Analysis
max time kernel: 269s
max time network: 282s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2024, 22:30
Static task: static1
Behavioral task: behavioral1
  Sample: Stix Free Utility V1.bat
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: Stix Free Utility V1.bat
  Resource: win10v2004-20241007-en
General
Target: Stix Free Utility V1.bat
Size: 131KB
MD5: d462b3ca2cd9939e1fb3c07eeb274908
SHA1: 47647a8243481ecb25906b14b332a8cb49c83b8f
SHA256: f00fd97e7fd408ae62cf810d15765743072f43ab8d2a09a1f098626fa4a044c2
SHA512: aeb879aedbb051af4c614d9cccd6dd646dc05d817af7a73a5969b35f1eb0671dc44c8df60fdcc9776bd6c91a5a20f09834f6c32d53f18078f6423089a95553d1
SSDEEP: 768:aaX9bjzKBWQq+jAcTtGiZQVr6r6Pk6PUXfCV1nFLPqoCR0CQxwyUh1ZIA:aa9zzQHdCbF6uxwt
Malware Config
Signatures
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Downloads MZ/PE file
Executes dropped EXE (3 IoCs)
pid | Process
6252 | winrar-x64-701.exe
7096 | winrar-x64-701(1).exe
5748 | winrar-x64-710b1.exe
Command and Scripting Interpreter: PowerShell
pid | Process
3012 | powershell.exe
Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTPs, 3 IoCs)
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description | ioc | Process
File created | C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\winrar-x64-701(1).exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\winrar-x64-710b1.exe:Zone.Identifier | firefox.exe

Checks processor information in registry (2 TTPs, 14 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process | count
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe | 2
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe | 2
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe | 2
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe | 2
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe | 3
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe | 3

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe

Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | firefox.exe

NTFS ADS (3 IoCs)
description | ioc | Process
File created | C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\winrar-x64-701(1).exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\winrar-x64-710b1.exe:Zone.Identifier | firefox.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process | count
3012 | powershell.exe | 2
908 | chrome.exe | 2

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
pid | Process | count
908 | chrome.exe | 4

Suspicious use of AdjustPrivilegeToken (64 IoCs; distinct rows shown, the chrome.exe and firefox.exe rows recur throughout the list)
description | pid | Process
Token: 33 | 1136 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1136 | AUDIODG.EXE
Token: SeDebugPrivilege | 3012 | powershell.exe
Token: SeBackupPrivilege | 4840 | vssvc.exe
Token: SeRestorePrivilege | 4840 | vssvc.exe
Token: SeAuditPrivilege | 4840 | vssvc.exe
Token: SeShutdownPrivilege | 908 | chrome.exe
Token: SeCreatePagefilePrivilege | 908 | chrome.exe
Token: SeDebugPrivilege | 2616 | firefox.exe

Suspicious use of FindShellTrayWindow (64 IoCs; distinct rows shown, both recur throughout the list)
pid | Process
908 | chrome.exe
2616 | firefox.exe

Suspicious use of SendNotifyMessage (64 IoCs; distinct rows shown, both recur throughout the list)
pid | Process
908 | chrome.exe
2616 | firefox.exe

Suspicious use of SetWindowsHookEx (22 IoCs)
pid | Process | count
2616 | firefox.exe | 13
6252 | winrar-x64-701.exe | 3
7096 | winrar-x64-701(1).exe | 3
5748 | winrar-x64-710b1.exe | 3

Suspicious use of WriteProcessMemory (64 IoCs; distinct rows shown, each recurs in the list)
description | pid | Process | procid_target
PID 5112 wrote to memory of 1716 | 5112 | cmd.exe | 85
PID 5112 wrote to memory of 1436 | 5112 | cmd.exe | 86
PID 5112 wrote to memory of 2324 | 5112 | cmd.exe | 89
PID 5112 wrote to memory of 4320 | 5112 | cmd.exe | 91
PID 5112 wrote to memory of 996 | 5112 | cmd.exe | 92
PID 5112 wrote to memory of 3012 | 5112 | cmd.exe | 94
PID 908 wrote to memory of 4176 | 908 | chrome.exe | 103
PID 5092 wrote to memory of 2616 | 5092 | firefox.exe | 106
PID 2400 wrote to memory of 2824 | 2400 | firefox.exe | 108
PID 2616 wrote to memory of 1032 | 2616 | firefox.exe | 109

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(tree order; children are indented under their parent)

C:\Windows\system32\cmd.exe  PID:5112
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Stix Free Utility V1.bat"
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\chcp.com  PID:1716
    command line: chcp 65001
  C:\Windows\system32\fltMC.exe  PID:1436
    command line: fltmc
  C:\Windows\system32\cscript.exe  PID:2324
    command line: cscript //nologo "C:\temp\popup.vbs"
  C:\Windows\system32\reg.exe  PID:4320
    command line: Reg.exe ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f
    - UAC bypass
  C:\Windows\system32\reg.exe  PID:996
    command line: Reg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:3012
    command line: powershell -Command "Checkpoint-Computer -Description 'Stix Free Utility Restore Point' -RestorePointType 'MODIFY_SETTINGS'"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\AUDIODG.EXE  PID:1136
  command line: C:\Windows\system32\AUDIODG.EXE 0x344 0x308
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe  PID:4840
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files\Google\Chrome\Application\chrome.exe  PID:908
  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Google\Chrome\Application\chrome.exe  PID:4176
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc0486cc40,0x7ffc0486cc4c,0x7ffc0486cc58
  C:\Program Files\Google\Chrome\Application\chrome.exe  PID:2516
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1788,i,10789433011000472215,515190596778643150,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1784 /prefetch:2
  C:\Program Files\Google\Chrome\Application\chrome.exe  PID:4352
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2032,i,10789433011000472215,515190596778643150,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2128 /prefetch:3
  C:\Program Files\Google\Chrome\Application\chrome.exe  PID:4396
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2296,i,10789433011000472215,515190596778643150,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2104 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe  PID:3972
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3200,i,10789433011000472215,515190596778643150,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3236 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe  PID:996
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,10789433011000472215,515190596778643150,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3244 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe  PID:3944
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4536,i,10789433011000472215,515190596778643150,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4584 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe  PID:4940
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4444,i,10789433011000472215,515190596778643150,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3752 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe  PID:1228
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3748,i,10789433011000472215,515190596778643150,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3712 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe  PID:6748
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4488,i,10789433011000472215,515190596778643150,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1800 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe  PID:5092
  command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Mozilla Firefox\firefox.exe  PID:2616
    command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\firefox.exe  PID:1032
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d001019f-2233-4f32-81f3-b880a2beb42c} 2616 "\\.\pipe\gecko-crash-server-pipe.2616" gpu
    C:\Program Files\Mozilla Firefox\firefox.exe  PID:876
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2444 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08dfba3f-6701-447b-954a-08ecafa0f838} 2616 "\\.\pipe\gecko-crash-server-pipe.2616" socket
    C:\Program Files\Mozilla Firefox\firefox.exe  PID:5140
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3280 -childID 1 -isForBrowser -prefsHandle 2848 -prefMapHandle 3164 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8ed81f6-2332-4ee2-bbc8-a9f480191d48} 2616 "\\.\pipe\gecko-crash-server-pipe.2616" tab
    C:\Program Files\Mozilla Firefox\firefox.exe  PID:5568
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4384 -childID 2 -isForBrowser -prefsHandle 4376 -prefMapHandle 4372 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2dd5426f-b7d4-4f57-9960-e970b5941c33} 2616 "\\.\pipe\gecko-crash-server-pipe.2616" tab
    C:\Program Files\Mozilla Firefox\firefox.exe  PID:6444
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5056 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5048 -prefMapHandle 5044 -prefsLen 29278 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0311871-d62d-4c01-a159-61bf8fa68352} 2616 "\\.\pipe\gecko-crash-server-pipe.2616" utility
      - Checks processor information in registry
    C:\Program Files\Mozilla Firefox\firefox.exe  PID:6460
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5076 -childID 3 -isForBrowser -prefsHandle 5068 -prefMapHandle 5064 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90245b23-0f3e-4359-ba18-645f3413a52e} 2616 "\\.\pipe\gecko-crash-server-pipe.2616" tab
    C:\Program Files\Mozilla Firefox\firefox.exe  PID:6476
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5232 -childID 4 -isForBrowser -prefsHandle 5088 -prefMapHandle 5084 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {848fddc9-7129-4894-908d-98ba8bd7ca85} 2616 "\\.\pipe\gecko-crash-server-pipe.2616" tab
    C:\Program Files\Mozilla Firefox\firefox.exe  PID:5972
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5772 -childID 5 -isForBrowser -prefsHandle 5748 -prefMapHandle 5788 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9db7d41f-7d48-4567-9d50-cae7448f7e6b} 2616 "\\.\pipe\gecko-crash-server-pipe.2616" tab
    C:\Program Files\Mozilla Firefox\firefox.exe  PID:6168
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1664 -childID 6 -isForBrowser -prefsHandle 5596 -prefMapHandle 5724 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fef590c8-ee72-4dfb-b491-3dc29b0ccf0f} 2616 "\\.\pipe\gecko-crash-server-pipe.2616" tab
    C:\Program Files\Mozilla Firefox\firefox.exe  PID:6836
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3936 -childID 7 -isForBrowser -prefsHandle 5708 -prefMapHandle 4960 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72ef3e1e-54ad-40e3-bcea-590111ef5fc3} 2616 "\\.\pipe\gecko-crash-server-pipe.2616" tab
    C:\Users\Admin\Downloads\winrar-x64-701.exe  PID:6252
      command line: "C:\Users\Admin\Downloads\winrar-x64-701.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Downloads\winrar-x64-701(1).exe  PID:7096
      command line: "C:\Users\Admin\Downloads\winrar-x64-701(1).exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\Program Files\Mozilla Firefox\firefox.exe  PID:2564
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7172 -childID 8 -isForBrowser -prefsHandle 7200 -prefMapHandle 7196 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad759111-6015-4ad2-b05d-fb499f1e213c} 2616 "\\.\pipe\gecko-crash-server-pipe.2616" tab
    C:\Program Files\Mozilla Firefox\firefox.exe  PID:4228
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7360 -childID 9 -isForBrowser -prefsHandle 7216 -prefMapHandle 6136 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45e9f9d7-c478-4461-93cb-10b70c9ab84a} 2616 "\\.\pipe\gecko-crash-server-pipe.2616" tab
    C:\Users\Admin\Downloads\winrar-x64-710b1.exe  PID:5748
      command line: "C:\Users\Admin\Downloads\winrar-x64-710b1.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

C:\Program Files\Mozilla Firefox\firefox.exe  PID:2400
  command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Mozilla Firefox\firefox.exe  PID:2824
    command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Checks processor information in registry

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe  PID:2576
  command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Windows\system32\werfault.exe  PID:6980
  command line: werfault.exe /h /shared Global\cf4094bf95174d94951d1953b87f9476 /t 3400 /p 6252
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Modify Registry (1)
- Subvert Trust Controls (1): SIP and Trust Provider Hijacking (1)
Downloads

Filesize: 192B
MD5: e8291148cdfffbabb42b96a3955b41bf
SHA1: 6a42ba47da37e6446f34da8a64cc6f4f17e9ca3e
SHA256: bd45df8511b82f4ce0d9cade96ed07c55af2b6f5c7f23b9f2f452b65afeab78f
SHA512: 7eacbeb030f9d155157ac57d308eca914c80bbe6dcac8911e7b36e344a33b9c3006f5ec3e9171a249728a5897391f792406b4baf36ed46b83fe75b9829387026

Filesize: 9KB
MD5: 86e9f7dddfb6ed61619f705c6cf965ef
SHA1: 1500b56a8ca950e56ba4612388e74cdf74f94837
SHA256: 5858c93b38f7f710c4adffb0df367cbce70543f404726aceaf79d90f462daa23
SHA512: d3c81c8bca2716b86d88de743cc0006ef4afa47556e8dd63cd43c99f06a4c9c0ca49b7993e1e2ec3007447372f9cbe1c01124a26b5db40b1a2fd2da98c43a53c

Filesize: 9KB
MD5: 36792b98c489c31d0220f1090bcae0ec
SHA1: 3113d11694c67574c73a9e8c1a8d5fde8b3ed637
SHA256: 03dabcd21a79fe8c49b3863671816050290398512dd2d0995018d4aa61302501
SHA512: fecaf1858492b142a2f25faf0fd9eb8b9ebf80465f8603db55e89aeae570e91fd14fbbbebe1b3711f6edf8f0005afd91efeb5fd48df6e0f05c5fe019cac879ba

Filesize: 9KB
MD5: 9e7e5edf1b1d2b5aff1175f14203809c
SHA1: 3da0408331725bec1302032399a0049f82f5611f
SHA256: abc29f1c896460aacdba79a002bdf7bdbf3965e992dca1547d4472f1c36a3940
SHA512: 545e7c650a7787e104fb346e76ebb2939c7cfc7f933c3c3fe7b35729802354cd23e0a341278e5ed325bf3c28bae3b2f8d6afb8edfa6168a4e87712edccd8ea81

Filesize: 116KB
MD5: c402a7078117b7c84f08b729c0401f42
SHA1: 29c53fab838645399e472815e4c3c28dd6e5199d
SHA256: 2203cf8e069f496acd439ae28f8a323885899d561b54ab6c7a21b241a4b30d98
SHA512: 8db9ddce48b9efdbe9497ae072be4972bef1df0b04577cb391da774d67c89742749509c5676118c7613cb7d349411e50645ccb1d6e9b4fbaf96c0d8282915c95

Filesize: 116KB
MD5: 3b18d83375d8e6e1a70a88a0120c2c28
SHA1: 7c94ef93e2c69a9ba9f3a351f1273c4c62a4aa34
SHA256: b48b9b15d14155947f96928c2fcffe5988682395565b74ad1ab41c41e0bc859f
SHA512: f9e5fce2d1d6b803fc9b5e301c1387893afd297ac3f23db079893cc1d83ff5bd85f6d7ea49ccbcf43a52e7b4aa6b41d75a2b85baf5a1f243badc88b353ace5d4

Filesize: 264KB
MD5: a773655eefb7acfc239a1d904dc9f444
SHA1: 2797d95fcbff094df59eb7aef729eff2c1db2539
SHA256: 0b4071f0a515ca27a5b8b65273e49ae00619ed5a421f7b2667dea272b88879bf
SHA512: 85b185282a66254b722bfedf3a8f1bf28f54d2e73a6745aaddb97f60207c4a930e9b41831c396bf3bb68fe319b5c7358ccf987fff8a949a834e496c0100a3d5d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\activity-stream.discovery_stream.json.tmp
Filesize: 19KB
MD5: 90ad8548967e2f3779a6506b174b8d3f
SHA1: 15e86c178590733518cf07b7783fab6da1c0d565
SHA256: 7c01f4a2aa9cad3078b74449b241a3660acd0c515458b850729b416cdac268f9
SHA512: 9396163edd9a4d587ea3ca713b0a1ca4ea1ed0b89da2b47b35126fba4de9d42e63a1ddeadbdb96a813074affcff336545b047cd4bb8b68709e9f3ba81c4aa617

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\cache2\entries\49829F218B1B7DDF88CD36607FD0B8F5540550E0
Filesize: 165KB
MD5: 85d03dfe7933b8426cace839299d819e
SHA1: 24e64170e5728737c130ea93da13cb28e86105ed
SHA256: 2969315adc1357a511e3c1d1c4151fedd2cb4dbbadd10a715f1d943e93ce56aa
SHA512: 6b411fc400fb5fd09e8a2af22fc011246845edf9c50d4bc7aad9792dd7d7cd8818fa20196e7e580ba32961d982ebe49ec9f3538a766c252e36da62be6454b8d0

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\startupCache\webext.sc.lz4
Filesize: 107KB
MD5: 6315aabb6c0dba0b90b68871f230232f
SHA1: af8a457452cfc5262b771a3c47b64d8e66286197
SHA256: 81e360a9bc4dcb8b027698bed7cbc6680315ab0dc33328e5e16312fcc8a311e7
SHA512: 8451ef00b142ae6a6aea4504831e3570015acb84df1e9753c1a094789b9fe60b0960334fd81743c923b4c6991b6b2767adae4e0285f1f941188c8deacd0ba32c

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 479KB
MD5: 09372174e83dbbf696ee732fd2e875bb
SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Filesize: 13.8MB
MD5: 0a8747a2ac9ac08ae9508f36c6d75692
SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize: 13KB
MD5: 20392de290d2940819806f31c5e3d360
SHA1: dace5be1b873ecc691992644cda1cdc6026c6bc7
SHA256: 9dfade36fbcef796bbc03d7dbc77c318884fb8cd54d73e2727e833aae0efbd2b
SHA512: a4847313b35565ea3df6801d21e75a8c5c5829396c01bcc754282af7bbd97a2ae22ef30fe9a67c63c0665b5f01b70d0a3d974552d6fbad5beead48f4628b6c9e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize: 18KB
MD5: 3f3408f42f8dc4f66c0c8d4a92d17ce1
SHA1: b29a8ff9876d1cca4d014b1bababc2043b0605ae
SHA256: c89b69bb8e0ae39aecd273eb080ba5b92dbf1805593420deb72255c40e41eb33
SHA512: fb8e553f80393c00736d209ef3d9ab98c417b3b35da505b93b59a1076b7d3a66609d80f95558813bccd3f5cc6f91fa2faa5cedc3fd5aadb39528efe897238614

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\AlternateServices.bin
Filesize: 6KB
MD5: 373735a8cbb3ce9f16d3600338c393d3
SHA1: 600c0b00743e150c35e74ca9bc0137f16c452e18
SHA256: 3f4f399578c16faca1404d1b9d04a972ce5feefd1dcdc3b5d764288bca62ad0f
SHA512: 4937658a8c2bdb9ecfb4cc8f20f5c65f760114bd515512d555f61c6461ce0ff1d97c49251007a2e47d083f52b0691829b3057927acb8ce9af413d7facc1cf806

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\AlternateServices.bin
Filesize: 6KB
MD5: 9391bdfcbc78003392d2d1fb50664aa7
SHA1: 210d5906d4c907b063a54f56768210cab28a9877
SHA256: e83e659589d93a0018f5b92f532fec3e8187d95a888e341cc78310b565b00f82
SHA512: f1d581826e6fce2a8970889cf617ba63e4630f34088c91d1e0b8074e3211e28741363817af718390e307979e568392e5ea2ebe951b59c972f2eb3b2b6496e839

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\AlternateServices.bin
Filesize: 12KB
MD5: 5e7cc1f3da598255ecb57c5a5743cab9
SHA1: 6e24a9974024eb5b40ae741d5dff17ab8bf913d9
SHA256: 3a678597aafb748c1270b54869fd3f6fbf91535a704aee9866a4c058f84e6ce4
SHA512: 31e7a4eaaa877fa719a888a7b7cf648829374197b49d3b13987216f1771352102da62336cdeb93a5b7c14322333cdb4a1dcd38228d48be123f690c70644de86b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD55366b08f51a585c18a48482d1d8a3601
SHA1218fda5f41ae4b2829847a0cd3885423ba7aae28
SHA2562c4fbcb6cc1a5292f8568df838827df9763472ca0321e1059c66f3058c295dcf
SHA512c64737bb3d57c5b29b01a62550a97b33185fbd07e112513a99809ccd15fd919330d4e7dfc8dfd07bb97be23142917f2694c030bbca5c655ba11b4b261719377e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD525762617124247a81aa936453dff0567
SHA1b21a45ec39480a3f4d80076aefe1c7b20a197d99
SHA256650d26a323e4d93f84714f6529f16b62439792ff9193163c76f9e7e358ae100b
SHA512982f1f34ec74bf3ee8194429e47418bdaf17ca813c7b3574c94994415ea35c3f312e4971d8d019e0580c9b7a2a53531665845446d199fce231fc8c3bb0c6c03f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD52c521d9b07050c8d79550c2a70083aed
SHA1f80d389d46e3c5a272bb8c7bf19fa819f365a467
SHA2568d12c1f17035f220ed42f0fbebf363eb45c5c585f180ba9da89f7c16d37c934c
SHA5123a392179c47e7f69a6d634d39274851526b78cff75597f60c8fdc02ad30dec510357ee79963d4db4d836add8786854d03eb5b81ab2c1f022d93caaab66904970
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD5c0e8e2e09df0bced67b6253200a77834
SHA1b5f676e4bfeac6424d36a086980402c3ce17e620
SHA256e4c21a1c6d309b7202e20f1f4dadf33f20c5346b729dedbeaef8c7a9256660f7
SHA5124932a48ca4f071c862e392226f7ecf73fc74611dbc240c003dce23169632616e222ab4c7176cd094d1d460894c47b876101efdc68bf51180abbf5e94bd5870d0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\79e8d4c2-b5a7-4a54-9dd7-623caabb9357
Filesize982B
MD53b31eb32533367bcf9a560e980d22820
SHA1150fc3b600dffd41620af39b9da606bd7e888a53
SHA256a72c2620142bcf08ea49c014b13fba0e389b2720b6a9b4b1ad774d4806c11a84
SHA512f920ffe5ae6ae945b0134465c0ae416eace42669a07e6dfad400f9683e0406195934d73884ebdb05634c4734126f5183c5eacb41e3c10174793852c10071b6e6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\c953f711-22f5-4af7-aa2e-bcc0bae30eca
Filesize671B
MD51bd4ae70f7f105a3712750e8cc52f1bb
SHA1089b8967606aeaf54793cefdbd14e3deee87c45b
SHA256f50440caf3013ccab296ae793b6abfa83ed1cd75f4e1a4247e270a76080acecb
SHA5124033653cec51f0edff8b92b3c3b8efefed3005dcb572ad7fcef0e35cd7e4e659980139b8dc61cfb69025f63da3a181f2a871dfbc59176dbd26504308bb41521d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\ee129de0-36b5-4bd3-97c4-f87fa2f9d2e5
Filesize27KB
MD55091c89a705f2b86ed29c3ea7f4de355
SHA18584630226edeee04fcc642e96eb0daf6f7a5180
SHA256ace8b6f435a481e47e72881817ef7d9ff771a49c01918196dbfa37dde6e4296d
SHA51289f9e8df572d8d80907edaed55a9bf382a6983d77d7800c97c4cb9871deacfa46ed7b3388a36aad5ce639617fc4ee1aaf75faea77b98988e5d87b93a26572a38
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD50bd7592e0c6e28542ade3ffc063509a2
SHA1c3afeb16a99063e5efb1085d2d83df739008ef6f
SHA2566bc0b736a5c8124c978100850c7c5a1612c5ac95723c9632e1fac30c40b3ee6e
SHA512da8e76e5b0c13d03f828cbcc7db7c23e268464459315881729437ffdf49e6e9f1139d8802215b1ae5bb8461b2ca670f91b9c26e5fc5fa8c776b363d2a00dfc3b
-
Filesize
10KB
MD53c25835236866b13500bc16f3e74f85b
SHA1a07e31e7b7298fe9d7ba2a3ef52693e7cec3b7dc
SHA2560f1c470e148010a5149dd7952146beb636254489ddf35404efe1173a3a7b1699
SHA512e1e04310bfe935b5c320dcd32312b0128c8d1c03edb6d3296b387fa172336614b935361d5531de7d4faac2374d69a6bd30bbb163324db7a257e0ff6d8234c563
-
Filesize
10KB
MD5449a752ecfdc2009fd92e9348847fdec
SHA161952d2d0895c4acb0125b7720de00f0a2f090f2
SHA256515cdae2fd0f7a7383cc240b08fb59166ebd074f4fcb9ac3565125f8d5b5b587
SHA51256ddb59f8757ae347dc46fbf04e4adfa931fa2f1cdc456191f53223d636c159b1038dc663753c6d958f2af7a9c515c570ee3561653492fd27c8904bd67b51fa4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
MD5cfebc229d03ce5a600a5ad09a807cbb2
SHA19967325df8c12869f907344f1f38289a48dd9699
SHA256d1252a82005eca6ad399168ff131cca5c7425d0a948c217f7d142558e0062328
SHA5128693f19cc6c25c06022febda0bcb476fc23c78be1972defd367cf75da852208cc91f36526553eda4b9638d7e373de25bd224a04384e0355100651ad5f181c743
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
MD5b060e2ef5c83cfa00958539461386e92
SHA1eb23d3acc81e39178eb9694413cb3e44c4965d02
SHA2566bb15a996ac8917fd8b97c400c1b7401920b03d7f1628690981942e1b5448976
SHA5127668834d69beef50f7d362c27781f613b5ffcf177d654d2341cfeec2fd82289dcfa7c07cfaa3459b6221907cdad9bf2d0cf3ab4abc26741d011112e66a98801a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\sessionstore-backups\recovery.baklz4
Filesize3KB
MD5a9daec4a7ab98dcbf5a3116cb70c4225
SHA1652da81fad1f63796c09182e946ad632fc704ef7
SHA2561d548504247c546d24275409114c06dd34eecdbced84360a57729288722b6d49
SHA51222e31571e82d118b5b980211e09d58db293b11a8261451b2bb2878a9201d3b702428e2430034b594c15bfb7f697bd6f2cdb808c48704f5ae3cb0b7b2007115fb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\sessionstore-backups\recovery.baklz4
Filesize5KB
MD5d86bdcb7dd97865191564a558ff813e4
SHA14d593b0a149739dce2cfa54ab9334fe014271251
SHA256cc1bf68cd85c9e23a020604162a778a385ec055edc1a902ba6b8d2db25daa07c
SHA512b2aaa085f34513a30fbbce4c9e49e45067909ca001cfbcd65373f890005121f83099450cde06723f0b95d49970780bd386170c6e8249b66fb67a086234191cd0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\sessionstore-backups\recovery.baklz4
Filesize4KB
MD53e02c2c69a3c751db86bed25db5e8704
SHA1ed65cddadb2621059ac86c431cb0eebc2cb2da1d
SHA256d0fc123a4a2f31a05b3db772f321aa02f6ff092a87455a9bff46fce720cba650
SHA5129001cae1ffc862e73db7ecfeab694d266477f38cb4be90a937db77ce7b83f3da7b9a722f7eb6459f998c8b18254d766f42f5816b0a5dfebd55c3b3f08f179367
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\sessionstore-backups\recovery.baklz4
Filesize4KB
MD52744a373c77b2da736e27a85520c7ee1
SHA1a7812b6821f4319779e89aeae1053e335c3d7c3f
SHA256dd0cbecd2974da2025a08ba4a7c0168e8c04fcfe004bc3e325ece9de36bc3c18
SHA5120c7dd4c0d24c16a5a00925897f4281f5fe2bf7fcb2a098ca6b6e54c0788ac06c2a7d42168517d5adb11f865e0d07fd2c6af6e098ab4efa08eef5f0f380a4d54b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\sessionstore-backups\recovery.baklz4
Filesize4KB
MD5f3ea7074a2e86d53c92af270210bfeb9
SHA11aca6344352db5f563beb647db23efad52da34d4
SHA25613b564a9fe0f63c677883bca42f32246770e20dd361e6468afb073daac1877da
SHA51200ec62054387cf2d39e25aa2c19de5406a00e5feaeff7630a38ed422f76fe886332171deea54bd8ba80c98789c3abe44fdc904540d456742a52cb3b4873d3898
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\sessionstore-backups\recovery.baklz4
Filesize4KB
MD5dd6dadd16551b228f17d10246ef63f41
SHA14591ea9440cceb76c9d981a526270aa0c1416b8b
SHA2567eca9b9148ef5554cfe8aa532151abe88fd2ea9de17b64d940495fe0d79261b7
SHA51276b13b75375ae86b5a8745f4a6d6fce52e2451a0a761346fa0a05fd330cba2380f70dc848e8bbacc0813903c031dccf0c79f6b3401b65f7413d00e3d6f620ead
-
Filesize
167B
MD5b4397fd9120f8b57b58e8fb76b10c2df
SHA1591f19a1cd61d56f0448148cdb276b15aeaa0ba8
SHA256f21d922c177d3ed923db12c9fd6e0cd83f7f4ffa9447653afd60d5c203bd82e0
SHA5121fded971f2ff01ec4ff6a21a78736b4148503d50b23aca6d147cf5f6e43ab63cf3ec1c5e496d2feec3b1809ceabc2379ad779a3aca9104d58bc5964af797bcce
-
Filesize
3.8MB
MD546c17c999744470b689331f41eab7df1
SHA1b8a63127df6a87d333061c622220d6d70ed80f7c
SHA256c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a
SHA5124b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6
-
Filesize
3.6MB
MD5f44faefccade073a278594fe03a23b37
SHA1b853306db8e7f6569b27d1323c366fbc3ac06c43
SHA256e1f40f00f7a9d1b1f32a4359ee76a2815c2f2083c05db833ad4a54b0526a0682
SHA512635c9341c92019c890ab920c91699a8fdf0e627293885592b8f514ddb4a70b817ec4a2543b0109843855aeb4719983dce267c13c5c410643531851d7ad7c60cc