locky | 0537fa38b88755f39df1cd774b907ec759dacab2388dc0109f4db9f0e9d191a0

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2024 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Locky.exe
Size

180KB
MD5

b06d9dd17c69ed2ae75d9e40b2631b42
SHA1

b606aaa402bfe4a15ef80165e964d384f25564e4
SHA256

bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3
SHA512

8e54aca4feb51611142c1f2bf303200113604013c2603eea22d72d00297cb1cb40a2ef11f5129989cd14f90e495db79bffd15bd6282ff564c4af7975b1610c1c
SSDEEP

3072:gzWgfLlUc7CIJ1tkZaQyjhOosc8MKi6KDXnLCtyAR0u1cZ86:gdLl4wkZa/UDiD7ukst1H6

Score

10^/10

locky discovery ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky

Drops file in System32 directory 11 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

Locky.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Locky.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Locky.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exePOWERPNT.EXEfirefox.exefirefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exePOWERPNT.EXEmsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE

Modifies registry class 3 IoCs

Processes:

msedge.exefirefox.exemspaint.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-786284298-625481688-3210388970-1000\{F8DF9D1C-80AA-477D-8461-7C532D6EDA7C}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	mspaint.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

vlc.exePOWERPNT.EXE

pid process

5800 vlc.exe
5772 POWERPNT.EXE

pid	process
5800	vlc.exe
5772	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exechrome.exemspaint.exemsedge.exe

pid	process
3240	msedge.exe
3240	msedge.exe
2668	msedge.exe
2668	msedge.exe
4544	identity_helper.exe
4544	identity_helper.exe
3556	msedge.exe
3556	msedge.exe
6100	chrome.exe
6100	chrome.exe
5160	mspaint.exe
5160	mspaint.exe
5216	msedge.exe
5216	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

5800 vlc.exe

pid	process
5800	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

Processes:

msedge.exechrome.exe

pid	process
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

Processes:

chrome.exefirefox.exe

description	pid	process
Token: SeShutdownPrivilege	6100	chrome.exe
Token: SeCreatePagefilePrivilege	6100	chrome.exe
Token: SeShutdownPrivilege	6100	chrome.exe
Token: SeCreatePagefilePrivilege	6100	chrome.exe
Token: SeShutdownPrivilege	6100	chrome.exe
Token: SeCreatePagefilePrivilege	6100	chrome.exe
Token: SeDebugPrivilege	3740	firefox.exe
Token: SeDebugPrivilege	3740	firefox.exe
Token: SeShutdownPrivilege	6100	chrome.exe
Token: SeCreatePagefilePrivilege	6100	chrome.exe
Token: SeShutdownPrivilege	6100	chrome.exe
Token: SeCreatePagefilePrivilege	6100	chrome.exe
Token: SeShutdownPrivilege	6100	chrome.exe
Token: SeCreatePagefilePrivilege	6100	chrome.exe
Token: SeShutdownPrivilege	6100	chrome.exe
Token: SeCreatePagefilePrivilege	6100	chrome.exe
Token: SeShutdownPrivilege	6100	chrome.exe
Token: SeCreatePagefilePrivilege	6100	chrome.exe
Token: SeShutdownPrivilege	6100	chrome.exe
Token: SeCreatePagefilePrivilege	6100	chrome.exe
Token: SeShutdownPrivilege	6100	chrome.exe
Token: SeCreatePagefilePrivilege	6100	chrome.exe
Token: SeShutdownPrivilege	6100	chrome.exe
Token: SeCreatePagefilePrivilege	6100	chrome.exe
Token: SeShutdownPrivilege	6100	chrome.exe
Token: SeCreatePagefilePrivilege	6100	chrome.exe
Token: SeShutdownPrivilege	6100	chrome.exe
Token: SeCreatePagefilePrivilege	6100	chrome.exe
Token: SeShutdownPrivilege	6100	chrome.exe
Token: SeCreatePagefilePrivilege	6100	chrome.exe
Token: SeShutdownPrivilege	6100	chrome.exe
Token: SeCreatePagefilePrivilege	6100	chrome.exe
Token: SeShutdownPrivilege	6100	chrome.exe
Token: SeCreatePagefilePrivilege	6100	chrome.exe
Token: SeShutdownPrivilege	6100	chrome.exe
Token: SeCreatePagefilePrivilege	6100	chrome.exe
Token: SeShutdownPrivilege	6100	chrome.exe
Token: SeCreatePagefilePrivilege	6100	chrome.exe
Token: SeShutdownPrivilege	6100	chrome.exe
Token: SeCreatePagefilePrivilege	6100	chrome.exe
Token: SeShutdownPrivilege	6100	chrome.exe
Token: SeCreatePagefilePrivilege	6100	chrome.exe
Token: SeShutdownPrivilege	6100	chrome.exe
Token: SeCreatePagefilePrivilege	6100	chrome.exe
Token: SeShutdownPrivilege	6100	chrome.exe
Token: SeCreatePagefilePrivilege	6100	chrome.exe
Token: SeShutdownPrivilege	6100	chrome.exe
Token: SeCreatePagefilePrivilege	6100	chrome.exe
Token: SeShutdownPrivilege	6100	chrome.exe
Token: SeCreatePagefilePrivilege	6100	chrome.exe
Token: SeShutdownPrivilege	6100	chrome.exe
Token: SeCreatePagefilePrivilege	6100	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exechrome.exefirefox.exe

pid	process
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exechrome.exefirefox.exe

pid	process
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
6100	chrome.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

firefox.exevlc.exemspaint.exeOpenWith.exePOWERPNT.EXE

pid	process
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
5800	vlc.exe
5160	mspaint.exe
3112	OpenWith.exe
5772	POWERPNT.EXE
5772	POWERPNT.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2668 wrote to memory of 1208	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1208	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 1984	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 3240	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 3240	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 2000	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 2000	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 2000	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 2000	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 2000	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 2000	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 2000	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 2000	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 2000	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 2000	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 2000	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 2000	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 2000	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 2000	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 2000	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 2000	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 2000	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 2000	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 2000	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 2000	2668	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Locky.exe
"C:\Users\Admin\AppData\Local\Temp\Locky.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb616c46f8,0x7ffb616c4708,0x7ffb616c4718
  2⤵
  PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,8382961086891104675,7894209688883643212,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,8382961086891104675,7894209688883643212,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,8382961086891104675,7894209688883643212,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
  2⤵
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8382961086891104675,7894209688883643212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8382961086891104675,7894209688883643212,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8382961086891104675,7894209688883643212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
  2⤵
  PID:2664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8382961086891104675,7894209688883643212,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,8382961086891104675,7894209688883643212,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,8382961086891104675,7894209688883643212,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8382961086891104675,7894209688883643212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8382961086891104675,7894209688883643212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2044,8382961086891104675,7894209688883643212,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2044,8382961086891104675,7894209688883643212,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8382961086891104675,7894209688883643212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8382961086891104675,7894209688883643212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8382961086891104675,7894209688883643212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8382961086891104675,7894209688883643212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8382961086891104675,7894209688883643212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8382961086891104675,7894209688883643212,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8382961086891104675,7894209688883643212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
  2⤵
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8382961086891104675,7894209688883643212,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:2632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb6156cc40,0x7ffb6156cc4c,0x7ffb6156cc58
  2⤵
  PID:6116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1860,i,8573091332357342997,9745655278600893181,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1864 /prefetch:2
  2⤵
  PID:4156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2184,i,8573091332357342997,9745655278600893181,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  PID:3760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,8573091332357342997,9745655278600893181,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2480 /prefetch:8
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,8573091332357342997,9745655278600893181,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:3644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3408,i,8573091332357342997,9745655278600893181,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4564,i,8573091332357342997,9745655278600893181,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4576 /prefetch:1
  2⤵
  PID:5028

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4532

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5160
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2040 -parentBuildID 20240401114208 -prefsHandle 1968 -prefMapHandle 1960 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {96314942-5cc9-4f31-a0a9-c7e52ad51677} 3740 "\\.\pipe\gecko-crash-server-pipe.3740" gpu
    3⤵
    PID:2836
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2420 -prefMapHandle 2408 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79bcff1e-c527-493b-b95a-dec01084bcf3} 3740 "\\.\pipe\gecko-crash-server-pipe.3740" socket
    3⤵
    - Checks processor information in registry
    PID:4684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3048 -childID 1 -isForBrowser -prefsHandle 1576 -prefMapHandle 1564 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40497527-0816-4244-a68f-2519822431ea} 3740 "\\.\pipe\gecko-crash-server-pipe.3740" tab
    3⤵
    PID:5776
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3660 -childID 2 -isForBrowser -prefsHandle 2972 -prefMapHandle 3060 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e694a0a-e490-42dc-838a-bee26628b58a} 3740 "\\.\pipe\gecko-crash-server-pipe.3740" tab
    3⤵
    PID:5884
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4556 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4564 -prefMapHandle 4524 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b060d4be-65eb-4dec-9587-c50b252a7cb0} 3740 "\\.\pipe\gecko-crash-server-pipe.3740" utility
    3⤵
    - Checks processor information in registry
    PID:1500
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5328 -childID 3 -isForBrowser -prefsHandle 5312 -prefMapHandle 5284 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e68d39b-38b3-421f-aecf-f93db59b3dbf} 3740 "\\.\pipe\gecko-crash-server-pipe.3740" tab
    3⤵
    PID:5128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5480 -childID 4 -isForBrowser -prefsHandle 5492 -prefMapHandle 5304 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {165ee7d6-7927-4120-8adf-4082540ab960} 3740 "\\.\pipe\gecko-crash-server-pipe.3740" tab
    3⤵
    PID:3172
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5748 -childID 5 -isForBrowser -prefsHandle 5740 -prefMapHandle 5736 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {064c51de-7a0a-4dd8-a1ea-dc664af43c73} 3740 "\\.\pipe\gecko-crash-server-pipe.3740" tab
    3⤵
    PID:2620

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\EditAdd.3gp2"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5800

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ConnectRename.jfif" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5160

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:5704

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3112

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\DenyPush.ppsx" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultd5a566deh1796h43c6ha054h2ae4137ce844
1⤵
PID:5732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb616c46f8,0x7ffb616c4708,0x7ffb616c4718
  2⤵
  PID:5456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,8294658798050162475,17139487146698733705,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,8294658798050162475,17139487146698733705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,8294658798050162475,17139487146698733705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:5188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\331bd15b-6939-43f9-a105-e41cc5544294.tmp

Filesize
99KB

MD5
e503853050effdcf21c0ddb8ecf18f60

SHA1
5a63581cc22068e061ccc833c360f58594b1a74a

SHA256
4895d7cd07e791839d6976c99ba547c2cb798089b46797b3cf89af950287f857

SHA512
b9ce56532d1fcf8bca8b6de42c3f88bdd073813b878d264e317eb9a307365ec614fff41a7e8dd1dac9a07024c618cb4a5d94e0589528b4555a59a874f8b51223

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
5170ca0b24146c527638f98229aeadf7

SHA1
94d49cdd6e832684ade7e3e7b937c4b7c453c310

SHA256
53323a6ea6482e9058267c7de929603402667c1d9d582b5e8e394aae76ab64a1

SHA512
4b657353a9918d0286c0cf74e3f3c51c5137918e409c229a4f9ac45a8485d71cdd8bd138bdcd0bd08c9b234a303928e93daca2985acccffbc27ddda77bf6b2de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
67f05e7dded21bf97244c4bd0464d534

SHA1
002671ff78299a14da705a68b5f1c414459d6350

SHA256
e0c9ea3c8cd184b625cb318aa5761dc95ef9adbd1fa16b293f8fdb5265698a9e

SHA512
7486567d805c17a001e2d034d9fe4d38691d5cdeed195e8eed03e42046974568af5c5bf42ad473e1298867dda635721f0e576202ed01a07e9c961ff110f7251d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c8fba7e005b3c832f6d6d29e298507f1

SHA1
6bdd2fb1a2054471b10bc28648fe990fc96c342d

SHA256
4f494eb54437cb48ed3ee780bdeeebeedd88799c361e0fe9179f0624ff6ea950

SHA512
04607da4e9b3e574abc9fba9f3699fd7b566c93da69e7c71ec6f8a1997c69f45928c9f8cab6dbc8894372ec1028a8505ae38cb4fe4f4fc5175661e377a7ed3a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f6cf0b6b0256b4d905cce3100c0ce5f5

SHA1
c9a45a8f0ca6dfe24c291843d92bc77241ba4b7c

SHA256
39b922e3dd70fa6818f05e47cf11b3652b1464e49b612f70866909bd5787df53

SHA512
3c1877f99b216a2b7b776b7d2e6a08e4ea4dba0a4048004b2d245e05671fd3ac7b5784dc39ec36a5aa6a2012afdbd65cebd5b6893a17add13b51ee3bbfdac13f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
709db79ffe039683082d815c1c28b4f7

SHA1
5f40e08603e2203a999de11641bf7c8e66670eaf

SHA256
12e2ec0d44b7a36a816f0cf60b55343d49e42a550f4095939d3bdfdb3bb533b0

SHA512
0a338a813a6f6681ccadabfe3c79a0db8d76e19934f010936f361b0dc0ce156c3b9399299d6b19019af8e9294b40a2003387fbdf57a849c9b6102d7964676367

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5fef0b5ab8f5829bc2b9878b832b0ebe

SHA1
3e1c646926b836bc365c02526a406dd78ec00ab3

SHA256
ce832369a5b0dba3e5e6ceebb3fe3690466d42fe1677c5db24f50da8aa001335

SHA512
cafef56fefda6ca94c4ba065d43ac2173adad7d190ac48804c574fc7f572dfdb727c6bfe83ad06a021ff94f6c7898145602dd9fb2fb33ba71ee67db6ff0e0d15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
bc23985a7af1c795a61181fbc4b0d800

SHA1
6b3ead3ed64658227ab5ac7a5a4eafa802205ad4

SHA256
224075c5273773642d644017bcb7c449bd1eeb599f7f571a2110c4335defdf7a

SHA512
f7e0fb22fcf17495631629304d62b55a29d1ae6ca487e9a663135ba6f948b0d5979a815e16b2d17870e08cf533a573e93507bcf2e0118df909839e2506f3ca15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
28KB

MD5
0c846e9980f8b46ee8af7ce2945ce9e3

SHA1
9168bea578b2b515861762a79e2f736e017e98e6

SHA256
a97ccb59702a93d118970e098e82dccd13f8a4bc9670c622e20ef99fe18df46b

SHA512
8177cea01c53d8a3effefb6c570f60462aab1357644a1cf6780c87e3176b735d825e8e7446969dc4c43d96c2a4aa35fda8e6397eb7e5575f4bc8e5f489be3eab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
460876cf925a87e91246623b4294aa00

SHA1
264359de276a45460235e6e7f7843b206a1b1ca1

SHA256
bc58b69af70d73e9a1e1a4d97857abd8116add5ea466595a7c3a9740116de086

SHA512
89cb6ab537779b091838faa23fe35c1271ab171038a54b91237465d85faad3c91a43c4023bb03ee00ef892d1bf1950db4631d523de336e2b3d9558f8f157ac86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
92b2086dfafa572c2265de96ba48e39d

SHA1
656ee68026ac8556529f27d43df7cf3d9b097c3b

SHA256
735da733e3039a8b56f9e45a4fe8b54d7cf3ebb85cee7aebd4482e8bdd6bae94

SHA512
807e267bf455d4f6bbbc0bb04a03fe644750dc957337e83c40b0792236d57b2027757dfe631e235215d53e7b5c7c3f673bfa4faa9e7eb76dd3802badd09ec196

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2ede67739a44e2893c8e48d20bf2308c

SHA1
777ad1eecd66af2fd470796a08a5480d4c01cdef

SHA256
ed987c2fe59aaf786dbe3208c206990dbc1f7fb913284b7309ccb6f53beebe0b

SHA512
ac88aaad257e95cc0ed4e628816ee0665783c9dc224ce51a38abd323ef60885ffe37c9a926434aad1b1e0c0207a915db0b5468d8466930e3aa353fa81ddae34f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d227f06ee21b25b9c35447a2c6ca3396

SHA1
c0183f0e8458f07b993e67dc1a71508472bf02b2

SHA256
2e288aca9acf1308a989830d428a9290982369a195e7da2a4fd8169c34ddeb79

SHA512
d4cadd1efe814b52c0ca112852964a58cf04813c24ce061de76253916e422b3699858261202efa31d916521bef5cfd421aa8b1c38adb2d72efea7a4718786d51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a92717676160a12088ddc98bf6e4ed47

SHA1
111769e9f5427ae81428e28a8a77583b3cb78ede

SHA256
57a7851dc27c2c1592c9cba8c35e4ea8f6ee2e07f3484ac460fc7b3aedee7deb

SHA512
356c015e0ce9a69c8fc0f33daa3377f1b3f4eae2a98662887d2182cfe0726b173f898237fc1cdd6fe5d49d05a4a5bee765ff4a0007ab8790cbc5e5e25da46863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
184B

MD5
65fa8df2616af0e5cb7cdbfb10533624

SHA1
c372c28c81b2a8e1a77a373234e933d633a33072

SHA256
e31aaa60f8c295d755a0d991e0b8cef5d8dabb0672e0af0c67a9439c9f7f6dc3

SHA512
9e61bd80ad525351450c56bbfa791365327bcbc6583f9199d5116f8ae51e4203e7647d8f67c0b3dc96bff99359c0bb9d1e1bc008092bf3190064935372089fdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
c5c675b7ad53057ea95a78cf6c104d47

SHA1
3c2169c09f81f94621bce855ca625cdf8b5303f8

SHA256
9d0b79caa310daa1aff05f096a23e47c5343e9174f0471e0236aa7b901f47e89

SHA512
816b5c1ff53bc4674dbcb2e14944346ed79a3fee3248d2eec1cc3f6e166274375c8b3d294b4a6ef978075e7b4cc8d78beb253cfafecfb39948e94631e2a7074c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
f16964dd700c0d8540a5c535ef8e104c

SHA1
48addf7e51578f1f45a5f56bb42d7bdacb829960

SHA256
8b9e864133a9da0ce46f82e7b6fdc8fd8653c2893dda6966e1a7f066289cf114

SHA512
51af94b136f328dcc5c0a665a1d39e4660e0caba444e1c3fb61a864ba4f34383fad01c7a920a0c5bb3b540155bcd6f4531a4efd981df022030e1470d14597239

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
cb260b358f6e5935b3b22eeefa6b7ec6

SHA1
7d89fa58d324c650b7a9c40aef96428ddf4ab152

SHA256
bace5100780bdc65088d643ea062778cec7df8765ab06461db557930c76f0e8d

SHA512
edfa63250e1670fd6cb199750f54e2cc9b91db5ac9de0379f3d8b73f3089a174178d6271c2ad182a6967052bb1b4aeb291df2e73092a53041a48fa3cee6a6c94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
4a9dc2dc6068e8c2c2a3c7bb56e8f4ba

SHA1
5820745746a520a71bccb5c7f44b21f63c8177dd

SHA256
723f5a613abb0e208fabdbdd5e7426d9b60f724471570d5f3b28242604b7a990

SHA512
9534d29c5b88feada45cf7bfb06407a0d9e612f46a1f9a11d36d7c24b3c5678fb8cdc5d5ca81840f6d860f14e3de4ca847a39441bf0b42bf21be574d8ae17601

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\eb807650-3937-4e3f-ba63-3889c27b10af.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
43595ada412f2ec60d3ea4fe76455362

SHA1
cafcdb82c2041c6b56b32fddb386ede636253b66

SHA256
4c24af1aacfed78fd7cc7a5933b9a7a0a2464e506defa84097909159ba6a69b2

SHA512
a591805d8e69837c29ab1d95eb9b3e8934656926faae3c6bbe7f0be01b78c376c00f6e8110691c61c739bc2d3c828d61f360dace7342e6933c9d1f2537313939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cba9c0610f573ee6cecc513275f5dc8f

SHA1
ba754a7242e5119798c33a961ac9f731d1beba0e

SHA256
4b46fa590a843ad090774232ae3d820bd5a54fd1a8ab33201c7e6559fd513db9

SHA512
baa689d919a49bfacec977d6a13d2f657e15e0a682369c815a3d14f890516387f7ffcb212383fcae6ae668e6f958d12978887a390696e350b5a9dcbe6c4b1323

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
b3155f4ae67015fddd36b94093cfc1ab

SHA1
1780c681d7b909c41527143fad734dcde826fc46

SHA256
5de26176689130a8b0d064d151b954455a66ab3efbd9a7b00a459546a962a8a6

SHA512
877cdce15c12bfba41af37b99054e09cfbc4dc437d6667e2fef030cebb9dec7b4c5ea8e328cb15a352cf369e54e0429afa103f04a179218cddb9923d81383f25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
709b805f80091c902e4985312f4b0646

SHA1
e63b78f9fe2171571cc81355825bd13ec5f39d00

SHA256
367f4246b9ddd0060c0bf6c3b9892b7cb2d6ae948c025668f2cab71db7452427

SHA512
bf7fb9df0f431022eb52ff21acdf58ec9eb463045161bdea8c2058affcd8e02e7bfbaadb43ad1a9c42cfa642324df50873d0f09f04b22d248309e1706a44ad72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
608b1fa9bc26fbc376e97aae0c07f72c

SHA1
af0b495e717a344d88425b8629e51946f41a2608

SHA256
3d90d35efe0895db98fdaeebb3824034cc6617b38cf009b850855d4f159cdb5f

SHA512
5a772868944effe296374caeed23238c5afdde1e278c5dd6b6093d93b991ffbe1c4c949ed4d6853dec9de2b79ecbd92c7dc1e7e1e03e694b3d0df18a4eaaff26

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\activity-stream.discovery_stream.json

Filesize
36KB

MD5
54b808d68191a5642491fb3795b1e21b

SHA1
20122349f1fe3d4bc05ac5c63ff42cbeb8a676a6

SHA256
415033c43493e9c93848de31f7ff8eb3317528d8cf40bbf636e3f539ca40064b

SHA512
32c0d36748e6aa79d939f97a682f90d10c185b7a9d8fc8a4990ad0debcbf90b2ea6b1441e1e94198a15e38588b4dad7436a9dec4a6533baa6ee1266a6b2104b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin

Filesize
6KB

MD5
91d3c7ac1aa40d2731fcf79805524475

SHA1
5710e00630734474a62fc2ba1609c99261cfcba7

SHA256
bdbf882f0388e8c4568d14497c56eb70f32785fbd1219627e867619261e9cddc

SHA512
e3b41ff81beb9391df74cc45e9e22eaad3e003dc3b9e5c829a0d1bce4f0726deac633c4ec39ec0ea51e403bd82e4bcb3d921bb4b7061cca45f2f5a1c9cedb6e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
b5c6aacebf713a5130abdc0a5b6cada3

SHA1
a8966917780b7471f54069e266c01fd3f1faa8d7

SHA256
667cf21c2b62bc7bed9910b59feab164e94dbe0bdca3b1a6bd2ad50caf161485

SHA512
24773e9fdce29f6bb18ed48327ff0c081d2f44463ba69cc9952314cb05daab9191afa8e519a6693a427cfee399b988be8f6720397e5b6b46ea9a3458badeffbe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
1fbd54d530f0c3de9c3fd4c2e3b213de

SHA1
730d3588dfb2621ce095fde4f471e990ecf4822e

SHA256
7f8f6d4fc2437f5109312a245e9fbf6aac2b57c58d2b62e632c6dfa6b9e0f3fe

SHA512
a236845af06b3d938ca282f13750588f5bae3ebcd81d5090dca9297a385c4ca26a4b844290a18c1dc42c4ceb73fcd608e59c0fb9fc508f0b88bdd8f1d0209ab6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\87706ee2-d7ae-412e-814a-c5c7beb8aae0

Filesize
27KB

MD5
aa197ea68f5a3aa8450bb51696d7b509

SHA1
94730a987bb326765b8ca981cd4ee431daf023c2

SHA256
0d2f9a8c208917f2f34c102e552d5884192e11e358524994418173de019798cf

SHA512
a585622906409d51b0148a48533c56ec9ae846c5fa077dad3d810d67ccadf751e93b9eb62eeeb8e4a59426b63cdae2e270a1774fe2927a82faa833049e0e14b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\de1b1f91-00c3-48a4-b7c4-1d336fb6d2b4

Filesize
671B

MD5
232741669e39d69b215bfa0cbf7edf53

SHA1
f445653f692e1fc3b3c8975445cdfd4c4a1dd627

SHA256
d6030c8c177669be840eaa0474259aab05aedb5778b8f5eeee677a8f83d85397

SHA512
d2c44c73f067d14f04f31d0837bff24179b8dbe5e6586cf3a8376e46e6aa4b02268de56d6778eef43b5433594442fc807c632257a59f6a97c93b882377caa6da

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\f35957b1-7427-4ae8-a1a4-d06cdcce256e

Filesize
982B

MD5
faf606b98bfd625c6531d64016431a65

SHA1
2360360317abff9443d92bda7cc7727d32f91ce3

SHA256
09f3ebdd075f00926e20a0ed058a6a7d6a0c70f10c84db9452c8f65789cb98ee

SHA512
82fc0259219894cf9feb126c81a4f24a9ecd53501533664013e65e68d02a641c0cc4af069d8af85eea28faf4897fc66be63066c46d5fe02dfe1cd7ba79fcef78

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js

Filesize
11KB

MD5
594a60a68d4d91772fd70d56c7f6ca86

SHA1
0d3f2abc92037b88737a3976eafc7485547d777a

SHA256
f70f0e85c254382660d46f68d706784690a758e64da0ea886c7e8bc364cb52a4

SHA512
de7446a60249bca260a0f6f4bce2055fd3567bb5ec909528d722c51d08b4534a955b5882e0a4e5c9311ae6fbb41bb45f013d856f35597c44443f5e7d8db13dc8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs.js

Filesize
11KB

MD5
3b2c7b3d222ce5596b77a63268358228

SHA1
bcbedcf94eeef2aa08b137338a3aa38a7c1f53dd

SHA256
be252da6a16d731d36d53631f2323694e9dee01ec1c0426504ec0a50930f06ac

SHA512
175cd0330402e70db28d4dd34b58845da20663c2d88451959d10c152d92bfcf72da5c190166043f01979c2a42a5e2d44b63a000f3debeaefc4d907858fbd920e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
\??\pipe\LOCAL\crashpad_2668_BOBPTKMWQQKIVPNI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4068-216-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/4068-218-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/4068-709-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/4068-0-0x0000000000D80000-0x0000000000D84000-memory.dmp

Filesize
16KB

Download
memory/4068-888-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/4068-25-0x0000000000D80000-0x0000000000D84000-memory.dmp

Filesize
16KB

Download
memory/4068-234-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/4068-927-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/4068-960-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/5704-898-0x000001D3EAE60000-0x000001D3EAE70000-memory.dmp

Filesize
64KB

Download
memory/5704-913-0x000001D3F3250000-0x000001D3F3251000-memory.dmp

Filesize
4KB

Download
memory/5704-894-0x000001D3EA5A0000-0x000001D3EA5B0000-memory.dmp

Filesize
64KB

Download
memory/5704-905-0x000001D3F3130000-0x000001D3F3131000-memory.dmp

Filesize
4KB

Download
memory/5704-907-0x000001D3F31B0000-0x000001D3F31B1000-memory.dmp

Filesize
4KB

Download
memory/5704-909-0x000001D3F31B0000-0x000001D3F31B1000-memory.dmp

Filesize
4KB

Download
memory/5704-910-0x000001D3F3240000-0x000001D3F3241000-memory.dmp

Filesize
4KB

Download
memory/5704-911-0x000001D3F3240000-0x000001D3F3241000-memory.dmp

Filesize
4KB

Download
memory/5704-912-0x000001D3F3250000-0x000001D3F3251000-memory.dmp

Filesize
4KB

Download
memory/5772-930-0x00007FFB3F610000-0x00007FFB3F620000-memory.dmp

Filesize
64KB

Download
memory/5772-929-0x00007FFB3F610000-0x00007FFB3F620000-memory.dmp

Filesize
64KB

Download
memory/5772-928-0x00007FFB3F610000-0x00007FFB3F620000-memory.dmp

Filesize
64KB

Download
memory/5772-931-0x00007FFB3F610000-0x00007FFB3F620000-memory.dmp

Filesize
64KB

Download
memory/5772-932-0x00007FFB3F610000-0x00007FFB3F620000-memory.dmp

Filesize
64KB

Download
memory/5772-933-0x00007FFB3D5B0000-0x00007FFB3D5C0000-memory.dmp

Filesize
64KB

Download
memory/5772-934-0x00007FFB3D5B0000-0x00007FFB3D5C0000-memory.dmp

Filesize
64KB

Download
memory/5772-959-0x00007FFB3F610000-0x00007FFB3F620000-memory.dmp

Filesize
64KB

Download
memory/5772-957-0x00007FFB3F610000-0x00007FFB3F620000-memory.dmp

Filesize
64KB

Download
memory/5772-956-0x00007FFB3F610000-0x00007FFB3F620000-memory.dmp

Filesize
64KB

Download
memory/5772-958-0x00007FFB3F610000-0x00007FFB3F620000-memory.dmp

Filesize
64KB

Download
memory/5800-923-0x00007FFB74C40000-0x00007FFB74C74000-memory.dmp

Filesize
208KB

Download
memory/5800-922-0x00007FF6A7830000-0x00007FF6A7928000-memory.dmp

Filesize
992KB

Download
memory/5800-924-0x00007FFB60F70000-0x00007FFB61226000-memory.dmp

Filesize
2.7MB

Download
memory/5800-925-0x00007FFB5CE00000-0x00007FFB5DEB0000-memory.dmp

Filesize
16.7MB

Download