed9fa9b779d382c6869485e044ffd1e4a78d2c2be04

SHA512
f4da4c85931b4fd8dec11227963ca6f5105ec6e44f5626eef3d32c63d258255d20f50ec3060f62056e0e0c76e39b9f6f22abb60fefe0a640fee873405b1f9c15

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\storage\default\https+++www.temu.com\idb\1322037025poafgnei-.sqlite

Filesize
48KB

MD5
e0240abd1fdc48892c1cbc38c5d45f06

SHA1
31ee74c0513b3e6887d535aa1f788788a7305672

SHA256
7ac6c23afb6ee161daca45a2c16928398ee6cc17adcad10c6081da27d2ce8af6

SHA512
ef30510a0b55317d3b4f264be535115b55fa9a12e9d6aa783bea1cc6d3152ac4363acff37edcebe21928af898c303c3f53e9097f4c42118c6fd389f507ff0eb0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
192KB

MD5
be1bbe7f9d9a9a15bde02b440ed41bc5

SHA1
03ff19a1d4c2c077f8d3e4e3fb1e62a8d2ab698e

SHA256
fa6e20ebe78e01513fd905527cdf38fcaa35a033d0def8f332488cd4b028bc81

SHA512
523f1dde049a05a6def71685fce7d0e0484920786e40c296c6bee536ef03c9424ce5d0a5806d1d67f7ec9f3333986cef4cef993e5aaf246cc2e4b600329ad407

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\weave\toFetch\tabs.json.tmp

Filesize
10B

MD5
f20674a0751f58bbd67ada26a34ad922

SHA1
72a8da9e69d207c3b03adcd315cab704d55d5d5f

SHA256
8f05bafd61f29998ca102b333f853628502d4e45d53cff41148d6dd15f011792

SHA512
2bce112a766304daa2725740622d2afb6fe2221b242e4cb0276a8665d631109fbd498a57ca43f9ca67b14e52402abe900f5bac9502eac819a6617d133c1ba6a3

Download Submit
C:\Users\Admin\Downloads\android-receiver.zD9IFExR.apk.part

Filesize
13KB

MD5
09221835278d41d84e73c4723577889f

SHA1
4c0b39ad9f554d1260042d53c58ce4c874e29870

SHA256
a2b03a299a1b61f3adb214788e913d47c07d4a430a74f268c0f6301c47245f3b

SHA512
91ff8d947ef6b72e3a40ea4670a704f028065925ba092dbd9072476183a617a791c5ef3c363745e00158599a32c4a41b8d4fbb92cc036c2978cb7dc80ec2d0ac

Download Submit
C:\Users\Admin\Downloads\vlc-3.0.21-win64.exe

Filesize
42.9MB

MD5
a6f92affb6ce711f9f5048410cb4bc32

SHA1
80d994fb95087efce34aeb4a98c8f4d7d2a035a6

SHA256
9742689a50e96ddc04d80ceff046b28da2beefd617be18166f8c5e715ec60c59

SHA512
1a8ff18e29514c48b29fab5ad419b506610c462c09891b4ba6dc0cee550d05eed03bed8d018b9bd61b3d81e1848da7845d53c1b01a508dd87381791541a44f2c

Download Submit
C:\Users\Admin\Downloads\win-airplay.VRhXf-SX.zip.part

Filesize
4KB

MD5
9f5ca5601d0d55d05939f8e32f979769

SHA1
8d77c5bc80651990ed78d3639036b0c2bbf6f501

SHA256
069daa3ebb744fac41075bfe2e4ae85ee3a9a6c0f6f3df8b8e0707f87e4a497b

SHA512
c4283cd73e236b705a2b4292c47608c478424176738e3ec85801ef7ad3b9444bae65a5f042de998aa78a111f7a7a402c11d735a678a6cf182aaf0366d4ab2013

Download Submit
C:\Users\Admin\Downloads\win-airplay\win-airplay\d031bbba323fd9e5b47e0ee5a0353f11-le32d8.cache-7

Filesize
1.8MB

MD5
428d5883562572a240d41dae7bd007eb

SHA1
32ab9222e15579b24906bdc821fc41c11ff9cddb

SHA256
6d2f765c4884c2b0104cc3a7bc73dd646f113ce5a3f0a30a2ab48d502e1989fe

SHA512
4c71f8565a24e60706cf84710da6de6d178ceb3b2a7954a55ba8ec93c91bc1a27ad5d627298dd5ae7686209ffc3683ac3420cf14bc6efbb4f0faa3cd2454b97e

Download Submit
C:\Windows\Installer\MSI635A.tmp

Filesize
75KB

MD5
6f8e3e4f72620bddc633f0175f47161e

SHA1
53ed75a208cc84f1a065e9e4ece356371cac0341

SHA256
2adf199f6baf245f0b07d31a3a1401d4262c3e6c98b8f10df923ceb2c937291e

SHA512
80187277e78f59b7ea71ed3caa55452e730d93b8c296d5820d470776a428cbb7e7fead87240e811436f85e4d89df2b9f31d6d16658d21abf59395cab7074a869

Download Submit
C:\Windows\Installer\f7d60e9.msi

Filesize
2.6MB

MD5
8dcf5c9eaacdaf4568220d103f393dea

SHA1
27f68596398b68ba048f95752b4eeb4aa013c23f

SHA256
53be81cc6e2dc95a1041e8f3d8f500fad4259ab20a1aac151b5fc7a64d354a93

SHA512
10f8ffb6fa5e7163f0a83190ddf211479f12e16635389b49ac041eceafd7f04c040d830065adc89b1003f38d8381851c09150a5bc8edced6ecae8ee5ae801088

Download Submit
C:\Windows\SysWOW64\dnssd.dll

Filesize
71KB

MD5
062373995eae5f0eac9eaa9192136bfb

SHA1
b421e274da7d34aba8bf09ec2d3e7b4a01392b84

SHA256
0392d5656bd677c4c5cb74c96e7b85b0867f2535a37950aec7f5c4a1a70d19ae

SHA512
89c01c6c0abb7462a0dff6d9d03141f5dc42d08fcb22e44e532d8a87dd9d8c7db2fc272a1a52a147645e54d0116db94878fedc81f5fe4e5bf7d15292d95b2b88

Download Submit
\??\pipe\crashpad_2788_XLIRVAXHEGCIWFFR

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files (x86)\Bonjour\mdnsNSP.dll

Filesize
118KB

MD5
40947436a70e0034e41123df5a0a7702

SHA1
6c27e1dd1c1533feb6435190a5074300ac2a9822

SHA256
5d40fd92da5ca59c1badb58ad509db6a6d613f18660a9a270a53eca85d34c3a9

SHA512
ba5634cc82f306245f9f0350bfa0b91e2f5ffc6c355b1452a95483f47e6acdb42c4e063f6c15115faf0f0630005df4fe8ef0e01539c270031cbd07a34a929704

Download Submit
\Program Files\Bonjour\mDNSResponder.exe

Filesize
451KB

MD5
ebbcd5dfbb1de70e8f4af8fa59e401fd

SHA1
5ca966b9a5ff4ecd0e139e21b3e30f3ea48e1a88

SHA256
17bffc5df609ce3b2f0cab4bd6c118608c66a3ad86116a47e90b2bb7d8954122

SHA512
2fbfcff6bc25461e7c98aabdae0efb33f2df64140aaf4b2b0c253e34294e1606077ae47b000ebababb3600bd4d9154a945036c58e4e930da445a0dda765ac8a4

Download Submit
\Program Files\Bonjour\mdnsNSP.dll

Filesize
129KB

MD5
f9d908de6b166dac9b89bf62fa291ce8

SHA1
938b53238291fc41ae852fdde51eed7a2bff0604

SHA256
d0a918ad60221623bb0278ea94cd6938744617fdbb2054968afafc2940648f02

SHA512
6643a7066974abfd5904df73ed225fd5eed4a84341b12199b6eb9a8a2ad234dba865d50f8ccff8a88002ce4c6ae2131745cf43aac88a3a0a66b596fb0d93e56e

Download Submit
\Users\Admin\AppData\Local\Temp\nsm68F2.tmp\LangDLL.dll

Filesize
8KB

MD5
6a4ce8d10efd06369f368898462546e0

SHA1
79b9c182afcfddb4687663f287327fb968731c1b

SHA256
42c46cde21b03935314697ef444b01d85e319fc443519bde35fec90c8b21fc98

SHA512
8a5f1d1bf6fef5ed5b51f41129715bdad0ebabb539c0260b080e567a101db7acdba722a9df5e55527ccdd2bf05a009bfee3c4a3745825c953f3348ef55e61918

Download Submit
\Users\Admin\AppData\Local\Temp\nsm68F2.tmp\System.dll

Filesize
28KB

MD5
4a82832a6209cdc3a2447ab2de137542

SHA1
21f334bf90566e3a94a712b68f2cbc32746711d4

SHA256
b07a12c5ced6a1ece5e7dc4103f8b3e15bf77f5edb70daef115b9a77bcf55885

SHA512
6bceff4d3eba26a84029d09f6e403f3fc0c95a744f4d6bfde22accf480a724a0f38960d848a5255258a6a57d3ec9b384847acf167b485ff67f7161aac04300f0

Download Submit
memory/4880-3089-0x0000000073E70000-0x0000000073E7A000-memory.dmp

Filesize
40KB

Download
memory/4880-3088-0x0000000073E80000-0x0000000073E8F000-memory.dmp

Filesize
60KB

Download
memory/4880-3087-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/5996-2884-0x0000000073EA0000-0x0000000073EAF000-memory.dmp

Filesize
60KB

Download
memory/5996-2885-0x0000000073E90000-0x0000000073E9A000-memory.dmp

Filesize
40KB

Download
memory/5996-2883-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download