Analysis
max time kernel: 406s
max time network: 469s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 08-11-2024 23:43
Static task: static1
General
Target: GbzzvH9bwAI8gEC.jpg
Size: 50KB
MD5: 0a377a3b32363c1590c9462b3c02cf68
SHA1: d40852727460f977e31cf2ce530fec79a8137cee
SHA256: f0640d8f08579e40d072e5bc685136ac37a3b2cbca120314480a40fd3ecb16c8
SHA512: 409b2cef08253c59ce7f3c89d841e8df15f1919190f6faf40db42aca250518049ff321326e6c816cf2fc869941f056d7cb293bbeb03ea1949a5813770fb50a33
SSDEEP: 1536:+lp7qIJp1xMxxD6PGWNwvFr1MHeIJ2f17:wR9ExMJuvF++IJ2fp
Malware Config
Signatures
-
Possible privilege escalation attempt 2 IoCs
Processes:
pid | process
3712 | takeown.exe
3092 | icacls.exe
-
Modifies file permissions 1 TTPs 2 IoCs
Processes:
pid | process
3712 | takeown.exe
3092 | icacls.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings | firefox.exe
-
NTFS ADS 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 606051.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\delete.bat:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 194848.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\death.bat:Zone.Identifier | msedge.exe
-
Opens file in notepad (likely ransom note) 2 IoCs
Processes:
pid | process
4928 | NOTEPAD.EXE
4492 | NOTEPAD.EXE
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
pid | process (entry count)
4184 | msedge.exe (2)
1400 | msedge.exe (2)
5320 | msedge.exe (2)
1420 | identity_helper.exe (2)
6024 | msedge.exe (2)
5384 | msedge.exe (4)
5372 | msedge.exe (2)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
Processes:
pid | process (entry count)
4184 | msedge.exe (12)
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description | pid | process (entry count)
Token: SeDebugPrivilege | 4384 | firefox.exe (5)
Token: SeTakeOwnershipPrivilege | 3712 | takeown.exe (1)
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid | process
4384 | firefox.exe (entry repeated in the original; 64 entries in total across both rows)
4184 | msedge.exe (entry repeated in the original)
-
Suspicious use of SendNotifyMessage 12 IoCs
Processes:
pid | process (entry count)
4184 | msedge.exe (12)
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
4384 | firefox.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 4780 wrote to memory of 4384 | 4780 | firefox.exe | firefox.exe (entry repeated in the original)
PID 4384 wrote to memory of 1656 | 4384 | firefox.exe | firefox.exe (entry repeated in the original)
PID 4384 wrote to memory of 1780 | 4384 | firefox.exe | firefox.exe (entry repeated in the original)
(64 entries in total across the three rows)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\GbzzvH9bwAI8gEC.jpg
  PID:2008
- C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID:2308
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\delsys32.txt
  - Opens file in notepad (likely ransom note)
  PID:4928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\delsys32.bat" "
  PID:2028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\delsys32.bat" "
  PID:4480
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\delsys32.bat"
  PID:2200
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\delsys32.txt
  - Opens file in notepad (likely ransom note)
  PID:4492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\delsys32.bat" "
  PID:3380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\delsys32.bat" "
  PID:4848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\delsys32.bat"
  PID:1492
-
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Suspicious use of WriteProcessMemory
  PID:4780
  - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4384
    - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9a39d2e-e0b6-47ad-960f-28e99d09f48a} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" gpu
      PID:1656
    - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2380 -prefMapHandle 2304 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0d71576-cfd3-4caa-95c2-cb676404fab0} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" socket
      PID:1780
    - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3224 -childID 1 -isForBrowser -prefsHandle 1460 -prefMapHandle 1352 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bcfbec87-a2db-41f0-aa3d-7645ab861b9c} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" tab
      PID:1088
    - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3884 -childID 2 -isForBrowser -prefsHandle 3876 -prefMapHandle 3872 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ad2ea58-bf88-48b5-82bf-c7a4343aa96e} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" tab
      PID:3052
    - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4892 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4856 -prefMapHandle 4900 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c77ac1c2-96aa-449c-99e5-20472b0fc681} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" utility
      - Checks processor information in registry
      PID:4848
    - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5316 -childID 3 -isForBrowser -prefsHandle 5288 -prefMapHandle 5252 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2319e067-b376-4e58-9bff-8283da2987e5} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" tab
      PID:1800
    - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5504 -childID 4 -isForBrowser -prefsHandle 5552 -prefMapHandle 5548 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28d0a5aa-a432-4db1-ba1c-7dca2c4f0c90} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" tab
      PID:3548
    - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5720 -childID 5 -isForBrowser -prefsHandle 5640 -prefMapHandle 5648 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1cf06db-11aa-4eed-a464-142d32da0e85} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" tab
      PID:2040
    - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6132 -childID 6 -isForBrowser -prefsHandle 6128 -prefMapHandle 6072 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35b05a95-6a03-4260-b234-7c41267d129e} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" tab
      PID:2496
-
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4184
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8df5c3cb8,0x7ff8df5c3cc8,0x7ff8df5c3cd8
    PID:2828
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1964,13414942040238935522,1956879103818144507,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1980 /prefetch:2
    PID:784
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1964,13414942040238935522,1956879103818144507,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID:1400
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1964,13414942040238935522,1956879103818144507,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
    PID:3316
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,13414942040238935522,1956879103818144507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
    PID:5044
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,13414942040238935522,1956879103818144507,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
    PID:4068
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,13414942040238935522,1956879103818144507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
    PID:5172
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,13414942040238935522,1956879103818144507,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:1
    PID:5184
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1964,13414942040238935522,1956879103818144507,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID:5320
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,13414942040238935522,1956879103818144507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
    PID:5536
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,13414942040238935522,1956879103818144507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
    PID:5696
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,13414942040238935522,1956879103818144507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
    PID:5340
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,13414942040238935522,1956879103818144507,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
    PID:5456
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,13414942040238935522,1956879103818144507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
    PID:5708
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,13414942040238935522,1956879103818144507,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
    PID:5716
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1964,13414942040238935522,1956879103818144507,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5284 /prefetch:8
    PID:6064
  - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1964,13414942040238935522,1956879103818144507,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID:1420
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,13414942040238935522,1956879103818144507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
    PID:5696
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1964,13414942040238935522,1956879103818144507,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6396 /prefetch:8
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID:6024
  - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\delete.bat" "
    PID:3416
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1964,13414942040238935522,1956879103818144507,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6212 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
    PID:5384
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,13414942040238935522,1956879103818144507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
    PID:6024
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1964,13414942040238935522,1956879103818144507,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3220 /prefetch:8
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID:5372
  - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\death.bat" "
    PID:3416
    - C:\Windows\system32\net.exe
      net session
      PID:1684
      - C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 session
        PID:240
    - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32 /r /d y
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
      PID:3712
    - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32 /grant administrators:F /t
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:3092
- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:2640
- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:4644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\delete.bat"
  PID:4880
- C:\Windows\explorer.exe
  explorer.exe
  PID:1732
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 152B
MD5: e11c77d0fa99af6b1b282a22dcb1cf4a
SHA1: 2593a41a6a63143d837700d01aa27b1817d17a4d
SHA256: d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0
SHA512: c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3
-
Filesize: 152B
MD5: c0a1774f8079fe496e694f35dfdcf8bc
SHA1: da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3
SHA256: c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb
SHA512: 60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b
-
Filesize: 37KB
MD5: 908677684413f5278249c1b08127d6a0
SHA1: df54a142c7eb47537509a54a8519f1c6c82d0965
SHA256: 49910739da15aef97cf1b1fab8a1c6817991542d296c3fe6619248258626330b
SHA512: d6458614c8cf209da33129d5672f4eee9923bb56e91692c87a0f82a0e00c0ed0c03bad913e3ebfae7dab32f76465e58289e15e579bc5f8af37845ab250301773
-
Filesize: 20KB
MD5: 4e786ef6de6d058a7ee21d714b5878f8
SHA1: a25cf3a4ef2c4208064a295fc00bf84be1557e8d
SHA256: fd7a0097dcdb4360e99e3131665aaf1cdddb65f638323d8dcd86832ac1c65b57
SHA512: 79f32a2fe5204c324bcdfd5b11b3d7423cb8961e61350ef8b1a40390212bb1f2125be11aa9a8761edb2fd4c760a39c9f18394a8bd8bc55148ff2937b4ea67bac
-
Filesize: 38KB
MD5: 084a7c45c750134bc52120929e4adfa2
SHA1: 7caa207a66cb97095da77cb26bc03c05e3e3e3ef
SHA256: d897e13540624694573d596496a442f317069973a8bd8f9464b2ee91406fb990
SHA512: 6aac3796f0435096a86e81ef9bdcd0186ecf74d35a38dbcd9d5c08662fe707c50d015453bf7eef1cbdbade8fca2779aded56bf3a2407a5ae97fb2a6eb1092f2f
-
Filesize: 19KB
MD5: 46c65c348f90aa174bfc5f9dbacbc3a1
SHA1: f3f1cb408e89e48b14532730632dba27858d2676
SHA256: 0b36587fac66193c3e84fc32c4edfecf3b9a8717aafea51178f5480239bfa008
SHA512: e18be3c74e039ff4297313b12abae8719e26eb852724a46f119121d008a7165e249bc17d17b3275a108e6de14b1bc443a7827589bc4fd46d616de699b8294ada
-
Filesize: 22KB
MD5: 17a3b62be9665b1d0e411a8d87565ecc
SHA1: be09b90a1a121126dab9689f156c51f77bee1ac9
SHA256: 038deabc8e304a2d574cfd4ed4aa515f8f174f7b3f8b80b416a4354d60b4f311
SHA512: 6de650c1d46b2d19c14f1b8d21c8589ee276caa2a30654436176295dccea7f619c450ff1cbd01fe94d174cb032eebffed18036fbae4e10dcb17fa228d23850fe
-
Filesize: 10KB
MD5: b1939c393246d97c909b2fec0a55b3da
SHA1: 0c7f01bec122ad76fb4f959605b2b4fa13a8dd24
SHA256: 79d5926d5e5c873e9e182bd85aa070990b68ec76a375f8820b432a7bc5a3f7ab
SHA512: 530ff756b9fd41481f29011d309220cf6abf78f10d634e7506e6d884a390f91518313edba2bffcb00d99cc7b7fe13ba5037bb92f47bb17f45aeef9ec9d0fa9f8
-
Filesize: 20KB
MD5: 8495d0a3b5bfe3671baf5b7320702b68
SHA1: a69398b809a87db7cea5bfa4f7792ee5e9bd9516
SHA256: b7f9b17a917eba56b9da40cbc2164a8d5c39207673a82a7fe772bbc126639827
SHA512: 627d51e75f3e660855a60ac2a19e85863ffd57e59bb10caf52791f4881cc9b0349428fc6beb0ebaf65fdb358140034e33d0235f34e59baeae322ec5e598b0f32
-
Filesize: 57KB
MD5: ff21b732b9170c12fc34e52e152aafd3
SHA1: 47e38e60669391afde31f90561cfe1da8b71739f
SHA256: b308244bdac3cb95c18d8de962a49479016c48fa357e2d51d4c9da2ecd146770
SHA512: 929bf64ec6a10ac22bbbf18b0325c955a064151aa1f442bac15f0d9deb1ee22d352892b0e7be025bb42fb9055bdda643f97e14d29b366844d1317386d6f3c26d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 2KB
MD5: f279f6b1b298e562eb9a4183037bfe50
SHA1: 5d4fd6accfe0db822aaa1429855385039facbd99
SHA256: 8fb308c3435fa5ecad1e07f335f8228d2bfb99253bd51b2ea190ed84fb14f253
SHA512: c5d3e6f7b102b7bf775264a925fe354d7b8ca9daa130b5e87439ebb6617780314e440cfcc400b2f32912db98270c24fd69b4e9494721260ebe5aad5671aa60fa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 2KB
MD5: 17e30a39b00093b5aeb67be507f778a2
SHA1: b43b016dce1a308103df49815bc2836095897d29
SHA256: 19bbfdf986f1888c066b3b64b9eb58036b51238affe25aec9da92f6f96ca0036
SHA512: 5ff8ba54b2b34959b44dad811946308bf0aebc5d142b05e5362568ead9413637d2a351485182ce30cf7f2851ade5cc7e5fa287fdf15355987f9dcbe9f7f5fcd3
-
Filesize: 649B
MD5: 8a1277dd0a75abfd6885cb9f4f7a1a97
SHA1: 7db995f8453103fc37c6ee4da7f9396aa364c242
SHA256: a59d87897b3a2b50dc012edf8c4a13d84e7ca64a205d32ceb83de9c2099e37f5
SHA512: 9a9d8806b7308cfd40e8f4a39cc64cc2bc42ffee78db58adf44295fea00ff76de55af5f1e80ae82596d1c774efd1ca224febb5cabfae4e272a59b8357e244c72
-
Filesize: 6KB
MD5: 0306bcd0daa8466e42d2adb33c4c03b2
SHA1: ab708ebf6bdc238b317e3602beff1893a5413a85
SHA256: f887efe6fdbeee5d7b0a2bf1187061218d1d23a8b69518812410e62640e13145
SHA512: 5cd1fe7ac5feed6fe4f54492296e01e07eb166e065da9ed4d2a4aee0e39ec4127d51317e8f57e9f6d7735489a377cc31f8ed498d98f08aaeefeeb795c12d1a7f
-
Filesize: 5KB
MD5: 2f60386ec960a66edad732cf6c3eee0e
SHA1: b579a17d9c3cb019de211416d375c922b6599269
SHA256: 3718094746d72dec92bf60dee27e05516f58c7a8d93fc4a7326c8a474c1f616f
SHA512: d104d1b5e1155d903f78a1e4626ec0cc31eb489f99ae5b8877d5c7ccefef17e22a49d0049b11e094a68d36ee76dccfb754f717adb86d67d82ec6fdc513008a36
-
Filesize: 6KB
MD5: 35e1bf2683b41aae43ced71bc9187d37
SHA1: d68ac97edf57adbef39d7f3c25c9a53288da38bf
SHA256: fbbd8fad3d8f77efac0042334da2f3f32eea42e929a9c077f1c0bab8cac6efb7
SHA512: 83b192016dfc1f0e202182b5f9d513e6c401cee2d1bbc3aa1f29a0d73e4936c8e59cba44725ffb5ccfd64049c3cc1cc50c0ae2314e8f1143a827594aa627c051
-
Filesize: 5KB
MD5: 49f17e38843b2139dbea6a920237efdc
SHA1: e0a1c8abc01a4136ed19cb5a38392e3fb1edec8d
SHA256: 458a00c34b4e1129261a525a8149fefba7960c2037c37e52d9bc93f671994e0f
SHA512: 217efbcebad25dd796a0c9dd065465fa31c0bc52bdbca8878e6eb4ba95eccf1f08cc1ae97ecb2da8c24b102558d236e0f0497263260f24a169f007c61bd85f7e
-
Filesize: 6KB
MD5: 197beb9c97eb9622dd27e216988eadd6
SHA1: d8829d36da308e76521b4122d559b554953318da
SHA256: 7d9fc44736a9970e6f8d4e0bf1ea0fffd54d0488979e80ab995d079050909bc8
SHA512: 07b2d8ab0b8034777eea3731c9f2c7ba632bb6f9e00f2a2f24cb4a2a3081190ae78d69e8b8732205a12f4d3d9f23a03c282eaa191dc4dff9ea8def2992589413
-
Filesize: 1KB
MD5: a05a9ee1f847471da0cf386b3869078f
SHA1: 62e4b88eb7336e604d6cc4201942defa9f5dc7b9
SHA256: 5d4a20f86d4a190075eb97bec6c65a7732ae07f328f78512ac90d37108a8a10b
SHA512: 22e78bf39b8e2fcd8a9b5376aa79ba01146322624737e948d207fb54609cd6da32d415cd411f16c0afaa7c19082265fa6fdf0dc9c30f357b1fd47d85d0ee8102
-
Filesize: 1KB
MD5: 9459ea7df768bff9ec59705fe986fcf1
SHA1: f64428fb1ab04837e581e7420a0d76bb42a4abe4
SHA256606e6558e276017fa8251f50b94b8c662f0537e787d24a352d4758c8d259028a
SHA512a23fc615d8666f816e6b792a49b559589fa834044b85756f17b4a35b1f7b5ba757e626e9c11f4169b6552eff27536748dbfa8e253d4a66ed38f912afc4ff7463
-
Filesize
1KB
MD51b89f06e499853587a2792b500588e41
SHA1a85980f9f92e2b959916b72bad20256b6e9add60
SHA2569beb3192f4ac38011ef42d1c08c7f537887c03dd0004e66edbc14c839ea5ca84
SHA5127071d4ac5a1d1a148eee3e84b06a409d9b5fc034368afd1e3e1247b765d2fd2a548948f697f6887942d16d34514fc38b0fed48313b216d1f3a0cb7a8e5d0c167
-
Filesize
874B
MD534869d1b8bb1f9c87eb2cb64a43cfc91
SHA1f779087a5904c9ff6ab6f0f2783b22ba0157a3ca
SHA256d2882a082567020a670ddc95ab28ea64a0cde9d57d84a5f41258873786ea3f2d
SHA512c3428d1cb88936c5050b69cead6568424ecb66b3444556c77010e5028311fc4f4fcc2757944e4eaea420e5e06d7de3747e82bbae7204aa486ad4a8edb7e57176
-
Filesize
874B
MD52d3f1c10cba1f8c3bf3ee67d53b026bb
SHA18f1c348cdedd6841ce650b6e135143bec71f7883
SHA2565de7b50966b79695da78d0732080b735cf28d6b3c81ee2f8148a9f09d1549cb3
SHA5120bd72362d8f56703401f440b97deafdc5707049860f2189f40342d97cec96b1983869e551ed71a35d90c71b70c0719453ed610fdb51c5e4c7db3dd751b693c92
-
Filesize
874B
MD5eb05c433e3ad41ae3a1cf5999c7b9e80
SHA1a89f318aec16b950381f05d6e53331067b399a89
SHA256cad81cd2840074dd5961e9d8d7fc04cb10ef0468c373f4398f5f648f4355720c
SHA5121562e2b31231a864291a602805898046c62ac9f526477ca8302851b50c1addde84e21df8f3966f028b29d05df5e022099041dc4ad0aa91101c230369c2c6be20
-
Filesize
706B
MD5a1902faf5a176d6e8057460c17f7e835
SHA13b2546c7aec8ef5aa549e572873045bdc5c0e33d
SHA256daa78e7ac0ee93c06fd834995912b11f9ddbacd521e4c5221b62c7e82663dd4f
SHA51236e5c1297186ce5f6ee309992af7875b23fdc96412481a55101d9de999e54df954f47064ea3b2297e85254cc1639b2b12695ff1d65de8cf875a024ca980f6386
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD5ba35f5e6399e48b7ab4c512dc76d3241
SHA16209bca509c613de78805bb7006bc9a18e6f5998
SHA256a157a16794d0071972029c4f0d96a9431532a6c754422afae30d169123694412
SHA512ee21af545522fe870034b709580947454c5913ea08dfc3de4bbabe65fcfbaa0e14451ef3308937942f9099a8cb8c49bd946e8f918ef0d54f0a86ccad7eadf76c
-
Filesize
11KB
MD5456053aa23ca115ffd3fd092e9479ad9
SHA1a6bcc38959e16ba89207c3e3cd72a0ebcff1fcd7
SHA256b50087f870ef973af6f736c83be9c0da4f5b1019ac52a53bfd12089feed97154
SHA512266758316ea92e93100d81b85e2b594ebf562ddc347eae05f74be71722c21869fe0ab7660907a02153c2a51749b9c9af2e6f393fe71526a528af34e53260a223
-
Filesize
11KB
MD5a27b31cdd95fb6acd455800502c50d7f
SHA1cdabace314d335ae762ca0d3e6726751662515b9
SHA256a98ee8a86704bf4c2affbf0da534bb9229755625841712679b84c7e93d74d354
SHA5121f46a6190e4ec7f62720c2edb79ff38f7f63a17b8f4f55ec7230d8badd0b51920619f6407a247684377136709a4710911dbccdc85a17f164c00728457ff6e3ab
-
Filesize
10KB
MD556ff35ba3f2d32e1a9d35a892db04e9e
SHA15f9601a3486182d7b05c5d95bb6e8c243cada385
SHA2564d384a1551fb1db4f5274868c9ffae09924e13bede161e0b05e5af7e63a7355c
SHA5127ff11f79016e3c818bc508788e226568de49543d2eb05ae7ce2ac15bf9b4078f24b0a7786e49ae77739d7152928d4f37c587aa0ab9a22f7b83713994698a80ff
-
Filesize
10KB
MD519791bb3ddb91c6d35aba9442dd4109a
SHA19f167af95fa17348d7ae150df15e2e21764afcc5
SHA2562264847d204c4cf4890863c55572850be3ab0c9a7db3c80c8a268b2abcd30209
SHA51251530a64124ffee09d2ac43d5fc7800f1907c5a5a5092f0d9f4f299318bffe2098bd194c5f33d3a8881e1c25c3cdf7ca61e328e2d1baf29878105ddadd19319f
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\activity-stream.discovery_stream.json
Filesize19KB
MD590131dd5b76dbf8494044ee174ca2108
SHA173a933a929fd35f5cf3ac7425d1bba143ccbd153
SHA25612d440326e7b3adadc51b7fa54fb3b808082ce22931031ee3e6e274a4e432a73
SHA5126de14fc2f4e32ca6ecfa46d6d3d9b503035426d3af7b6fbb1f74df5fdbef76f6b45306113376a4f8b50b088af27906b9352ea859581f1fc9b311114d8da81b60
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4DCB4SHXUOSOAN2JOZO3.temp
Filesize7KB
MD55fcc5111b4480fc62c459a4cfa3d7cb8
SHA1b987894b7d252f28ec836697d3de9e3014307563
SHA25662d194637e4dd6f3ef32196bf5066d2e6dce7d533f3d9f99845379a62d6f3b28
SHA512842f88d820173e44a28159b7a16885fbe1bcc7cb529175d3fcfbf8c51e9b8a97eab1b9435be9be87f42846b5e4c8ea4e73ebe08769aed96dbf80228fd8c20764
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\AlternateServices.bin
Filesize6KB
MD5f02b06929ac5a56adc6bd0d779937de4
SHA18fca3f85efd3e60a53c9b545f2c9ef6345607bca
SHA256f17078e122bcb5e66d5760c331d2bf0d6879825e204a4c23776fee3c3da3c944
SHA51227b40c5b689d4b8d29b59a61f2d8cbb9e51d5dadfa43a32d0f46eef9faa03fd490d2f2522b107d2f8f9fb4089df614decf73ab4e864a8cabe5bea8dbb14240ca
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\AlternateServices.bin
Filesize6KB
MD56ec5e4f464d129f213b0c5ad308c897e
SHA1af81af64c26facb0523be660c48e5f892455303f
SHA2560ae2c05e76819182e9bec78b62cc6c1b081743e4f35b4f871e44e95e52daebe4
SHA51240ae3d7a2b38eb39d6d2ede97505175b663a6f5757676ea859e9b0c3a4520f9d99b768046140ae2622f84cae41aee916169ece6073422a29880a21479fafd058
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\AlternateServices.bin
Filesize8KB
MD5a1a1107b985476501289d61804eef11a
SHA1a35a7c692fbca618f0f469a79f4dc4df404052a3
SHA25673475da721b296a3fe31bae7728582a54c37c1a7923b30fa326510d29c849ebe
SHA512b0855a5a405ce002b75a65a98231d28eec706c91a760b4a569764adb55765744e5141e2b749282dad8aa8711fa0118f0ad3350fa8b09a73ce923cf116f46e85c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5adfa57e6de27b062e95c7e97a0257eaa
SHA1003691610af59c9736732682052fcd5e43d800aa
SHA25641406ab281cc74f3e9a0601b649432406c1e406c0953c36f5a2adcd596c1907b
SHA5124e157968d005a2aa8c05ffaf6dd4b0f0fc181bc1fef9b4c6f87d09c589fe05812c4c5d36a0229b81a8976d795c4d3936b04a389f9c67ed8aa5563c3cd2af8362
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD5c7faaae94c3ad070b644554c33b68aaf
SHA1ba2c3a082c8490197f9d84aa6212ae9f80e9503b
SHA2563f61fe26eb76012fb4ff1b31936d7fb883b2c69136b6a6f4b5d4bc14c0f755a2
SHA5121c28dc454ab3c234818301d6c559b28cfb76bf7652bd38c0421080abd8fd7661c04b9b504787333dc30b9c2975ddbe44329f90a2e4db6f55a4243d74035858a3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD5590945ad2bb545bbafe090017af599f5
SHA1122dd23734a78595d99a8d38d238cb7bb67574e3
SHA25630fb6bee860cf1dcd43f04ab2cc90b31d65d5427ee0c2cd8ac8e9d84227fba76
SHA5125cd3ec58b40fe160039aaaf75b26d597f647be9c2ceb84d7c16f423b801e777c7722a79d4a85f1d0ac6b6b6233e1c9760abe912c678dd5fc6ab219c914929d93
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\pending_pings\0e01d9ff-4a14-45ed-bf59-632532de59b3
Filesize671B
MD5f69c285f481f83a6efd372612509f4fd
SHA1ac65d6b89e5de0efdf330620751ba4769278e73a
SHA25605e7b2ab2b5f813c5667b16581a3e5f82b9c70c0cf651cff01c17394925caae4
SHA512a1931ae40c6c459ee4ac7d0e4bfd461d9e0e74b90ecbffc3e3d09e0bd654aa08bcb99976ec60ea4d735fef9bd0f0926227c763d4c03042feb03e61f6d47e36dd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\pending_pings\44bbea4f-422c-4d03-b58a-87d04deff60a
Filesize982B
MD5652233cbd4dc0443aac8738c1d363836
SHA188d275f3df5a85dbd098442e11bc2246df2eac2a
SHA2563e1cb7c146d92ad88f68d0a5df8e39601daa6a2a3fa0af3cceecf4c662bd821d
SHA512ba1a9b9b87e1ff884fee646369a9924de3d95baa2fa43b596870d0a16a5b317e32bf5ccce358014c6a3cb42baa623a20298b138e7cd3b65d7681af230d7f035e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\pending_pings\c3fb2572-79b1-4950-b961-3c01b30e12d9
Filesize25KB
MD5867e60544d0bf3706672770f2ce8486a
SHA19d093600c5ebd30cca55652d3bbbf3eb750ecc99
SHA256025df9718f6aa8802e01173727dd0c98e0fb64910952eaca8be4a300be23c8db
SHA512a9887aebbfcd13cc59c003f8fe9c10e68f26391b6efd9d76734f678fb17f83575a015f42753857438d6a2af614888839415afefbe545e0238f1e0b5bf45da3b5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD5bfff1fcb5c7ec22dea8515042449a5b7
SHA12c6205317a6b30a2ead3e0a7582209d76d2449e8
SHA256aec27c9dd4cc0e961217ec42baa1e0ce361b8a35018360ea1b65fec371d1aafc
SHA5120e0b2c67ed55c510e505e4b204a110b7ab57b296268ecadbae6920977387ff3383812541a102bebe02f32d9df052b4ce3ad53a7bca5ae7de13c0968920b8e973
-
Filesize
10KB
MD578402a03f6e0a7f00284ecf895ba5bbd
SHA1d4dcd6c9e74faaa675c2c7d4ad3d4d7b154abbea
SHA2562887646df91f56d6b114a5ccf0591a3a326c29a3e93b0a631856b56d11032cbc
SHA512552438ec89fbad3396147aa416252e9bd5945b6b80a5e3bbf38d4a2175a2a4666f36afcb2054422e0a577fb0093192d160879c276004609d82a2a1b0c5dc75e6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\sessionstore-backups\recovery.baklz4
Filesize1KB
MD51e1934db26eeb14c19ebb54dc4331727
SHA1f0470884997b377de69526ccfb284f3f56539691
SHA256af57bd768e8828da3929191576cce810f174b63157bfe97ec912c5cae989ad7d
SHA5124367cd772f7c8f621e3d30104bb9845ef168475c0e9d4b3b53f109ad42af2c7667620483ee5ef7be03990fe77febf426c4ea33517aaf323ff18e5db571a1c0a4
-
Filesize
1KB
MD579458fa61b7e5a1d43260d43f1cf6bfd
SHA1ce6311f4d199ebcaac0d6caba34cded115b04461
SHA25691d9ddc3ca1de34c47304c6e5490ffcbb8253ab32ba4a1c0c4784bfeed326b50
SHA512a7d5217aa589d32efb627345005897fd5cc22d80d8953138b79e6c03f7aea683e031b0e24ca160910149720e51a02ee30a9efdb66ac14f6d6870dfeefcfcbf2a
-
Filesize
34B
MD529e02aa5d8ad5248c24f2ca22632e911
SHA12fc3f7b5e390e858d3f633c49656ad91abce2f42
SHA2567165fb9ffb5e283af11952690b8b74956027723103d49690b0df27b317bc824e
SHA5124e13f787209d203b1ca81dc1493802eedfafa8c4f26cbf9060d9ab366bccb485b7a54b37d5d6ee9b5a68d3492806f9fe4f9fee7b65680fe237b40e8667afcae8
-
Filesize
55B
MD50f98a5550abe0fb880568b1480c96a1c
SHA1d2ce9f7057b201d31f79f3aee2225d89f36be07d
SHA2562dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
SHA512dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6
-
Filesize
33B
MD5fae862d57f8907e997642377fe7156fa
SHA19cbd0dfe12003f1fba088f88e86cee7083be0b15
SHA2568d217d80b841b6c28a3bfc7ffbbb3b85e336f7ef71e79c5c41175eaf172ba839
SHA5126641bbd7fae441831f8efcf4d721e4d444c4ab640110d1bf68180b4b9c689ce4f5809cc299a4f7742f7451a33598bdc80113abc81182f682a269b42bc47e0fe4
-
Filesize
42B
MD5fff79d7820e583ae0f34a18833ef999c
SHA10b69a6741f9bc5d42014f260a1ce2aa3571be3ac
SHA256a8453086caaa2c8873cec23fa224f6a7aaa8af425b8bbf1a2dd629ed27084da9
SHA51229014498a595a2ee7292d547211704d3054688b163bf448ebad8780e18f755bbb3080927bd02787ae726f1b7f61e8c99eb26aeccb093f732dfbdd074ef8c35e1
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
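Turning a dropped-file listing like the one above into indicators is usually done by hand, and the raw sandbox export makes that error-prone: each label is run together with its value ("MD5b193..."), or the value is pushed onto the following line, and the final entry carries the digests of a zero-byte file (MD5 d41d8cd9..., SHA256 e3b0c442...), which match every empty file on every host. The parser below is an added example written for this page, not part of the sandbox report: it accepts the raw run-together form, the "Label: value" form and a label alone on its line, checks that every digest is hex of the right length, flags entries whose digests are those of empty input so they never reach a blocklist, and returns the SHA256 values that survive. The record layout, the problem strings and the `collect_sha256` helper are this example's own design; the sample input is two entries copied from this listing in the raw exported form.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hex length of each digest in the listing, and the digests of a zero-byte input.
DIGEST_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
EMPTY_DIGESTS = {a: hashlib.new(a.lower()).hexdigest() for a in DIGEST_LENGTHS}
# A label may be glued to its value ("MD5b193..."), written "MD5: ...", or alone on its line.
LABEL_RE = re.compile(r"^(Filesize|MD5|SHA512|SHA256|SHA1)\s*:?\s*(.*)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
HEX_RE = re.compile(r"[0-9a-f]+")


@dataclass
class DroppedFile:
    path: Optional[str] = None
    filesize: Optional[str] = None
    digests: Dict[str, str] = field(default_factory=dict)
    problems: List[str] = field(default_factory=list)  # empty means usable as an IOC


def _assign(rec: DroppedFile, label: str, value: str) -> None:
    if label == "Filesize":
        rec.filesize = value
    else:
        if label in rec.digests:
            rec.problems.append(f"duplicate {label}")
        rec.digests[label] = value.lower()


def _validate(rec: DroppedFile) -> None:
    if rec.filesize is None:
        rec.problems.append("missing Filesize")
    for algo, length in DIGEST_LENGTHS.items():
        value = rec.digests.get(algo)
        if value is None:
            rec.problems.append(f"missing {algo}")
        elif len(value) != length or not HEX_RE.fullmatch(value):
            rec.problems.append(f"{algo}: expected {length} hex chars, got {len(value)}")
    # The digests of an empty file identify nothing and must not become an indicator.
    if rec.digests and all(v == EMPTY_DIGESTS[a] for a, v in rec.digests.items()):
        rec.problems.append("empty-file digests")


def parse_listing(text: str) -> List[DroppedFile]:
    """Split a sandbox dropped-file listing into validated records."""
    records: List[DroppedFile] = []
    current, pending = DroppedFile(), None  # pending: label whose value is on the next line

    def flush() -> None:
        nonlocal current
        if current.path or current.filesize or current.digests:
            _validate(current)
            records.append(current)
        current = DroppedFile()

    for line in filter(None, map(str.strip, text.splitlines())):
        if line == "-":  # entry separator
            flush()
            pending = None
        elif pending is not None:
            _assign(current, pending, line)
            pending = None
        elif PATH_RE.match(line):  # a path opens a new entry even without a separator
            if current.digests:
                flush()
            current.path = line
        elif (m := LABEL_RE.match(line)) is None:
            current.problems.append(f"unrecognised line: {line!r}")
        elif m.group(2).strip():
            _assign(current, m.group(1), m.group(2).strip())
        else:
            pending = m.group(1)
    flush()
    return records


def collect_sha256(records: List[DroppedFile], include_flagged: bool = False) -> List[str]:
    """SHA256 values fit for an IOC list; flagged records are skipped unless asked for."""
    return [r.digests["SHA256"] for r in records
            if "SHA256" in r.digests and (include_flagged or not r.problems)]


# Constructed sample: two entries copied from this listing in the raw exported form.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD5f279f6b1b298e562eb9a4183037bfe50
SHA15d4fd6accfe0db822aaa1429855385039facbd99
SHA2568fb308c3435fa5ecad1e07f335f8228d2bfb99253bd51b2ea190ed84fb14f253
SHA512c5d3e6f7b102b7bf775264a925fe354d7b8ca9daa130b5e87439ebb6617780314e440cfcc400b2f32912db98270c24fd69b4e9494721260ebe5aad5671aa60fa
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""
```

Run `parse_listing()` over the whole listing and feed `collect_sha256()` to your blocklist; anything with a non-empty `problems` list, including the zero-byte entry at the end of this listing, needs a look before it is used as an indicator. Two further caveats before alerting on hashes from a run like this one: the entries under the Firefox profile's `gmp-gmpopenh264` and `gmp-widevinecdm` directories are the browser's own media plugin downloads, and the Edge and Firefox cache, session-store and telemetry files change on every run, so de-duplicate against a known-good baseline from a clean run of the same image rather than treating every dropped file as attacker output.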