hxxps://www[.]majorgeeks[.]com/files/details/microsoft_process_explorer[.]html

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-09-2024 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.majorgeeks.com/files/details/microsoft_process_explorer.html

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	procexp64.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	procexp64.exe

Executes dropped EXE 1 IoCs

pid	Process
2340	procexp64.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	procexp64.exe
File opened (read-only)	\??\H:	procexp64.exe
File opened (read-only)	\??\K:	procexp64.exe
File opened (read-only)	\??\L:	procexp64.exe
File opened (read-only)	\??\T:	procexp64.exe
File opened (read-only)	\??\Z:	procexp64.exe
File opened (read-only)	\??\B:	procexp64.exe
File opened (read-only)	\??\I:	procexp64.exe
File opened (read-only)	\??\J:	procexp64.exe
File opened (read-only)	\??\M:	procexp64.exe
File opened (read-only)	\??\P:	procexp64.exe
File opened (read-only)	\??\Q:	procexp64.exe
File opened (read-only)	\??\G:	procexp64.exe
File opened (read-only)	\??\S:	procexp64.exe
File opened (read-only)	\??\V:	procexp64.exe
File opened (read-only)	\??\Y:	procexp64.exe
File opened (read-only)	\??\E:	procexp64.exe
File opened (read-only)	\??\N:	procexp64.exe
File opened (read-only)	\??\O:	procexp64.exe
File opened (read-only)	\??\R:	procexp64.exe
File opened (read-only)	\??\U:	procexp64.exe
File opened (read-only)	\??\W:	procexp64.exe
File opened (read-only)	\??\X:	procexp64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
505	raw.githubusercontent.com
506	raw.githubusercontent.com
507	raw.githubusercontent.com
514	raw.githubusercontent.com
503	raw.githubusercontent.com
504	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	procexp.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	procexp64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133697823797383801"	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{CCD09F42-9F3C-4F08-8938-633441AB3211}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	procexp64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	procexp64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	procexp64.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\ProcessExplorer.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2340	procexp64.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	3448	firefox.exe
Token: SeDebugPrivilege	3448	firefox.exe
Token: SeDebugPrivilege	3448	firefox.exe
Token: SeDebugPrivilege	2340	procexp64.exe
Token: SeBackupPrivilege	2340	procexp64.exe
Token: SeSecurityPrivilege	2340	procexp64.exe
Token: SeLoadDriverPrivilege	2340	procexp64.exe
Token: SeShutdownPrivilege	2340	procexp64.exe
Token: SeCreatePagefilePrivilege	2340	procexp64.exe
Token: SeShutdownPrivilege	2340	procexp64.exe
Token: SeCreatePagefilePrivilege	2340	procexp64.exe
Token: SeDebugPrivilege	2340	procexp64.exe
Token: SeImpersonatePrivilege	2340	procexp64.exe
Token: SeSecurityPrivilege	2340	procexp64.exe
Token: SeDebugPrivilege	2340	procexp64.exe
Token: SeBackupPrivilege	2340	procexp64.exe
Token: SeRestorePrivilege	2340	procexp64.exe
Token: SeDebugPrivilege	2340	procexp64.exe
Token: SeDebugPrivilege	3448	firefox.exe
Token: SeDebugPrivilege	3448	firefox.exe
Token: SeDebugPrivilege	3448	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe
2340	procexp64.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe
2340	procexp64.exe
3448	firefox.exe
3448	firefox.exe
3448	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 3448	4124	firefox.exe	90
PID 4124 wrote to memory of 3448	4124	firefox.exe	90
PID 4124 wrote to memory of 3448	4124	firefox.exe	90
PID 4124 wrote to memory of 3448	4124	firefox.exe	90
PID 4124 wrote to memory of 3448	4124	firefox.exe	90
PID 4124 wrote to memory of 3448	4124	firefox.exe	90
PID 4124 wrote to memory of 3448	4124	firefox.exe	90
PID 4124 wrote to memory of 3448	4124	firefox.exe	90
PID 4124 wrote to memory of 3448	4124	firefox.exe	90
PID 4124 wrote to memory of 3448	4124	firefox.exe	90
PID 4124 wrote to memory of 3448	4124	firefox.exe	90
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 428	3448	firefox.exe	91
PID 3448 wrote to memory of 4652	3448	firefox.exe	92
PID 3448 wrote to memory of 4652	3448	firefox.exe	92
PID 3448 wrote to memory of 4652	3448	firefox.exe	92
PID 3448 wrote to memory of 4652	3448	firefox.exe	92
PID 3448 wrote to memory of 4652	3448	firefox.exe	92
PID 3448 wrote to memory of 4652	3448	firefox.exe	92
PID 3448 wrote to memory of 4652	3448	firefox.exe	92
PID 3448 wrote to memory of 4652	3448	firefox.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.majorgeeks.com/files/details/microsoft_process_explorer.html"
1⤵
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://www.majorgeeks.com/files/details/microsoft_process_explorer.html
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1932 -prefMapHandle 1924 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1764e25f-9676-4932-bd05-dc64f73b681f} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" gpu
    3⤵
    PID:428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 24522 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50e913fa-83e7-4103-83a2-b0f674e6c4f7} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" socket
    3⤵
    PID:4652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3192 -childID 1 -isForBrowser -prefsHandle 2836 -prefMapHandle 3272 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {403e5574-a7dc-4e9c-819e-de2305656f53} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" tab
    3⤵
    PID:2844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3812 -childID 2 -isForBrowser -prefsHandle 3804 -prefMapHandle 3800 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e8b0636-20d0-4c85-aa56-96bc1a0e197a} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" tab
    3⤵
    PID:4520
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4600 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4648 -prefMapHandle 4644 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd6fdb36-6bac-4611-8c48-6ea16a6cee3c} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" utility
    3⤵
    - Checks processor information in registry
    PID:984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5616 -childID 3 -isForBrowser -prefsHandle 5676 -prefMapHandle 5672 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdd88f9a-d4e8-476c-9eb6-ea85fb1d18b6} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" tab
    3⤵
    PID:5160
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5852 -childID 4 -isForBrowser -prefsHandle 5860 -prefMapHandle 5864 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6f20c94-9c27-441d-ba9c-383d015a8127} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" tab
    3⤵
    PID:4912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5940 -childID 5 -isForBrowser -prefsHandle 5840 -prefMapHandle 5844 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68f886f6-6a05-452f-adef-739096caf88b} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" tab
    3⤵
    PID:32
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6148 -childID 6 -isForBrowser -prefsHandle 6300 -prefMapHandle 6120 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d11ca8f-e560-4a13-ab3d-498ca325cb63} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" tab
    3⤵
    PID:5284
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4072 -childID 7 -isForBrowser -prefsHandle 6524 -prefMapHandle 4084 -prefsLen 27132 -prefMapSize 244628 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4b64071-c47b-48b0-bbcb-98e0c929e49c} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" tab
    3⤵
    PID:6024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6580 -childID 8 -isForBrowser -prefsHandle 6592 -prefMapHandle 6544 -prefsLen 27132 -prefMapSize 244628 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1655f6e4-0531-43ef-bb03-ac7374f66abd} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" tab
    3⤵
    PID:6040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6832 -childID 9 -isForBrowser -prefsHandle 6844 -prefMapHandle 6840 -prefsLen 27132 -prefMapSize 244628 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aea73ec8-bc8b-4a4e-a9ab-83b4857543d5} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" tab
    3⤵
    PID:6048
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6604 -childID 10 -isForBrowser -prefsHandle 6504 -prefMapHandle 6472 -prefsLen 29278 -prefMapSize 244628 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49ff8070-d762-44d6-8db5-c6dbc2fcd764} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" tab
    3⤵
    PID:5932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5980 -childID 11 -isForBrowser -prefsHandle 5204 -prefMapHandle 5208 -prefsLen 27211 -prefMapSize 244628 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d89b05ac-fe68-406c-a621-ba0259f48948} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" tab
    3⤵
    PID:4432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5800 -childID 12 -isForBrowser -prefsHandle 5516 -prefMapHandle 6128 -prefsLen 27211 -prefMapSize 244628 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0698550b-a790-4563-89f0-c7cbf9e1e3ba} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" tab
    3⤵
    PID:4476
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5732 -childID 13 -isForBrowser -prefsHandle 6108 -prefMapHandle 6088 -prefsLen 27211 -prefMapSize 244628 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d186caa-c3ea-4449-bec1-34d203069f58} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" tab
    3⤵
    PID:5580
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6668 -childID 14 -isForBrowser -prefsHandle 6676 -prefMapHandle 6548 -prefsLen 27211 -prefMapSize 244628 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20d00ff2-2816-4bdb-a9d1-4af93434473c} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" tab
    3⤵
    PID:5548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5048 -childID 15 -isForBrowser -prefsHandle 7716 -prefMapHandle 4532 -prefsLen 28094 -prefMapSize 244628 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7b02352-ef9e-4c1c-83bd-b860bbb0f53b} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" tab
    3⤵
    PID:6868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6136 -childID 16 -isForBrowser -prefsHandle 6208 -prefMapHandle 5968 -prefsLen 28094 -prefMapSize 244628 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ed242f8-9541-48b7-8f55-2c026350d617} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" tab
    3⤵
    PID:6608
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4992 -childID 17 -isForBrowser -prefsHandle 5588 -prefMapHandle 6260 -prefsLen 28094 -prefMapSize 244628 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5bdbc95-f8ad-40d2-886b-0023029540ec} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" tab
    3⤵
    PID:7100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4400,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=1436 /prefetch:8
1⤵
PID:2396

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6012

C:\Users\Admin\Downloads\ProcessExplorer\procexp.exe
"C:\Users\Admin\Downloads\ProcessExplorer\procexp.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:6072
- C:\Users\Admin\AppData\Local\Temp\procexp64.exe
  "C:\Users\Admin\Downloads\ProcessExplorer\procexp.exe"
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Enumerates connected drives
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.virustotal.com/about/terms-of-service
1⤵
PID:5692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4000,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=5112 /prefetch:1
1⤵
PID:3308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3960,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=5140 /prefetch:1
1⤵
PID:4912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5380,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=5444 /prefetch:8
1⤵
PID:704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5384,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=5596 /prefetch:8
1⤵
PID:2764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
PID:184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ffde283d198,0x7ffde283d1a4,0x7ffde283d1b0
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2296,i,9679450456908259176,698139168159272433,262144 --variations-seed-version --mojo-platform-channel-handle=2292 /prefetch:2
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1780,i,9679450456908259176,698139168159272433,262144 --variations-seed-version --mojo-platform-channel-handle=3156 /prefetch:3
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=1940,i,9679450456908259176,698139168159272433,262144 --variations-seed-version --mojo-platform-channel-handle=3124 /prefetch:8
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4544,i,9679450456908259176,698139168159272433,262144 --variations-seed-version --mojo-platform-channel-handle=4524 /prefetch:8
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4544,i,9679450456908259176,698139168159272433,262144 --variations-seed-version --mojo-platform-channel-handle=4524 /prefetch:8
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4272,i,9679450456908259176,698139168159272433,262144 --variations-seed-version --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:6980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4752,i,9679450456908259176,698139168159272433,262144 --variations-seed-version --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  PID:6988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=2148,i,9679450456908259176,698139168159272433,262144 --variations-seed-version --mojo-platform-channel-handle=4156 /prefetch:8
  2⤵
  PID:7156

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe"
1⤵
PID:5844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\4b987d3b-1bed-48c2-baeb-5592767dc215.tmp

Filesize
2KB

MD5
a04a3fd1da9e3556d6d54d015dd1e497

SHA1
7811874e5542b40b31127db1d20b153c45269965

SHA256
26ff55832534b7cc211177bbbe6a767f32d2f6e1c461a2c449e87d171399edb1

SHA512
092feeab8276d9bd122d15d3cb0cdfb5374c6d2fad28867079328c61274da65718ab050c2f4a54429a7a15e1882555814e83a913e79263b2fd159cb6f972d14a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
b2445b0946ed5825f69636d3258f0013

SHA1
23f508bf4a18034ff2ee42bc6f16d7d22a4cb2d5

SHA256
4d1cecfc61a522a34991e657e502393e2eaf51ddcecd36f3a0ed881f3683343d

SHA512
762d81d0a878db5f62762d3f855fbc688fb25791583a4186b204319a842806ff29e386bbf687a39ca6bf96756743009388fcb2aba6086cb407a5a6ac96f83e90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
30KB

MD5
e809c2655bfab723b72598700f7f42a1

SHA1
065078a69177ac32f4bfc3bd6623d93c0efe3787

SHA256
1e4529a5c1ed38977f82c190e7ef6dc6fee14804c14c055b7541c18f3d8f8c5c

SHA512
ac49b2da2c9b3fea0dc1e3329e67df73c8f406f97ecf39a28af26db2b02013f49cb5dc5ab0e347dc851b21c6cb7e8e214c569dd3f85815fbbe533b675c13efba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
44KB

MD5
e6a69c4a9931aa6d1fc342878c6ee3a4

SHA1
130ac41a521c84de0b41d47627a63127dc5aa8c3

SHA256
0689de4eb1708fddd61f0172013d4ce81862146926ff3678230401c0c91b5b94

SHA512
6331281cb724b631863067d9a6c7518b60a43937b9d5c784148cd8598568c6b33a135dc622d4f818812a54bc2360b3efe7d9f045ec9c7567a7554a27812f3892

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
bb3333b25680cbc99938eda1d453cfae

SHA1
63392c829d8c045ea8da1753b157ed822b77a718

SHA256
74f837bfbef3ef532a5128a024d401338fa263cf4cf8a596c95c4edb4708b08f

SHA512
dfd842889319252469da4a4f6183e817176dde7c6cf12eabd66627059adec258f79667d8850241d662cd14067f7b2aeaf7d133aecd9f8efcc9a1105c364d6ac4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
36KB

MD5
dccadb620590fa0369f3bd43aef82bb6

SHA1
4f611e48b148acad71bfc6c9da0f8e9d8dd9f623

SHA256
1537cd0463026438ae78cad34ff7b9d0232c1e16fd8bf0b439c60e048a6ae383

SHA512
a8c530927495ae1ac1bbd446b24baa219cbe8dd4b55f8bef7142c83484ac488b7bf8276e209c4cd2b1097039fdca17a700981f5665fc43bf3e98e132b1f851c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
f22bbbdd00ee35e41e89a505e5e1a9af

SHA1
996ab349a81697e31daabb31bff7ba2e083d3e82

SHA256
22bb060b603cdd384dad590ea32239f8b0da58e96db0ba9f8301e9337443429f

SHA512
0a37b3b015a045b3d985c40eacafd190248635776b995d5cc5ca690f61a2193b65ff7d9543258dbd809bd620c48ce0a8729e0906a05910fcedc1b339bb44a2b5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\doomed\25391

Filesize
49KB

MD5
1621b03363f09355a724cd982a1d988b

SHA1
37df6bcb5cf6a654fb02f4b41d5a316bfa02c010

SHA256
13e014d217ba05398cb7884b41b4ff10ee7208226955c139531f425e29f57c2d

SHA512
df5fa21e7c6dedce0dba7f6e45d84dea344a5c0d72db2ca6d66aa5d8a93fd663ae6ab4e8152ba853eecdaab66c75e3bb1bd91ece0e22ec9d0023b21630f23378

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\008802C162A9154F535C2E29053C9269F25FAFDD

Filesize
150KB

MD5
fb0c0afc9dac647e1ec60628a95b7f1e

SHA1
317c9afc7cd75ebb04175a2f5a209ff0b54ea046

SHA256
a98d75ae0b2498ecf401b9cd8db3ea0beea6271c4b235cb171bd07e2926f3a39

SHA512
20597c2b4de882b074dab8a456805c34183a7d36c67cb24d14d3185390b8b57b5b0d92ed5407bbd008f3a0b905c344a22bdf2bfa5b97799a539add0e550da45e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\22BC66147DE4D9CCB3F524F6E89AC26C10296C33

Filesize
40KB

MD5
fb66f9db802785b68704969097026b95

SHA1
c5aa64eff4e72fd3c3b25152bb6525aa0464370b

SHA256
b24695ff53b500f7cbb11a9500fecca9b150b6affa862f83b0ee2e531ae45b84

SHA512
6a30ffcd79bb6a8dd836b2123cf8c91dc7f0c78f2db7fb9517b6e8b51569c1fb854ba98eafa856b327d8a579ffdaf755a304e7ba508d5dc1dd79f0f981fbc536

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\2492994A253B970917AF5CDF605580B1C2DC16A0

Filesize
791KB

MD5
aac2c3360572acf77c04a237328d1d46

SHA1
dcc7f8c88d0941aee23dcd8a1f534f3abb482da0

SHA256
b6f858afeac4a90ffe9a8616d3e8c833d5d575bbc5d77c9d40ffe1a464da1e4f

SHA512
de887c2c3aa80adfd182ea1749ef4697d9e31175050789d6021396c84a18d5ff6d4bfb669c97eafb517ad673f2cf1d01ff073d313ad68c3f9ddeead34bfe5fea

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\3B5769283C179770F2CAA780FDC2929B4B9E5038

Filesize
13KB

MD5
c12c689e3eddd6aa1f35d110852edcd7

SHA1
a52f1c3b7887e45b6925337a33e86ffa5323b216

SHA256
9d1716bcaedfe3a0a22eef496c84d5d0bff6943de3b83d124e1284dd44866c50

SHA512
d9719bb73b2b0abb572afee4cf2ea32358a472c49030151f1bd757b7facd693b071864c304e8f737571ce4309b51b0408b0eff0abb3afa419fb6b3d04aaf342d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\4BCF7D608B2663D7D1515223C0F13E5D72484770

Filesize
80KB

MD5
174a7a6496967eac00992dc25e3844a7

SHA1
ae92aea9a1735a0850866e4698580fe2ca85ce2d

SHA256
51c1b6e07d14c28202fb2c04a17641f648d644a5e832ec66bedd1e0f52ce0c26

SHA512
dee919c40f91ff02bd61b00983331d2035e058834e4599d0ab66f5b2b1eb8ef29fd1517213c18eebecc5b8f0c4f7196f5bcd727756c9c83fb25955a202e2dd28

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\4CA2E679CEC293F142684E37B6B4D5F01FB00E81

Filesize
41KB

MD5
121d41464b8b2dc9bf4891d62cfb98c9

SHA1
25482e5392dba715a7abd1320476c039cfdfa2ba

SHA256
6286a316248345d8e753def4884987b59c8dd8a6a5a96efbed1998567ace90e7

SHA512
54e82cc0f95698de37b7f5680344dd1aeec8c327f9d7dc046ca2857ecc5bdbf0d1fb8377c23cc0b769fe23dc0606552cb61f062216fb4a653e865e74ac13c4f5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\572F0ED336AE2650801061B8F31BB2D7362D6B9E

Filesize
187KB

MD5
710c6b6d061158416fad130be7ad2ce0

SHA1
d16238f6f8cd923a40a8c43c18e5d0cc1316a758

SHA256
9a73ad65c8713dde5fb4bcb394e105b930b4afebf09ebc4606e3bfc5262a0ab3

SHA512
c414af1635a90238d21a31ce7152949ce263ce2f42bdded85bdce7dd90e9137069859cdf4e33596c883364eea2d627e64da9e934ec117e77f45bb2c50b0d482f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\635B48880E56C89BCB1EFACA38CA66013A086AD1

Filesize
30KB

MD5
5860cb9c3f3c396227d3cfc05b261bbc

SHA1
6fa485460a7c6ac9a560dedbb6142ecd17004105

SHA256
b2f9532f6ad8abfc6577831937ae77165cca808d9309cc5eec36af1d800b9884

SHA512
a19d7088f4cb33148592c318cbb3675509edc3bdfd09b449b37174c97baeb9073aeda0875b53a86de51b0ee2f2f534f433c9740c4dc85b1d89c84bca7a55bb85

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\6DA69A746F9687E1FF413119EDE7AAED2F9783B9

Filesize
2.1MB

MD5
4fd84d5d1fb65121310532e6bf6fbee2

SHA1
1925b8d6a3ed533e46abb1bc15a775c9fbf22786

SHA256
b17f785a993bc1b76764ec386739f5838431f26f9d99694046c38357d353afbc

SHA512
6013e6653e9f5c8ee0902a369047721fdae18449cec993f20c18c3cda96fd263026d2f02d6fea6a6920845546999057b03a3f341bc3d2ae1c3390e005150fc2c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\7F30F53457983F11F2D61636C9FB5706ED9AB60D

Filesize
95KB

MD5
d16a6e3b182e8d10117f232150329d22

SHA1
b7b6ab62a6b38fbf4f6eeb37b90da2bce95fa634

SHA256
58a6f36e8e9a2a0ed7701852a17e04269246eb494c34d10ff7b93ce961b3ea44

SHA512
59db228872b0c2b16d28a5b2dff4ffba85baf190482e2ab2d471a7542bf351fd73e54f2e4214619abe77622de3f8898ddf7de3ce1176292aaafcbde73d2bbd2c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\878D57D194D36A5530D4BB67461357E393C85A3D

Filesize
106KB

MD5
7acff7478d17faea34db6609be9c0632

SHA1
a345239b30898bb81472a3f92a1c292cd5b1d068

SHA256
81a34b9ec667f866553076dcf096c01f89003fecbc1367d35368218f39477585

SHA512
49b54311d945efca9300a8b6306cf4a903a855a21ce91a364e32bca3935b1f925100005d04c4f0b4d97780b403f2565b3bf73d56990c8016038d2fd8131d0e38

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\9695EF6C5E0CE18BF6742C5C0EE08F02BAE83E2C

Filesize
20KB

MD5
05b19c8769f90d6062ffe899565a5b38

SHA1
f0297a7c04476d352621ec5396292321c8e01558

SHA256
091d8abb31e9189e8b3ce10af69d73653d9bcd6980fd7d17d036191768fcd865

SHA512
1d52affd0992a5a571200af66d550471a792e5282d1ae7e61c86f7023960cb331c7bdf86f138eac7faf012a7e05bb2a07fdf9a0b2260827ae62c5665f3a3ce53

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\A7BFD7F859FEEF756C6ADAE32A931308CD5C619D

Filesize
42KB

MD5
c8ca2a62a6696b9814229870d799fcd2

SHA1
ec319157d562a193364f09103ab8daed90dd9813

SHA256
22d596f418bdddc127ac4e13d174b312925ba6431488a5828b11e59f16903c53

SHA512
06a865cd7fbb89fc9d44c7e7c263e5ae83304da2604812aff13b9e437e473086e19fc8e98bf4f6849489537dbc4d9e7d61926b7581995cef2281be47825bb95a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\AC6959268E349C7B5497A3867D6DCDC4D543431E

Filesize
86KB

MD5
d3319ef2b78b59030cfd0633bd632632

SHA1
01d728c998b9bccefebd8a9b51c0886365a62b84

SHA256
7954f7bd083090205cb2c600f452aefb6cc4b2c64f320d7a5140e8f9b3b4c938

SHA512
a10bcfd86d44c76e9e7d12fbb29b329cec335c675b67728c18fb52bc97cbfd0db14c2ff3f6c0504e9b19d24d6a59ae9ec4235b7b92900d4d8b4579a78e42927d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\AD8185C100979BEE2403BB5F3C0072BB1D314C2E

Filesize
71KB

MD5
e26817780eba1fde59d7d8757cf23275

SHA1
b33ab8ff64a09f73f29084e45fccd35a4e233b34

SHA256
a6540b1e0eda0c243566b2624f7ac2cef802738a6311a63d5f9ddddd4a5506fb

SHA512
e59c065d1ddb3f64575bf6d3e14621397a2e864e38cfb1eab65c54b373d73af1cbe429421ef5e9b89f01f3262a3124d799969ab1c93ac6e6340cfe1b58796404

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\AF6E7B7DB9908D7B867517AC33D094ABD56E38F7

Filesize
81KB

MD5
6bbdf493fda0b3877c2fabd4029ffb21

SHA1
034b11f23d12e9f25f0695dae4c717d910393c3f

SHA256
4ce90c0e9313d8cdb064080857c00fb5f336fda38a8b6bbd519ab44589753d8d

SHA512
59ab42b2137eb0be03350229a690b2449fc7a01144b629b1e31442b0430f78101155e1f3092d9b94dfe9c8f04c2fe71ba5208d0c14708e3b817d1291345ce934

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\C3C1B73261AC1D76E896892B7C9776351D4E38E4

Filesize
32KB

MD5
32301683b8f04d6983ed29a4bce3a9d6

SHA1
8ea787b1bfd67d90c4ce8a644df58345c7e7800f

SHA256
f828e045132eb4c9d335d2cd54d04eb98a3f2d38326e9bb879d4b9e7c0285e2c

SHA512
d475270232309a7a9f481a237d19183e4d6372c96b130670791bddb8d9e6ce961850fcf9643d30d05652303b3f5beb22e3fa6361d0a30f2931f1990f25ccf329

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\E2E8122A6253CFFA077D0D33D689966608450980

Filesize
110KB

MD5
d9e64f519d398b9c54fa1817ca5a77ff

SHA1
79125ed57af2c87fed08092f38392b71d5fde017

SHA256
33b50dffedbce2c7cae3e7ea94956861fe7e9fa295ccf75ff9e531277a1b30ce

SHA512
c88233f851dea27ceaada7670eb809c94af6afb5e02c942390adadb0e37071c686a467cd94f292c4230f068936184d224b182c951f683e1310bd66ad498d2a07

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\E6C22A3DFCD18E3C6145370266896FF76AE3F7EC

Filesize
14KB

MD5
3830eafbc08b38151ee4b0fba13f2a6c

SHA1
44ed74c548915f13c6d5e6cf4a91714affa34671

SHA256
afe59d3765b5890e0f5493fc6a3422f0cab01737a6f6a84a5dd359fd8a0afb50

SHA512
66655b6f6110aa4d09c978dab94ed345e545e3b46d4cab9476b6dc5ab138228339bc9a1ee643b085a2ca3bb538219aa0a3fdd28038dd8d09ed1bf61961ec2ba7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\EC8927C51600DCFB101869E2BC0169F040E712BF

Filesize
12KB

MD5
0f50df18c3014a3599fc1b4bf07613ec

SHA1
5e304cdf777d68f943b74298a642921ea9841d0c

SHA256
11f1b5dfd03776f669014fa4cb85a9ee80968d1eddaa0afaed6929e65900db12

SHA512
272b6fa8ecb148ee54138b6e630ef38e7fb3e88c496e9b40337869411d171168ce49852cd54212eceeef45bcec279ee54c062f09e59d7090424f336c714c8b74

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\F5A1FBDEF4E6F115791D6C8EF1598942067B8080

Filesize
79KB

MD5
0ace2536cddab9c80e1b79e331880b9c

SHA1
1c6e202fc9330efa5e629a5e91e070a2ed06e999

SHA256
9a98e283681e0740b9535142036594fa3e272fae15d5ce6b6ac5034cb022eaa1

SHA512
bd63aaf67b1b3290cf3789c6941fe12a527e2776798cadc846b1b03167186ab6817dd13c25d2e63117ac21e35a304ef1b664f853c9be8fac1f5c75d53c543609

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\FF405EA908A0CDBF948198368567C7EC073C7A02

Filesize
123KB

MD5
bec047508a7d2738be11c3029fd939e6

SHA1
4b121c8566adceba561b74cbb08c90aa1ea5a816

SHA256
7653f180d3ccd78485e2d08eddcd8fbfe0ef08877ebe90a407505d946fefe0ca

SHA512
d8f6453980df9a906bf7f119a6d91549dcff4d0c4c9d969f8f4ecd3dc4bb97d31d720f9c1e89c1b9092d077a603ec1fa9d3744031ac2961ad5e2089866646996

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
7KB

MD5
c460716b62456449360b23cf5663f275

SHA1
06573a83d88286153066bae7062cc9300e567d92

SHA256
0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0

SHA512
476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

Download Submit
C:\Users\Admin\AppData\Local\Temp\procexp64.exe

Filesize
2.3MB

MD5
dfeea73e421c76deb18d5ca0800dccf2

SHA1
0497eba0b24d0f4500faad5ae96dbebab9c64608

SHA256
8158dc0569972c10056f507cf9e72f4946600ce163c4c659a610480585cd4935

SHA512
23ddc9f28314d4cf3b05d88b9e0b6fd69f9804f5e9c3f7703258ff2c5786721061321379fde53e21048d3c7cce1ff71e2872d48dcc580d059397fa0692335630

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin

Filesize
6KB

MD5
5a1692f436aa8c73eace462ccfcf7419

SHA1
40ca574a4677c1ebb6b1c97d765eb15b17537528

SHA256
808c484da31b0ba225e38ed0a9e4dfe55639b7e1caa9a831b844062d69cef739

SHA512
be37bcc936395b7b12e7c1bcb2be7ad75457ce62a2d9d0c363301ca2c229e81cb925aee2e6f09f80990ce93273bebb11529a9a575f02ddb9483909a356083b96

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin

Filesize
7KB

MD5
43bb51183919d0f95b0de91f12fcbf06

SHA1
06d20b4e3309292564d041f0302859018ecfa228

SHA256
bcf2313f6b388bc2ff354bddba516707fa64cd55e3285b8c6fe8977c7dc548ed

SHA512
4bd8b4021d8a1110392e7df1b1c664eaad3e3c103ff6591cf826ae8d174cb3312e53b2c9552801a13b85bf8ab8b9069c937caf54ce9823977b58da39757d289e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin

Filesize
37KB

MD5
1f42c499ec37135a44cc8f462e6b6b83

SHA1
c50644105b54e00879cbe85a9458e585e823b544

SHA256
ce07fcd73ea72ff3e9c04981a4c8c0ba0523bfc8913119eb311e5131024ae890

SHA512
3fdd103029f778f829c45803246de1368fe3d5d127330a3d8b100a36a0d312236a9874b8b7b1c8154d7f95f1236104682953f7881f735392ef629b05ece6b03a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
91b83922cf666ece48edbae418a7c7d3

SHA1
5d2f64e8bd23f5943419c637578bb9ce2b75a0be

SHA256
421c23e142ae29921904ee827c5cc8ddb0ad3d2c664e0ea5dc614d51a05eb00f

SHA512
4179bcd0c6031134d9c94d5abc2071c37ecfb0c06a955f3e2e9c4455c734a4e43df60763a7a866c0befb466c8a58aab4e32b34a0ffb78ca343e10e636a307b67

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
c0796030ec2646cf59407c6e158b6ade

SHA1
a252c0244f7e91f40972ef4571a83aba17082d82

SHA256
ef996439d780d5334445176f993225da07fe72ad7125a458f3c12fce5eb3832a

SHA512
7bf20f2f164e1aa10dc01754ef9d87a689fd2ea1e1292c7ae7fbb4948692cf3cbada74489bac38568a7f4afe1695be73a6f6c54282373567724f982866528d3e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
a38920ec35b27d2d98d7907639e31531

SHA1
befc653683f5afb4f3173b2afd48a9dababf2e53

SHA256
d4604d6d6d46de42aecffe9a2552140398753d2c4c1c5166f53cf32865a3773e

SHA512
f9a23ed31cc456e8f3b514b3856257f0ce220393d574ba33493c8af627d92c97eb59652959c8c10047753f550ac14e88854c7a84c6c5372c0af1156bbc9b7100

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
8add9ec958326cf2c0ef74646ed792cb

SHA1
f82ae7121ac391c6c03895c6d737db11bb4138cc

SHA256
688c9f57c75cfc8d7b45704e1d2d64954954489b1b44f3fc6c2b4948046237eb

SHA512
11df6c54cdb76432d946a06ffd020d5822b82e09d04ce9940eb499f8a50d9013c68bfb4db8f68effc92115085ec0bf3ff6c7604f4cad9f626ba85e21e1341200

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\13fbdcab-76ef-46c9-b9c3-4414c614979a

Filesize
982B

MD5
c5f334f39e161e04809d2a47588e8c99

SHA1
a86a8cbb6a44a558aa75de34c875d3ec158214fe

SHA256
a84d836c4c68fa1fecfdb4e2ceb1ac02d5ca3149d6fe719900832fd1615c07a5

SHA512
b723dd8d3e6ebfed1c8efc901ff1c44465e9a76177fc94777126428a105e6eba7ee008a7952875758967a7063fd77b3e1a4b901d01852141ebad6847fe6f2025

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\61ea0a59-7c74-4f8e-b81a-5de2cefa9aed

Filesize
671B

MD5
d47b2e80221e3fc7296b5066abb74af9

SHA1
50421191a688250d38b139ff3d095e5915c7ead8

SHA256
7aadc720a1e8fea916d262624588993582d7b51b8983b31452815396472f5a14

SHA512
0be7286d7765d425f3ff5ff77d5f78382ebfc3542b3543abea5536f0219472f02009d74f588863b865c8efa6d4fd48f5492eb886f0c7e53511e7aa186ea458bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\c1c8ed8d-581e-402f-a743-1737e88f4d49

Filesize
28KB

MD5
23dc122bd0eee2e8afa2859ee68cb1d3

SHA1
0950523ce59c274b3a24c2c8aa095593769d9483

SHA256
23b939bcb171226753f1d583bdc9efbf8a3eece61333125c2454a46a2f29f03f

SHA512
f91e48de9d8d37f460ad78897a256950456c67c893ef4f0742ddd5f18039b89d51582e04b75c3650cea4cdb1820a20a578c4d7835fae411165c9b795b16734d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs-1.js

Filesize
11KB

MD5
bcf328f5f64c8d4e2ba5141e82309d87

SHA1
4881c70e908b2361fc1ee66230f13c04694e60a2

SHA256
3d5e3bc6e0001d7ec1521ae1eb7705c736171371946e45f7789109aaa369b88c

SHA512
67e6ebb0b429f5cb4b75d348a05e2703ff1e4552cfff2a11fa71b01e96e98482ac08954fac4dc9ab1f878e08c3c060c1fbd63092dfc0a53c1c86044a3debeeb6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs-1.js

Filesize
11KB

MD5
1bd6ec79c98ece779668dc69efef1ebe

SHA1
d8d477eb4343396e0e0c75358d4203115c049552

SHA256
265df08a0df2eef1cb840e7b9a350a3b463371b254c5a46e26fd73ebf92ca7fd

SHA512
ae1b147478ffcc17cee749922442f13ac8a533b0ec7ebe721db25bcac1a90f53b3417d8ec0e8dfc42a7eb71aabf071794851ae23fa0bee7dad7b4ec88df03aaa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs-1.js

Filesize
12KB

MD5
db2549450e6b888aa3d7b5f806671e67

SHA1
40b59c0f9e0115046fd148ffe10353e9500e42ac

SHA256
b9a1bc0fdf32da065cadb0738e787fdafeeccb22d63311edb65c3f5556d6f839

SHA512
4b7a2fb28f5c361895ded9ab6608077f7bb3218a7f60f850bd86d58ec4a64697d893b772f9630cb796f9ef9deae567179fc65cd2f64fd1711228245781287645

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs.js

Filesize
11KB

MD5
949d3e787442637292417b1a38b72d68

SHA1
38444797a501fcc88af867343e736e2abd6f2c45

SHA256
d7a7e186283fdaec40f736af8cae099f6bd5ec00e3df5a316d6698164fc12298

SHA512
ec3fc4d861b6d9579baf50b94b21a898bcf4b8b23b377e814a6d265bfeee556a442d4f9d3f92b15fec2543e5f32da5ff18118b352ae04f6bb56d3e755d8ac37e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs.js

Filesize
11KB

MD5
369431562a58b5efdc99a6748b35f94b

SHA1
e0733fcda509b033bded1ce85c4b0a32ed02352f

SHA256
67cb8d883423393d8a4732542ee9f47dbdaee68d9dc1ef35d8dac550a975dc5d

SHA512
721bf9f952b3fd2130ae26043a1e2bbf923bff2a8dc4f93d59ffa4c6b86826d93736be1cf5887cf3945c0475bc35d11896970ad7773d1875c73b5f32cfc994b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
1dee38e06f44829acdb37d43de04ddae

SHA1
58c3cbe6783ad492afd6c894e7c9eb2f3c387ea6

SHA256
0243947ef2de482e69fe2cf644d5636d7555fa6cc7663856c83af71a3541bafa

SHA512
cccea1cf2a3e3c121056ad8968528578e463defc2e7422a12d278679d6643f44ba52f6448278e716aea064ac3f667dc7339bbd96c9a4871c5e019f16c83955ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
455142a48912cb4aed41fe2ac0f6d11c

SHA1
55cd1f0841e731117bad28449b129ca1a13a38fb

SHA256
b59e8a4bda3da7096edd9534e76410cbfbdbc6279c1c81619d6688a08a34d6fe

SHA512
d6139f84e8ad18bb1a85b12b426bb4878d64b1b6932ce1f20d0235e886519c0b7515ca459ddc81b62fbf7ebca32385a6ad352fbbef5178af37693676b7b43d54

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
b078405197a4d9700b20681da620351b

SHA1
20441b0c651d2f1254a7961a22a7c10c69612da0

SHA256
ea6c114540259f6076b8a2373f09c6e95a3e3865adc32c340fb5e62b181ee081

SHA512
2d3c2d891c0887f1d5fb04fff46d1eacf218fa382298d20ff88aa6edd2f0ff574cb56ddf9e01f4b5e57d9e6408bda69934465b87d09d6531d78a2b8bc8f3dc69

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
1830b03e7612b3aa1b5464d8c3cc7ad6

SHA1
a0724cdeee27e73869fdda132dd7c28147d4e411

SHA256
6972a41874aa9541414da737811d8ad0beda0e21dd3dafbe995c99eb5f38d758

SHA512
a893a486e7958b595f98f37632e438e16f935223efb29244957b63dc29395d5cab60606647c7f13af1806aa837280637eb8e59ef228e6d1e17f1d161aa9e826c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
04b0eda86718f7375de1f934159d897e

SHA1
3258e3d55423cfee7a2377d8038ec179e82a7a1f

SHA256
e641dd178655497167c108576cedf42c4b780b2a37617cd9cb6f08ec25f181c2

SHA512
fa639aed111cbee0d8490e1052c66ac36f5a21e94cc1c14f689eca078322204e116ac8f82e17edef8b568a7ef8c8802a42552553e66d5b1554f95ae85c22d5c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
1750a80d13f5bfa340219c5e762d7af0

SHA1
0f01327100c9cf65389ffcb71c48161a01a9cb12

SHA256
2c8604926a614f7f8e75f3c127c57f7bf8c4bc9f5f9d2bdc7731cc7dfaadeb91

SHA512
14a62bd20b40ce6653c72598d62a54d69a5229827c305f7551b687dea28efb18fd4aa280ae1f4b02fb5d9332905a0fa3be470859fae71474622efbe427979dca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
9650ab00acb07a28bcafc17e188f9454

SHA1
a913d88a132615b12dc2b7f8f0b50364efae8585

SHA256
a6df24cb1e3c60182b7aacbfd403aeac59688bf0e296a558e468d69695cb6f17

SHA512
ad66d2571d561de0ad1ad16573d59d24c7a59c00db1fe0525ad003a43dea3dbff5f7d75e7282deddf9aa2778ad2220edc24a805c3964962025e5e5dfc3ae6b31

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
392KB

MD5
9a32532eb20ee1417ec3c0dfd1fb297d

SHA1
98732926151790da6feb8007a3c26efb94bb9fb6

SHA256
966084411f7e8f93ef2209089ca8f2f8743d662dd0420b45c907edade23d666f

SHA512
269f2afec3a57acf8889834410df4861761065cad627e658cd4bb9bccf81b27563deb9ba325af93f630320025b0e4a73387055179bd4b144e8d2f3c49f078021

Download Submit
C:\Users\Admin\Downloads\ProcessExplorer.lIxJ4mVD.zip.part

Filesize
3.3MB

MD5
6c33b4937c5ed3f19f44cda1a9fe0bfc

SHA1
09ac5309b4d112d7cdb275572c28e3513748ad8c

SHA256
54336cd4f4608903b1f89a43ca88f65c2f209f4512a5201cebd2b38ddc855f24

SHA512
de2d46289164c77e7e5815d011164b48fe3e7394228a4ac2dd97b58a9ec68e306e7d18b18c45913fda9b80fed47607ea7600004e5fdffcda5b1362e71ad68056

Download Submit