Analysis
-
max time kernel
1799s -
max time network
1477s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
17-10-2024 14:40
Static task
static1
Behavioral task
behavioral1
Sample
7z2405-x64.exe
Resource
win11-20241007-en
General
-
Target
7z2405-x64.exe
-
Size
1.5MB
-
MD5
c73433dd532d445d099385865f62148b
-
SHA1
4723c45f297cc8075eac69d2ef94e7e131d3a734
-
SHA256
12ef1c8127ec3465520e4cfd23605b708d81a5a2cf37ba124f018e5c094de0d9
-
SHA512
1211c8b67652664d6f66e248856b95ca557d4fdb4ea90d30df68208055d4c94fea0d158e7e6a965eae5915312dee33f62db882bb173faec5332a17bd2fb59447
-
SSDEEP
49152:ZEVAbJqaITViU3qLkr7toP9KT+uv6WC+5uxe1o58:ZEVcqeUaki9oBqt+
Malware Config
Signatures
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 1 IoCs
pid Process 5736 dismhost.exe -
Loads dropped DLL 9 IoCs
pid Process 3316 Process not Found 5736 dismhost.exe 5736 dismhost.exe 5736 dismhost.exe 5736 dismhost.exe 5736 dismhost.exe 3316 Process not Found 1972 explorer.exe 1972 explorer.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 32 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\M: cleanmgr.exe File opened (read-only) \??\F: sdclt.exe File opened (read-only) \??\A: cleanmgr.exe File opened (read-only) \??\I: cleanmgr.exe File opened (read-only) \??\K: cleanmgr.exe File opened (read-only) \??\Z: cleanmgr.exe File opened (read-only) \??\D: sdclt.exe File opened (read-only) \??\E: cleanmgr.exe File opened (read-only) \??\H: cleanmgr.exe File opened (read-only) \??\Q: cleanmgr.exe File opened (read-only) \??\W: cleanmgr.exe File opened (read-only) \??\F: sdclt.exe File opened (read-only) \??\B: cleanmgr.exe File opened (read-only) \??\J: cleanmgr.exe File opened (read-only) \??\O: cleanmgr.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\F: sdclt.exe File opened (read-only) \??\X: cleanmgr.exe File opened (read-only) \??\G: cleanmgr.exe File opened (read-only) \??\L: cleanmgr.exe File opened (read-only) \??\R: cleanmgr.exe File opened (read-only) \??\S: cleanmgr.exe File opened (read-only) \??\U: cleanmgr.exe File opened (read-only) \??\N: cleanmgr.exe File opened (read-only) \??\P: cleanmgr.exe File opened (read-only) \??\T: cleanmgr.exe File opened (read-only) \??\Y: cleanmgr.exe File opened (read-only) \??\D: sdclt.exe File opened (read-only) \??\D: sdclt.exe File opened (read-only) \??\V: cleanmgr.exe File opened (read-only) \??\F: sdclt.exe File opened (read-only) \??\D: sdclt.exe -
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\system32\LogFiles\setupcln\setuperr.log cleanmgr.exe File opened for modification C:\Windows\system32\LogFiles\setupcln\diagerr.xml cleanmgr.exe File opened for modification C:\Windows\system32\LogFiles\setupcln\diagwrn.xml cleanmgr.exe File opened for modification C:\Windows\system32\LogFiles\setupcln\setupact.log cleanmgr.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\7-Zip\Lang\hr.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ky.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\mr.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\de.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\fa.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\7zG.exe 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\tt.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\uk.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\nb.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ps.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\sr-spc.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\sw.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\7z.dll 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\en.ttt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\lij.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\vi.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\pt.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\tr.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ro.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\sa.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ja.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\lt.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\tk.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\uz-cyrl.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\az.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ga.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\nl.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\pt-br.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\sl.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\sq.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\bg.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\hy.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\gl.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\descript.ion 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\cs.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\cy.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\es.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\is.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\kk.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\History.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ne.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\hu.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\pa-in.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\7-zip.chm 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ast.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\it.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ms.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ru.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\7zCon.sfx 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\af.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ku.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\sr-spl.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\et.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\uz.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\da.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\mng.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\fr.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ug.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\License.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\readme.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ba.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ext.txt 7z2405-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\sv.txt 7z2405-x64.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\Logs\DISM\dism.log cleanmgr.exe File opened for modification C:\Windows\Logs\DISM\dism.log dismhost.exe File opened for modification C:\Windows\INF\setupapi.dev.log cleanmgr.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7z2405-x64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DllHost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DllHost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DllHost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DllHost.exe -
Checks SCSI registry key(s) 3 TTPs 60 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ cleanmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 cleanmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067\ cleanmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 cleanmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 cleanmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015 cleanmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ cleanmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs cleanmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015 cleanmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 cleanmgr.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 cleanmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015 cleanmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067 cleanmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 wbengine.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 cleanmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067\ cleanmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004 cleanmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ cleanmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID cleanmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID cleanmgr.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 cleanmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 sdclt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015 cleanmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID cleanmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 sdclt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 sdclt.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ cleanmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004 cleanmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 cleanmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 cleanmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs cleanmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004 cleanmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004 cleanmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs cleanmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 cleanmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags cleanmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom cleanmgr.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000002fc80c284bade0450000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800002fc80c280000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809002fc80c28000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d2fc80c28000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000002fc80c2800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags cleanmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 cleanmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID cleanmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom cleanmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs cleanmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067 cleanmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 sdclt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 cleanmgr.exe -
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip 7z2405-x64.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\DiagCpl.dll,-15#immutable1 = "Troubleshoot and fix common computer problems." explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-45#immutable1 = "Make your computer easier to use." explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\Mode = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\MRUListEx = ffffffff explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\telephon.cpl,-2#immutable1 = "Configure your telephone dialing rules and modem settings." explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-101#immutable1 = "Customize your mouse settings, such as the button configuration, double-click speed, mouse pointers, and motion speed." explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\netcenter.dll,-2#immutable1 = "Check network status, change network settings and set preferences for sharing files and printers." explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\mmsys.cpl,-300#immutable1 = "Sound" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-2#immutable1 = "Protect your PC using BitLocker Drive Encryption." explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000} 7z2405-x64.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix BackgroundTransferHost.exe Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel explorer.exe Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\RADCUI.dll,-15300#immutable1 = "RemoteApp and Desktop Connections" explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip 7z2405-x64.exe Set value (data) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\Mode = "6" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\Vault.dll,-1#immutable1 = "Credential Manager" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\appwiz.cpl,-160#immutable1 = "Uninstall or change programs on your computer." explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\systemcpl.dll,-1#immutable1 = "System" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\GroupByDirection = "1" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-1#immutable1 = "BitLocker Drive Encryption" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\GroupByKey:PID = "0" explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 7z2405-x64.exe Set value (data) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 0c0001008421de39080000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\MaxPos1280x720x96(1).x = "4294967295" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sud.dll,-1#immutable1 = "Default Programs" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 0100000000000000ffffffff explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" 7z2405-x64.exe Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\MuiCache BackgroundTransferHost.exe Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12122#immutable1 = "Windows Defender Firewall" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-100#immutable1 = "Mouse" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\GroupView = "0" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000010000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000 explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\MinPos1280x720x96(1).x = "4294967295" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WinPos1280x720x96(1).bottom = "670" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\DiagCpl.dll,-1#immutable1 = "Troubleshooting" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\GroupByDirection = "1" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\Rev = "0" explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip 7z2405-x64.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\usercpl.dll,-2#immutable1 = "Change user account settings and passwords for people who share this computer." explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\devmgr.dll,-5#immutable1 = "View and update your device hardware settings and driver software." explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sdcpl.dll,-100#immutable1 = "Recover copies of your files backed up in Windows 7" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fhcpl.dll,-2#immutable1 = "Keep a history of your files" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\1\MRUListEx = ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\1\MRUListEx = 00000000ffffffff explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\GroupByKey:PID = "0" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\srchadmin.dll,-601#immutable1 = "Indexing Options" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-6#immutable1 = "Color Management" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\timedate.cpl,-52#immutable1 = "Set the date, time, and time zone for your computer." explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\FFlags = "18874369" explorer.exe Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\srchadmin.dll,-602#immutable1 = "Change how Windows indexes to search faster" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\recovery.dll,-2#immutable1 = "Recovery" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\inetcpl.cpl,-4313#immutable1 = "Configure your Internet display and connection settings." explorer.exe -
Suspicious behavior: AddClipboardFormatListener 3 IoCs
pid Process 1972 explorer.exe 1972 explorer.exe 1972 explorer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2388 msedge.exe 2388 msedge.exe 5944 msedge.exe 5944 msedge.exe 3232 msedge.exe 3232 msedge.exe 1668 msedge.exe 1668 msedge.exe 2228 identity_helper.exe 2228 identity_helper.exe 5468 msedge.exe 5468 msedge.exe 4920 taskmgr.exe 4920 taskmgr.exe 4920 taskmgr.exe 4920 taskmgr.exe 4920 taskmgr.exe 4920 taskmgr.exe 4920 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe 5368 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 6 IoCs
pid Process 1972 explorer.exe 2300 cleanmgr.exe 5368 taskmgr.exe 4260 sdclt.exe 5800 sdclt.exe 908 sdclt.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
pid Process 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2452 firefox.exe Token: SeDebugPrivilege 2452 firefox.exe Token: SeShutdownPrivilege 4012 control.exe Token: SeCreatePagefilePrivilege 4012 control.exe Token: SeShutdownPrivilege 2300 cleanmgr.exe Token: SeCreatePagefilePrivilege 2300 cleanmgr.exe Token: SeBackupPrivilege 6048 vssvc.exe Token: SeRestorePrivilege 6048 vssvc.exe Token: SeAuditPrivilege 6048 vssvc.exe Token: SeManageVolumePrivilege 2300 cleanmgr.exe Token: SeManageVolumePrivilege 2300 cleanmgr.exe Token: SeManageVolumePrivilege 2300 cleanmgr.exe Token: SeManageVolumePrivilege 2300 cleanmgr.exe Token: SeManageVolumePrivilege 2300 cleanmgr.exe Token: SeManageVolumePrivilege 2300 cleanmgr.exe Token: SeManageVolumePrivilege 2300 cleanmgr.exe Token: SeManageVolumePrivilege 2300 cleanmgr.exe Token: SeManageVolumePrivilege 2300 cleanmgr.exe Token: SeManageVolumePrivilege 2300 cleanmgr.exe Token: SeManageVolumePrivilege 2300 cleanmgr.exe Token: SeManageVolumePrivilege 2300 cleanmgr.exe Token: SeManageVolumePrivilege 2300 cleanmgr.exe Token: SeManageVolumePrivilege 2300 cleanmgr.exe Token: SeManageVolumePrivilege 2300 cleanmgr.exe Token: SeManageVolumePrivilege 2300 cleanmgr.exe Token: SeBackupPrivilege 2300 cleanmgr.exe Token: SeRestorePrivilege 2300 cleanmgr.exe Token: SeDebugPrivilege 4920 taskmgr.exe Token: SeSystemProfilePrivilege 4920 taskmgr.exe Token: SeCreateGlobalPrivilege 4920 taskmgr.exe Token: SeDebugPrivilege 5368 taskmgr.exe Token: SeSystemProfilePrivilege 5368 taskmgr.exe Token: SeCreateGlobalPrivilege 5368 taskmgr.exe Token: 33 4920 taskmgr.exe Token: SeIncBasePriorityPrivilege 4920 taskmgr.exe Token: SeShutdownPrivilege 1972 explorer.exe Token: SeCreatePagefilePrivilege 1972 explorer.exe Token: SeShutdownPrivilege 1972 explorer.exe Token: SeCreatePagefilePrivilege 1972 explorer.exe Token: SeShutdownPrivilege 1972 explorer.exe Token: SeCreatePagefilePrivilege 1972 explorer.exe Token: SeBackupPrivilege 4260 sdclt.exe Token: SeRestorePrivilege 4260 sdclt.exe Token: SeSecurityPrivilege 4260 sdclt.exe Token: SeTakeOwnershipPrivilege 4260 sdclt.exe Token: 35 4260 sdclt.exe Token: SeBackupPrivilege 4260 sdclt.exe Token: SeRestorePrivilege 4260 sdclt.exe Token: SeSecurityPrivilege 4260 sdclt.exe Token: SeTakeOwnershipPrivilege 4260 sdclt.exe Token: 35 4260 sdclt.exe Token: SeBackupPrivilege 4792 wbengine.exe Token: SeRestorePrivilege 4792 wbengine.exe Token: SeSecurityPrivilege 4792 wbengine.exe Token: SeBackupPrivilege 5832 vssvc.exe Token: SeRestorePrivilege 5832 vssvc.exe Token: SeAuditPrivilege 5832 vssvc.exe Token: SeBackupPrivilege 1044 svchost.exe Token: SeRestorePrivilege 1044 svchost.exe Token: SeSecurityPrivilege 1044 svchost.exe Token: SeBackupPrivilege 908 sdclt.exe Token: SeRestorePrivilege 908 sdclt.exe Token: SeSecurityPrivilege 908 sdclt.exe Token: SeTakeOwnershipPrivilege 908 sdclt.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2452 firefox.exe 2452 firefox.exe 2452 firefox.exe 2452 firefox.exe 2452 firefox.exe 2452 firefox.exe 2452 firefox.exe 2452 firefox.exe 2452 firefox.exe 2452 firefox.exe 2452 firefox.exe 2452 firefox.exe 2452 firefox.exe 2452 firefox.exe 2452 firefox.exe 2452 firefox.exe 2452 firefox.exe 2452 firefox.exe 2452 firefox.exe 2452 firefox.exe 2452 firefox.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 2452 firefox.exe 2452 firefox.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 5944 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 3232 msedge.exe 1972 explorer.exe 1972 explorer.exe 4920 taskmgr.exe 4920 taskmgr.exe 4920 taskmgr.exe 4920 taskmgr.exe 4920 taskmgr.exe 4920 taskmgr.exe 4920 taskmgr.exe 4920 taskmgr.exe 4920 taskmgr.exe 4920 taskmgr.exe 4920 taskmgr.exe 4920 taskmgr.exe 4920 taskmgr.exe 4920 taskmgr.exe 4920 taskmgr.exe 4920 taskmgr.exe 4920 taskmgr.exe 4920 taskmgr.exe 4920 taskmgr.exe 4920 taskmgr.exe 4920 taskmgr.exe 4920 taskmgr.exe 4920 taskmgr.exe 4920 taskmgr.exe 4920 taskmgr.exe 4920 taskmgr.exe 4920 taskmgr.exe 4920 taskmgr.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2452 firefox.exe 2576 SystemSettingsAdminFlows.exe 4260 sdclt.exe 4260 sdclt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2840 wrote to memory of 2452 2840 firefox.exe 85 PID 2840 wrote to memory of 2452 2840 firefox.exe 85 PID 2840 wrote to memory of 2452 2840 firefox.exe 85 PID 2840 wrote to memory of 2452 2840 firefox.exe 85 PID 2840 wrote to memory of 2452 2840 firefox.exe 85 PID 2840 wrote to memory of 2452 2840 firefox.exe 85 PID 2840 wrote to memory of 2452 2840 firefox.exe 85 PID 2840 wrote to memory of 2452 2840 firefox.exe 85 PID 2840 wrote to memory of 2452 2840 firefox.exe 85 PID 2840 wrote to memory of 2452 2840 firefox.exe 85 PID 2840 wrote to memory of 2452 2840 firefox.exe 85 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 5104 2452 firefox.exe 86 PID 2452 wrote to memory of 2488 2452 firefox.exe 87 PID 2452 wrote to memory of 2488 2452 firefox.exe 87 PID 2452 wrote to memory of 2488 2452 firefox.exe 87 PID 2452 wrote to memory of 2488 2452 firefox.exe 87 PID 2452 wrote to memory of 2488 2452 firefox.exe 87 PID 2452 wrote to memory of 2488 2452 firefox.exe 87 PID 2452 wrote to memory of 2488 2452 firefox.exe 87 PID 2452 wrote to memory of 2488 2452 firefox.exe 87 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7z2405-x64.exe"C:\Users\Admin\AppData\Local\Temp\7z2405-x64.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4484
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.131⤵
- Modifies registry class
PID:3980
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2828e7b-a4ec-4598-b7da-547474e0479c} 2452 "\\.\pipe\gecko-crash-server-pipe.2452" gpu3⤵PID:5104
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2344 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {705c4b3c-ec06-4810-9494-a611789fc9ad} 2452 "\\.\pipe\gecko-crash-server-pipe.2452" socket3⤵
- Checks processor information in registry
PID:2488
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3060 -childID 1 -isForBrowser -prefsHandle 3052 -prefMapHandle 3048 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b175372-8687-4758-a26d-31a13c062b81} 2452 "\\.\pipe\gecko-crash-server-pipe.2452" tab3⤵PID:1620
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3392 -childID 2 -isForBrowser -prefsHandle 3528 -prefMapHandle 3032 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d133c0e-5abe-4762-ad63-8660a3b59ec1} 2452 "\\.\pipe\gecko-crash-server-pipe.2452" tab3⤵PID:3860
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4772 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4764 -prefMapHandle 4760 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5b7dbd3-9bc8-473c-96aa-ddeedea4a13d} 2452 "\\.\pipe\gecko-crash-server-pipe.2452" utility3⤵
- Checks processor information in registry
PID:5200
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5296 -childID 3 -isForBrowser -prefsHandle 5360 -prefMapHandle 5356 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {384c2bb3-a5e5-40eb-92ec-90af0bcd80cc} 2452 "\\.\pipe\gecko-crash-server-pipe.2452" tab3⤵PID:5676
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5492 -childID 4 -isForBrowser -prefsHandle 5568 -prefMapHandle 5564 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b4e4558-cd9c-47e8-ac27-331342983102} 2452 "\\.\pipe\gecko-crash-server-pipe.2452" tab3⤵PID:5688
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5720 -childID 5 -isForBrowser -prefsHandle 5464 -prefMapHandle 5468 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6e8f94a-6b5e-4f24-9e6e-03a804ba37bd} 2452 "\\.\pipe\gecko-crash-server-pipe.2452" tab3⤵PID:5700
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5944 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdc5e13cb8,0x7ffdc5e13cc8,0x7ffdc5e13cd82⤵PID:5956
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,10164575597011404154,1257299608317985104,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1856 /prefetch:22⤵PID:5088
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,10164575597011404154,1257299608317985104,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:2388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1976,10164575597011404154,1257299608317985104,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2572 /prefetch:82⤵PID:3428
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,10164575597011404154,1257299608317985104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:12⤵PID:2400
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,10164575597011404154,1257299608317985104,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:12⤵PID:5016
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,10164575597011404154,1257299608317985104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:12⤵PID:5164
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,10164575597011404154,1257299608317985104,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:12⤵PID:5156
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4876
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3776
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵PID:5048
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3232 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdc5e13cb8,0x7ffdc5e13cc8,0x7ffdc5e13cd82⤵PID:3952
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,16258798965375211790,10831413176515257871,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2068 /prefetch:22⤵PID:1392
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,16258798965375211790,10831413176515257871,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1668
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,16258798965375211790,10831413176515257871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:82⤵PID:4528
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16258798965375211790,10831413176515257871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:12⤵PID:3412
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16258798965375211790,10831413176515257871,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:12⤵PID:1224
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16258798965375211790,10831413176515257871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:12⤵PID:3492
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16258798965375211790,10831413176515257871,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:12⤵PID:1652
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,16258798965375211790,10831413176515257871,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4024 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2228
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2060,16258798965375211790,10831413176515257871,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3468 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5468
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16258798965375211790,10831413176515257871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:12⤵PID:3036
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16258798965375211790,10831413176515257871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:12⤵PID:1256
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:6104
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1760
-
C:\Windows\system32\control.exe"C:\Windows\system32\control.exe" /name Microsoft.AdministrativeTools1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4012
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
PID:4620
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:1972 -
C:\Windows\system32\cleanmgr.exe"C:\Windows\system32\cleanmgr.exe"2⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2300 -
C:\Users\Admin\AppData\Local\Temp\4C6025F5-D39D-4DF7-869E-C643D3B2E078\dismhost.exeC:\Users\Admin\AppData\Local\Temp\4C6025F5-D39D-4DF7-869E-C643D3B2E078\dismhost.exe {439B0360-09C2-4AFE-A1B8-F9A366CAE1D0}3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:5736
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵PID:5080
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵PID:920
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /72⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:4920 -
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /13⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:5368
-
-
-
C:\Windows\System32\BitLockerWizardElev.exe"C:\Windows\System32\BitLockerWizardElev.exe" \\?\Volume{280cc82f-0000-0000-0000-f0ff3a000000}\ T2⤵PID:4236
-
-
C:\Windows\System32\sdclt.exe"C:\Windows\System32\sdclt.exe" /configure2⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4260
-
-
C:\Windows\system32\sdclt.exe"C:\Windows\system32\sdclt.exe" /BLBBACKUPWIZARD2⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:4664
-
-
C:\Windows\system32\sdclt.exe"C:\Windows\system32\sdclt.exe" /BLBBACKUPWIZARD2⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
PID:5800
-
-
C:\Windows\System32\sdclt.exe"C:\Windows\System32\sdclt.exe" /configure2⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:908
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
PID:3480
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6048
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost1⤵PID:5240
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
PID:1884
-
C:\Windows\system32\SystemSettingsAdminFlows.exe"C:\Windows\system32\SystemSettingsAdminFlows.exe" RenamePC1⤵
- Suspicious use of SetWindowsHookEx
PID:2576
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BDESVC1⤵PID:2400
-
C:\Windows\System32\BdeUISrv.exeC:\Windows\System32\BdeUISrv.exe -Embedding1⤵PID:1204
-
C:\Windows\System32\FveNotify.exe"C:\Windows\System32\FveNotify.exe" \\?\Volume{280cc82f-0000-0000-0000-f0ff3a000000}\1⤵PID:1888
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
PID:1440
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SDRSVC1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1044
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4792
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:4788
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:3044
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:5832
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
99KB
MD53428b9967f63c00213d6dbdb27973996
SHA11cf56abc2e0b71f5a927ea230c8cca073d20fc97
SHA25656008756553ea5876fb8aad98f6f5dbca1ba14c5e53f4fa9ec318e355e146a7e
SHA512b876b39d030818ce7879eb9bb5ff4375712cf145b7457a815880bf010215bd9dcde539e7d0877c56558e0d23a310bc75bfb9d315f9966cbda4ae02a7821980cc
-
Filesize
152B
MD51fc959921446fa3ab5813f75ca4d0235
SHA10aeef3ba7ba2aa1f725fca09432d384b06995e2a
SHA2561b1e89d3b2f3da84cc8494d07cf0babc472c426ccb1c4ae13398243360c9d02c
SHA512899d1e1b0feece25ac97527daddcaaeb069cb428532477849eba43a627502c590261f2c26fef31e4e20efd3d7eb0815336a784c4d2888e05afcf5477af872b06
-
Filesize
152B
MD5e9a2c784e6d797d91d4b8612e14d51bd
SHA125e2b07c396ee82e4404af09424f747fc05f04c2
SHA25618ddbb93c981d8006071f9d26924ce3357cad212cbb65f48812d4a474c197ce6
SHA512fc35688ae3cd448ed6b2069d39ce1219612c54f5bb0dd7b707c9e6f39450fe9fb1338cf5bd0b82a45207fac2fbab1e0eae77e5c9e6488371390eab45f76a5df1
-
Filesize
152B
MD5d6e5f14f7b4667ee1a759a359944f312
SHA106c87d6825a2ec24382c216267a201923e2566b4
SHA25657bf147669f19b61be76a538e20e11c94d4cd3df3e7eb60d4eb322d71397e559
SHA512ad84e078e972c9d59774bd108d5bf1603e5028f87eceec9ec668efc389af1c701df885379e95f4d8a9639365fed2798e2c9dcfc3f8880766b6f4f1e0211c8c90
-
Filesize
44KB
MD5d7896b90f704e10fcc7adb2ea3618d6c
SHA1521465b737c8b662e80b6b96db89a580287c8478
SHA256914cda7b20afa1cb18065587c25b9566e4ffd4248b2877d3fe3b52523479d7c5
SHA512d40862097969a7ece9a89aa3e82b75619623c44edbfd73fc4a6147bea7b745ced65fb969cc6c9c0eddb39c5b19e130c354bd0cdcd9e835c34289b77e9e1e63d9
-
Filesize
264KB
MD5befe04c16625c02de870c0900f95e942
SHA1d9044a5e08c6a4838bcc3a8b8ae886f55ae34185
SHA256f867fde128dbebe6f441c7442254bf673ed6dbdc5f9f488054087188af894350
SHA5122673dc08ebbad9049281fb457a189d81a66d046226a1e434b9f9f8daaf734862fad31dae53a97ad72d4cdb7b59fe25ee3d7333359addd7813fb2a6107b512b48
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize744B
MD5dc333eeb343659d37b2a112cf146f62a
SHA1982838aea543107b583d2a88e5d8c2b8ed5ece7c
SHA25694b52894956e07feb1dc6ae25fb636f2c92a521e837b7522275a7ff84a469cec
SHA512490598801fb24f894c833c26ce5be0b434d16082df5951a550ae5db78e1fc86e8954442ca1639d150a2155fdadcf6eb8c366c85fc64adc20834cf2b284dfc2a7
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
6B
MD5a9851aa4c3c8af2d1bd8834201b2ba51
SHA1fa95986f7ebfac4aab3b261d3ed0a21b142e91fc
SHA256e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191
SHA51241a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818
-
Filesize
331B
MD5873c068758af3a5998346372b8360088
SHA1ff99bc0a647e65a0bf80f68b749f49bc7476b930
SHA256584d6cf56569033232b9d0b23ab7f376d8f70da3013265adc2fe78989967171f
SHA512a761414782b38e35f3749437c55240b9e464c6fedd8731a56d0b39cbc48199b85d80f3583949bf11d9203eb6acc814ee850b7a72f7121fc87b5e3ea2d4e40607
-
Filesize
248B
MD5aa5c9ef101e0cca61678dcaed524270e
SHA194f9882349038ee458e04301b6ec123b0952860f
SHA256cf77a8227d134ac5fec1aff2b71ab2d8ff3f89b588639ee06904b6578eabf404
SHA51281717f814dbccb17f1dab5c07b48c63a43ab326bd764e7ffef704567a99356bdf66bc47e3a06b3cf9ae9c0d09e872d5d7415fff1282d7ef759278832a8fdfe1f
-
Filesize
5KB
MD5065d2cb00fa55f4f6ad310d5631d47cd
SHA11eef337318d9201732acb9aa06edb8bcbd8e2699
SHA256a511ddf9924ed040e00abd633cd762409e4bdd171453713303de6b1d4511a3b9
SHA5128b024741b3294948d62556e56d2b5724788a46db593baf91ee7ff2c5115f80c19233ec014c0ee090bc65eb291186afcfe75c7f13968c7d398295e4930ef66560
-
Filesize
5KB
MD55c889722e88ba47462b6b2ceded5e6aa
SHA1fdae440d5603ff14dc51d4f4023f01983ab7fd46
SHA2565b6fefc93fcda807a3626ac3b51d02297ed9c151889c22664daa4206b30edb98
SHA5127643bec44f946991df51ffd6a68db9f2b7bd56e8446827544c8132d859eb58d7b67bdf2d86240c689bb463acbac17fac590b989d7d9d13da7710801b89cd882b
-
Filesize
5KB
MD5b2f155b084723a48d48c57a8ae675962
SHA187e8ed0ef5a15dccae8aca9746f805286261cf10
SHA25623bdf693f04c06d6912a2bc72fe413245e4da80c2e8fdd14f49e43adcfe06e07
SHA512f9df223b6a16d5680b2ec31af9c924dddc7f563a7b9eb1bb68577168d9f4e5f0c00d60459fb7adeab051f6f00268b2ba84ca150773bfef3048c18ae136cdd6a6
-
Filesize
5KB
MD54e4cce81f94e132aadf37cd73e284691
SHA10e75aefa207040a4e82d35d155733cae13bc2084
SHA256f109cf5b35854e4c5d0f893324e65cd2c6912ac55494500852a7c4c925423c66
SHA51298d9930f8178e2e1208e1806edbca165e0bae20014be5a0d3d2c9a5969425f825f8fa862460918ae3b6f36f45a84ca32dfddb09e530379832fa3235c708bdbbd
-
Filesize
6KB
MD5f122c41dec365029dd33523255bf524d
SHA12bf7eed7d669f20b1dd2d74d639fd8a88461fadc
SHA25694cc712697c61d286b7b8b5029463e30c052014473a496ef06b7743b8fdb29e3
SHA512a6407705658e435b8d736a06675b19918a0968fdea4b627997fe645a6ac03e3fdadfa3eb244f2f895625b60ce8591b1bd3be0ad0133e3b9a8b944501151db59c
-
Filesize
137B
MD5a62d3a19ae8455b16223d3ead5300936
SHA1c0c3083c7f5f7a6b41f440244a8226f96b300343
SHA256c72428d5b415719c73b6a102e60aaa6ad94bdc9273ca9950e637a91b3106514e
SHA512f3fc16fc45c8559c34ceba61739edd3facbbf25d114fecc57f61ec31072b233245fabae042cf6276e61c76e938e0826a0a17ae95710cfb21c2da13e18edbf99f
-
Filesize
319B
MD5587247b63f9d75803c79017a356b04d8
SHA1c7baaf36cdabc1659adc8e95a7bd499b814fc488
SHA2565617600ac722a8312d199ab8adbbbf293c602842aa0d4d7201f5212ccef10e6b
SHA512519411cbfc37d7f16c91ba775300f82de150081bca5cad8b8e17e46469e6f20a2f74c71e9aa48e3fd476dc93bc964a8bc09e56ca13c5ca7b6738dd54d44deb20
-
Filesize
1KB
MD52b1d28b4ea20489899b59a5877a1f5a7
SHA1bfd046e384ca02e2b1c3be02bb9e9102f48b0d6e
SHA2565facf974db68303d307bb7bf887d5bf63e1d05eb9dd62ff906fe6bb3170ef344
SHA51271567cdd1302dc23527b699fd5f7418e3ad8f13614f321cb5eb83edae02e478e7d46e78d12a5892810dded9d37d0593e4243e994f4d228b064ea40b56baca134
-
Filesize
1KB
MD5030078cbdb0ad59e3bdffc3acf41c7d4
SHA1608b279d669ce0af93440fea8900bc011933dc65
SHA256f39a052a557e607477858c295385fb4f8d00f8c61b50a4335e23a7ae87ecee1b
SHA5124105c664b2152c3b073dd1c6ac5648e56c208b6e1e1d9a131893c4c67c380e05831f806cd469cddc919f714f75d039e9e0159f066f2d6eb9799e5c72af397e5e
-
Filesize
350B
MD5dcc039fd89bb76793d1ddf68bb0c8819
SHA1ada73bb06b514176d081198995f89271ab7a2fba
SHA2560005b883dcf323426bb64adfc58847a3829840749de7ee6988332dbb6974e754
SHA512ac8d52ab831f77f00827c4f567b263af32086c214aa2f7dbbe5d6a4b6264d6a9e36c06486a97ca4046f98727b15ba885c57c2ea0f1849bfc9e1867d52e4517f4
-
Filesize
326B
MD5aac1fafa3f33e71da08c1996c772ef43
SHA1fc16309dfafd335908794efd4689a34899ad1364
SHA2560b52be0dfad616c232aa223b3245d1de9a440260429187640f2d556b57810e82
SHA512e2d1b431101096d18f63febb79ad35db2294f53988086de34e408389e9042178f54b19c06d8b8af5ec322d65d4dee810cef6982b702028c633740d6784fb9ebb
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
44KB
MD52ace002627cb92b6a78590b1a012fc36
SHA10031b694b30f26ab2d0214e7a447f42db1e6682b
SHA256e7037d1ad1d99476f4088b0c0e28210efe44fa3c42e70e237cefd8607f8a1cd9
SHA512583caa2cc03eab6bdbd353cc96d67a6e53651883fdad2a28997998fcdc8d86e6238ba393a3a17d3d046c1d1283dd2ffb8d1885e4b3dc21703e077a7fb01002ad
-
Filesize
319B
MD51cb48bf94748f774cec644bc33df9422
SHA1f748a3364418c1271bc6f94a6c80f423babae145
SHA2569cef860632adcbf0d315237b11e2e329f6187aaeba953d168a3e45129f1175e6
SHA5129cf64dd41a00a1a5c90fca9423bcb23527852b8b1d4fb085a58fc657102f65fa691142bea8c3a188a3d3bd68ff86ba31e22d7c93f3b998b4aa17ce08bb388444
-
Filesize
337B
MD586778ff0d382e6fee86865ca62557146
SHA1ad50aa2813e059a9750f27e77f1fc3481eea6350
SHA256bb8cb5e87bac830c89e7499a8b5fe990e40d51a49709f1d9917db6536b999b86
SHA5127a7f9ce1c69707364fb9525db34944e285ea8eb1533000b1a45913e7c91c22788799022e27ce7c7935e74dbb073827de58a451db13f0606a33fa67dc4d130508
-
Filesize
44KB
MD55f6b18fca62dec47d642874c9cff2dec
SHA14b94aa47d80152570cbfc821fb18ad829d8e1e69
SHA256f4b7495ce0192b45eaf762ca8c2d2d812f6eda08b63101d611a38eaff4091a94
SHA512e1cd4941824b8f099d4b938dfce44ec11b553292a38d8b33e78cad08fb13d311aa3d8f726801d72c7eeed693b435385f8cc868d8f625fbeb6fc14acce765c704
-
Filesize
264KB
MD5f972666ceb58e41c52203552266653b2
SHA1fccdb2f1647fc0bcfffd2bf6559d80b6a3203e9e
SHA256b0a869ca9897de854d0986b8af5587e22f33e37a604d52b2c1f0197a4abe9eb1
SHA5120dde12f6eb7a93bc2a8a39d1a07d2e0a44193ab18d96abde71ee32e3dc3732c584910a639516c99eeb4a2e888a5942d069050a1d8842f8e89aa911a984c90c25
-
Filesize
4.0MB
MD5aa1422eed05fb22f404fc7e69f4d5a38
SHA1f3714e7dd102f4dc781ca3f02556e9f0ae9bc7e4
SHA25605ba6980721ec7a4b39c1d365e3331f5008c545bc21eefe2cf2a0c575d298fa9
SHA5123592b9411e475002af2dc9b094c182365fe0365ef727c139f0a96dcdceb74d3ac3b6a0c9b5ce1b43fbb203ae763d644dbeea3136c22ee96500d5b4a035c61e6e
-
Filesize
20KB
MD5ef9588ca82f853399e5968af99985e74
SHA180d9df4f75c3e789ddf10584d9ff9de2b6154cb0
SHA2569d550015f47a4d5d502f8a2f5b33bd9cbd136f4fea7c64754c8cc5a9651f7fe5
SHA512a77b6b0bcea459ab4fc1e5d0983e85b86a6b0835849345f6afbfb27a5e84d8d1a38ff16e21ecf862e95d0a74e3fe97fda28bea66752b8bd64fd44c8ba680a5c1
-
Filesize
11B
MD5b29bcf9cd0e55f93000b4bb265a9810b
SHA1e662b8c98bd5eced29495dbe2a8f1930e3f714b8
SHA256f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4
SHA512e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011
-
Filesize
11KB
MD56ebf04157104ea59d1eb22f0ba19ef62
SHA184d15ade5a31cf53b265736abbe4285b47b432e3
SHA2568cdeb76c844c919551483380933737a2fdb8c976c9199b614c9ea7e7e54e3b04
SHA512f1d13d921a98ea9bfae5630fa93b8734ef9c68ee8d5a1325ed49e9c91e9226bed64ca318360373221164c0e99a607ff89f115eb1cafa21bcb33e129935a3a034
-
Filesize
11KB
MD57581b1fcaad8d3504a0da50fb09cf956
SHA18646923c74c74d541b9fb2f91876c09b341e40d6
SHA2560fe4ce9893165078989a5289f5d15d28c4536b6532ca6e2dac31cb81fc5b4da8
SHA5129fe67e1277a79cf527a8bccde0f5a6a723b70a9c6f65dd6b178eae760c9377def23188233d5c9230b541eadb7ec08385680582ff4f5de90771c2dcb1fb0d16e6
-
Filesize
11KB
MD56a6ccf7703be3460a8c8a83d244cb1b6
SHA16ca214cf5e4f1aa5bf4461a12c05d52a16ecdf5e
SHA2567b2b3f759b834622d74c653f6e03fa3664862f3a0eae50269f46c5ed575d20d4
SHA512aba8b2c96677d90e2f8d8774ba68cf589e12bcdbc826e44f0f8a6a22a923207d3e39f275d0a548a08efb5be1b96f782e4790d87170939609a3b93ddcdf797eb4
-
Filesize
3B
MD51b0cb513f2ac66101ba793bf6072d1cf
SHA1c54e9c30011b3201d38fb98c3fd76fa8efb065ff
SHA256ee0821d1b8433ed22d0d739b16c0fc1759f0afcb8597f353e4d9a0268dd47e3f
SHA512f498f1c3daba7f6c6103c35dda01fc777a894b650adbabfba1bfc19ce7731dd6eec79af9b0fef626cd1dc1182001cbbcda9156db778935c11fcc19f35bdf553b
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\maevrvll.default-release\activity-stream.discovery_stream.json
Filesize23KB
MD55772fc7be738e700bb5cf6cd58df4693
SHA192c88b42d4f9cfc34afdaae736776fdbea2b9424
SHA2564f4ecdef217439e53ef18d294dec3da3a391c6f0b89e5119dbcf0858a2468789
SHA512141d2b4054c32ad694ad3e5cb8e17f612e898ef5d91f9af1110a753881c525b88c404ab8caf3dbc90e21c102a0ac9b2d2c51d45a1af50b313b79b4bd8d9a7237
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\eaeadb6a-c709-45b9-8388-a47e61d95b73.down_data
Filesize555KB
MD55683c0028832cae4ef93ca39c8ac5029
SHA1248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
-
Filesize
664KB
MD5a31cb807bf0ab4ddbbe2b6bb96ae6cd1
SHA1cf63765b41aee9cd7ae76c04dfbb6151e909b3c9
SHA25637f45e6fc1e531279dcffed70c420df7b073504efe43bbb99a33a9ec24b75a47
SHA5126a83378c7e88fe04dde20685889d76fd7efdf4e02342a952ba2e6ab0fa354e3293560986e5fded00718e4c14417970db0c06e6384277ae1e50021bb4dc87fad3
-
Filesize
136KB
MD5702f9c8fb68fd19514c106e749ec357d
SHA17c141106e4ae8f3a0e5f75d8277ec830fc79eccc
SHA25621ad24a767aeb22d27d356bc8381f103ab620de1a47e374b9f961e44b543a358
SHA5122e7d403c89dacdda623ed1a107bac53aafde089fdd66088d578d6b55bcfe0a4fc7b54733642162bd62d0ca3f1696667a6f0cb4b572d81a6eefd6792d6003c0d9
-
Filesize
1004KB
MD5f51151b2d8d84cddbedbeffebdc6ec6a
SHA1adc9c19aa0663e65997f54835228968e13532198
SHA2567fe4e4924fbbfdf6d772cb9d0a4963d49f6aa18b3c86a2e8df6ca49e22f79884
SHA512802b58617be5e92bfc0c7f8c8d7443128d81908ae99d9a4ce0a785f858dc7832c70dc305f2ad39c9f57db01c05f483f6bf949ad8811fc6fb255c5aee88c729b3
-
Filesize
444KB
MD5c73ee8f61bce89d1edad64d16fedcdd6
SHA1e8fe02e68fd278fd4af501e350d412a5a91b269f
SHA256b1045fc7dce8fcf5612f82f8f97f8d243008e4c6b7389187e6babc554dd1e413
SHA5128a5960e6bf35cf07e555558db13c89bf940c92d206adae0eb6e28404b7e499500a8158d29f3400f0b24ab8cedbacb75a28b0138be2e029b70a5cc66cce7cef25
-
Filesize
200KB
MD57f751738de9ac0f2544b2722f3a19eb0
SHA17187c57cd1bd378ef73ba9ad686a758b892c89dc
SHA256db995f4f55d8654fc1245da0df9d1d9d52b02d75131bc3bce501b141888232fc
SHA5120891c2dedb420e10d8528996bc9202c9f5f96a855997f71b73023448867d7d03abee4a9a7e2e19ebe2811e7d09497bce1ea4e9097fcb810481af10860ff43dfb
-
Filesize
168KB
MD517275206102d1cf6f17346fd73300030
SHA1bbec93f6fb2ae56c705efd6e58d6b3cc68bf1166
SHA256dead0ebd5b5bf5d4b0e68ba975e9a70f98820e85d056b0a6b3775fc4df4da0f6
SHA512ce14a4f95328bb9ce437c5d79084e9d647cb89b66cde86a540b200b1667edc76aa27a36061b6e2ceccecb70b9a011b4bd54040e2a480b8546888ba5cc84a01b3
-
Filesize
108KB
MD5c63f6b6d4498f2ec95de15645c48e086
SHA129f71180feed44f023da9b119ba112f2e23e6a10
SHA25656aca41c62c8d0d1b26db3a01ef6c2da4a6a51fc963eb28411f8f7f029f1bfde
SHA5123a634340d8c66cbc1bef19f701d8bdb034449c28afecce4e8744d18181a20f85a17af3b66c8853cecb8be53f69ae73f85b70e45deac29debab084a25eb3c69dc
-
Filesize
180KB
MD5e9833a54c1a1bfdab3e5189f3f740ff9
SHA1ffb999c781161d9a694a841728995fda5b6da6d3
SHA256ec137f9caebcea735a9386112cf68f78b92b6a5a38008ce6415485f565e5cf85
SHA5120b18932b24c0257c80225c99be70c5125d2207f9b92681fd623870e7a62599a18fa46bcb5f2b4b01889be73aeb084e1b7e00a4968c699c7fdb3c083ef17a49f9
-
Filesize
292KB
MD52ac64cc617d144ae4f37677b5cdbb9b6
SHA113fe83d7489d302de9ccefbf02c7737e7f9442f9
SHA256006464f42a487ab765e1e97cf2d15bfa7db76752946de52ff7e518bc5bbb9a44
SHA512acdb2c9727f53889aa4f1ca519e1991a5d9f08ef161fb6680265804c99487386ca6207d0a22f6c3e02f34eaeb5ded076655ee3f6b4b4e1f5fab5555d73addfd7
-
Filesize
23KB
MD5f70750a86cda23a3ced4a7ecf03feebd
SHA11c2d9d79974338ce21561b916130e696236fbb48
SHA2568038c5177461aef977ac6e526ac0851bf7eff5928972462657176ff6b6d06050
SHA512cfb6b5cdb451b12e7aee6e69ab743b91bec8bd417d4d2384def03010851fef0d7f2a65ff6349c4e62e564b44e742597aeb108e71a962a48020b1988a6c6f1a9a
-
Filesize
8KB
MD53a26818c500fb74f13342f44c5213114
SHA1af1bfc2ca2a1dcbc7037f61f80a949b67a2c9602
SHA256421bbff0c63377b5fd85591530f4c28d0109bc1ff39162a42eb294f0d0e7c6bb
SHA512afa1d62788d24cd6d739ad78cff19e455b776a71904af1400a44e54e56b55b149eca456db9c686c3a0b515d7fd49d96dc77b217ec769e879b0937bedad53de7f
-
Filesize
53KB
MD58644aa200968ce8dfe182f775e1d65c4
SHA1060149f78e374f2983abde607066f2e07e9b0861
SHA25646b59cfae0ea50c722718cdb8c07b3f5d6f02174cc599cd19a157eb6016c6030
SHA51229b4299ae749587c4fc9fd4b9cf3bbe3e9677088b159a40506a2cbd5796808e7432e7af08f0a2eef6c26bacb39b23afa65d0143c72774f38d55dedaef36eba1d
-
Filesize
7KB
MD50a4338fdfb1adaa6592b8f1023ced5cf
SHA1b96bd2067f43e5142e19f9c66e4db7d317d9cd2e
SHA2560b6ac5a720dc9163dea36e565c82da1e375041688e6594de15d97652ab7aca80
SHA512cf8cbb592dc5f09a95892d897680d4ca4f59e74afaeea2701d7258ace84c4c1182e032e7dd76cbd52a77ea08c8d3858e9b5f900691a6d80c728f5e56701382db
-
Filesize
2KB
MD5bff1ff3b5a6dba20ce82214fd626dc2b
SHA1affa7a6f6f1bec42dafe0ca868463eddffcc17e0
SHA256f307033265151affded4af3dbc2527bc16479468af740ea913f84a2a3a557c46
SHA51220dfc62f92fc8ab8c7f757a078103414c4e359b744a603f8b655dcd2340677fa7d5fd2acf3c544a3409d31194df788e764c262ea7c625019276e1d00d3f6de19
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\AlternateServices.bin
Filesize8KB
MD549e17556e0ea0213d7d422a6df8e9217
SHA180119054edccf63a71435ebb461b1d706374996f
SHA2560d717b261385b515685864ca33d195a1c2d902edefa2d8606341530d4f08615d
SHA5126079902029e587bcb2850f9be29052dc0d39a672b759200fc67c2cd3e723675805c190d62db86f593266daa1bd8747255bd05243ab263883f9ac2b28893ee1c1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD52225f252d27fa4f42c434ce565520f39
SHA1a86cbd84ecef1a080fff48975203c543ac515f98
SHA2562eadde426bcb102a36ffd334f34ee8901046ad7d485c1df8d6ca856e66599dc9
SHA51245059ff350a47d39822e18d5a3cb15dd07576a2d64ea8601cab48ab513dd115a0973bcd6910095c3297b0b2165075a59d1f213649918730bbf1ad049ad44ceb8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD56d40cf6ea221714c61f7a25861007140
SHA19501c046b521892f565970e6193371a246cc6e3b
SHA256b9f755a217d6c7e34d821d13c2eff0f97f3640ceddc641bb6e6fa3185edde56b
SHA512ad0d526b102ff6c9201040d53dbea58a76f83b006f427931e6738842394255eb48810ff3fb74fe0e8ee0898195701558a196f6386d2657df15e980fb295f55c1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5e5d84cc3a23e1118ede0e4a3dba78b95
SHA128b53e1c3afda286e0a24a160f78c9319a85097f
SHA2560a20716bc0956652c6f82a85dd8c90df7faf0caa6585027d30536eda85371b28
SHA512d6275dea3232c4c6a39e562f4551bfb6f2e10b99e326885e7540e64228445aae51be0c1e7570339593bd80ab81c905b6ba80fa1beeec96d82bfbbc07b524849f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\pending_pings\32999a5c-c010-4b75-9a26-a13c72a48347
Filesize24KB
MD5d02439f765384ccb9110280c9f8f0e1e
SHA1d90bbc2c77f6221e61e1b4d0e1f6259096927971
SHA2561f5022ba0b9d3cb3a15779e83366565884e664fdb4294e9126e040e31bdd6389
SHA5127a0235adbac132fd9e021b677aa0ce345f8ae791e5448c9c3865027fcd26e71faafbe36daef59636e9441996da4694fd64b3daeacf4dae484e90dfcb9e22b38b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\pending_pings\aac1501f-7b09-4d89-96c9-e92b71a1c50d
Filesize982B
MD5c81ad3ea9b203b600a7a8e17e6bd7c79
SHA1880124398bc6a01cade7374f69ab2e32ac3bd344
SHA256cb694e3e54eb53a65ac47a5e3c507facfa4c1fde5368e04396cd03ed627ed1e1
SHA512d65c4471024743837477aec776b9d15818cef07f904aa61c5c8dce86e55d0462d39925ed0e941c09ecd540cdcaf8b7b29527ac7ad5d46e02666c31158bd41bce
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\pending_pings\cbc2ad1c-05f1-4900-b86d-cd4a8f255649
Filesize671B
MD5b18aaf541f86a2e0496a8f2490a03f7e
SHA14271c34d44290396990a782b8c82388441387bfc
SHA256692884c263e1d45631a5c2987c178002c948a993a8115b275a443f09c6db3629
SHA5129f5b6281eb7f0e39063bde12ee88c2c0b7d2f4786d30631765125e7e25c096c2d3cc885910a6a59e813fe266c9fee1cc2a5c7dc845e6f18194f4e0694e8a6b22
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD5e64ef4186752e14dc057872e146658c5
SHA10a093e2825ba1e739f7b559aaf6190cb6d89c2c7
SHA25673ff905ed1010cba941b9106a9683a4550fac2ef26eb09423329f5951b6138c5
SHA512c438e141f1b0a75273c390cf19153a1ba65b4e62ce8015df1388ad46dc0b1271ed8a6872b247feb79cd10923dc57157efb7ee34750b2bf259c00d3db02397ccf
-
Filesize
11KB
MD52b241baa0559f47a4e19632309c65490
SHA1cfad4aa374997c1cfc0eae04b58261512bb0fb39
SHA256cb484a6072111cbe15ff38553dfb1bfc3ee0ea764ba3f3fe4cfdcee311508e61
SHA5121e9eaf09a65158637d0465e7a399c66d3e2cc6c27ca075105f80d58515d192cd1efc36afcb5161d2f81a8239d0eb53a3b79896b154787ec8d2ca3ff512b782a4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\sessionCheckpoints.json.tmp
Filesize259B
MD5e6c20f53d6714067f2b49d0e9ba8030e
SHA1f516dc1084cdd8302b3e7f7167b905e603b6f04f
SHA25650a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092
SHA512462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf
-
Filesize
272KB
MD5bba27986798d796855f76ee6b70ecdd8
SHA135a77cd3a9d28e8e6bbcd6ce44e1c3629baf3ef3
SHA25681a5ce82335a62ee58499b2f944c77513bfe2481eb42b72483cc1351018719ee
SHA51269880f263e96212a9607dd39e24c740fb400530024ba47c711c9331447647a8c07a304afddc7cf9019edc6578248439742adfc901fa1846f191d0ddcbdee2aad