Analysis
max time kernel: 147s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 08:09
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://drive.google.com/file/d/1RBD8R7H9cVXRxmAa4QApZkyInlgRE1aC/view
Resource: win10v2004-20241007-en
General
Target: https://drive.google.com/file/d/1RBD8R7H9cVXRxmAa4QApZkyInlgRE1aC/view
Malware Config
Signatures
Downloads MZ/PE file
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Executes dropped EXE 4 IoCs
pid | Process
6516 | 7z2408-x64.exe
6368 | 7zG.exe
6432 | 7zG.exe
1628 | 7zG.exe
Loads dropped DLL 3 IoCs
pid | Process
6368 | 7zG.exe
6432 | 7zG.exe
1628 | 7zG.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
6 | drive.google.com
8 | drive.google.com
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\Lang\gu.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\vi.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\7z.dll | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\7zCon.sfx | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\es.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ka.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ms.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\yo.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mn.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mr.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fur.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fy.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ro.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\uk.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\da.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fi.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mk.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\nn.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\tg.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\be.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\kk.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\cs.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\el.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ja.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\kab.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\lv.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ta.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\7-zip32.dll | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\eo.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ko.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\lij.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ru.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\en.ttt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\pt.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sr-spl.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ar.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\co.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sq.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sv.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\uz-cyrl.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\7-zip.dll | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\io.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sr-spc.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\uz.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ku-ckb.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\th.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\an.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\de.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ga.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\id.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\pa-in.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\tt.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\br.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\is.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ext.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ku.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\7z.sfx | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\descript.ion | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\lt.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\he.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\hu.txt | 7z2408-x64.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sl.txt | 7z2408-x64.exe
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description | ioc | Process
File created | C:\Users\Admin\Downloads\7z2408-x64.exe:Zone.Identifier | firefox.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7z2408-x64.exe
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class 21 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" | 7z2408-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | 7z2408-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | 7z2408-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | 7z2408-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll" | 7z2408-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" | 7z2408-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip | 7z2408-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip | 7z2408-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip | 7z2408-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip | 7z2408-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000} | 7z2408-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" | 7z2408-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000} | 7z2408-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" | 7z2408-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 | 7z2408-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip | 7z2408-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | 7z2408-x64.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | firefox.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 | 7z2408-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll" | 7z2408-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | 7z2408-x64.exe
NTFS ADS 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\Downloads\7z2408-x64.exe:Zone.Identifier | firefox.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
6616 | vlc.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid | Process
1020 | msedge.exe
1020 | msedge.exe
4552 | msedge.exe
4552 | msedge.exe
648 | identity_helper.exe
648 | identity_helper.exe
4288 | msedge.exe
4288 | msedge.exe
7088 | msedge.exe
7088 | msedge.exe
7088 | msedge.exe
7088 | msedge.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
6616 | vlc.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
pid Process 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe -
Suspicious use of AdjustPrivilegeToken 18 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5312 | firefox.exe
Token: SeDebugPrivilege | 5312 | firefox.exe
Token: SeRestorePrivilege | 6368 | 7zG.exe
Token: 35 | 6368 | 7zG.exe
Token: SeSecurityPrivilege | 6368 | 7zG.exe
Token: SeSecurityPrivilege | 6368 | 7zG.exe
Token: SeRestorePrivilege | 6432 | 7zG.exe
Token: 35 | 6432 | 7zG.exe
Token: SeSecurityPrivilege | 6432 | 7zG.exe
Token: SeSecurityPrivilege | 6432 | 7zG.exe
Token: SeRestorePrivilege | 1628 | 7zG.exe
Token: 35 | 1628 | 7zG.exe
Token: SeSecurityPrivilege | 1628 | 7zG.exe
Token: SeSecurityPrivilege | 1628 | 7zG.exe
Token: 33 | 5420 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 5420 | AUDIODG.EXE
Token: 33 | 6616 | vlc.exe
Token: SeIncBasePriorityPrivilege | 6616 | vlc.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe -
Suspicious use of SendNotifyMessage 49 IoCs
pid Process 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 5312 firefox.exe 6616 vlc.exe 6616 vlc.exe 6616 vlc.exe 6616 vlc.exe 6616 vlc.exe -
Suspicious use of SetWindowsHookEx 9 IoCs
pid | Process
5312 | firefox.exe
5312 | firefox.exe
5312 | firefox.exe
5312 | firefox.exe
6516 | 7z2408-x64.exe
6616 | vlc.exe
6616 | vlc.exe
6616 | vlc.exe
6616 | vlc.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4552 wrote to memory of 3648 4552 msedge.exe 83 PID 4552 wrote to memory of 3648 4552 msedge.exe 83 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 
msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1668 4552 msedge.exe 84 PID 4552 wrote to memory of 1020 4552 msedge.exe 85 PID 4552 wrote to memory of 1020 4552 msedge.exe 85 PID 4552 wrote to memory of 2052 4552 msedge.exe 86 PID 4552 wrote to memory of 2052 4552 msedge.exe 86 PID 4552 wrote to memory of 2052 4552 msedge.exe 86 PID 4552 wrote to memory of 2052 4552 msedge.exe 86 PID 4552 wrote to memory of 2052 4552 msedge.exe 86 PID 4552 wrote to memory of 2052 4552 msedge.exe 86 PID 4552 wrote to memory of 2052 4552 msedge.exe 86 PID 4552 wrote to memory of 2052 4552 msedge.exe 86 PID 4552 wrote to memory of 2052 4552 msedge.exe 86 PID 4552 wrote to memory of 2052 4552 msedge.exe 86 PID 4552 wrote to memory of 2052 4552 msedge.exe 86 PID 4552 wrote to memory of 2052 4552 msedge.exe 86 PID 4552 wrote to memory of 2052 4552 msedge.exe 86 PID 4552 wrote to memory of 2052 4552 msedge.exe 86 PID 4552 wrote to memory of 2052 4552 msedge.exe 86 PID 4552 wrote to memory of 2052 4552 msedge.exe 86 PID 4552 wrote to memory of 2052 4552 msedge.exe 86 PID 4552 wrote to memory of 2052 4552 msedge.exe 86 PID 4552 wrote to memory of 2052 4552 msedge.exe 86 PID 4552 wrote to memory of 2052 4552 msedge.exe 86 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/1RBD8R7H9cVXRxmAa4QApZkyInlgRE1aC/view
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4552
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b7646f8,0x7ffa8b764708,0x7ffa8b764718
  PID:3648
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,14117744991413649514,10589329371547733871,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  PID:1668
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,14117744991413649514,10589329371547733871,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  PID:1020
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,14117744991413649514,10589329371547733871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  PID:2052
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14117744991413649514,10589329371547733871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  PID:1472
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14117744991413649514,10589329371547733871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  PID:1868
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14117744991413649514,10589329371547733871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
  PID:1580
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,14117744991413649514,10589329371547733871,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
  PID:4724
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,14117744991413649514,10589329371547733871,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:648
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14117744991413649514,10589329371547733871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  PID:4632
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,14117744991413649514,10589329371547733871,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5524 /prefetch:8
  PID:4344
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14117744991413649514,10589329371547733871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  PID:2512
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14117744991413649514,10589329371547733871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
  PID:7080
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14117744991413649514,10589329371547733871,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
  PID:7056
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14117744991413649514,10589329371547733871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
  PID:5892
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14117744991413649514,10589329371547733871,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6624 /prefetch:1
  PID:5904
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,14117744991413649514,10589329371547733871,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6364 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:4288
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,14117744991413649514,10589329371547733871,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5088 /prefetch:2
  - Suspicious behavior: EnumeratesProcesses
  PID:7088
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:2012
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:1056
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
PID:5244
  C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5312
    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2012 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1916 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0df9937-18d8-4aa6-a924-eb02cbd1d12f} 5312 "\\.\pipe\gecko-crash-server-pipe.5312" gpu
    PID:5484
    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2424 -parentBuildID 20240401114208 -prefsHandle 2416 -prefMapHandle 2412 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ced53df2-3722-476b-b0d2-41c52f18d76b} 5312 "\\.\pipe\gecko-crash-server-pipe.5312" socket
    - Checks processor information in registry
    PID:5544
    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3400 -childID 1 -isForBrowser -prefsHandle 3008 -prefMapHandle 3284 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 888 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9aa98bf0-ad32-482b-a098-9165e9cd0c8c} 5312 "\\.\pipe\gecko-crash-server-pipe.5312" tab
    PID:5948
    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3200 -childID 2 -isForBrowser -prefsHandle 3192 -prefMapHandle 2972 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 888 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c7c8e60-b62d-470e-99c7-3924fae5a345} 5312 "\\.\pipe\gecko-crash-server-pipe.5312" tab
    PID:6084
    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4664 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4656 -prefMapHandle 4640 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af094d69-b584-41e3-aa8f-9da0c02bd4a8} 5312 "\\.\pipe\gecko-crash-server-pipe.5312" utility
    - Checks processor information in registry
    PID:6592
    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5212 -childID 3 -isForBrowser -prefsHandle 5220 -prefMapHandle 5224 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 888 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13122e7a-c2b0-4044-8309-1cf0000aa22a} 5312 "\\.\pipe\gecko-crash-server-pipe.5312" tab
    PID:6952
    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5392 -childID 4 -isForBrowser -prefsHandle 5400 -prefMapHandle 5404 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 888 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1cfec9ef-5249-456a-9b4a-477664d04d12} 5312 "\\.\pipe\gecko-crash-server-pipe.5312" tab
    PID:6964
C:\Program Files\Mozilla Firefox\firefox.exe (process tree level 3)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5172 -childID 5 -isForBrowser -prefsHandle 5168 -prefMapHandle 5008 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 888 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9032dde-f4ef-4e5c-8d95-eb5076f10923} 5312 "\\.\pipe\gecko-crash-server-pipe.5312" tab
PID: 6976

C:\Program Files\Mozilla Firefox\firefox.exe (process tree level 3)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6220 -childID 6 -isForBrowser -prefsHandle 6216 -prefMapHandle 6212 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 888 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {162be855-54a1-4d18-9858-17d23b3ce223} 5312 "\\.\pipe\gecko-crash-server-pipe.5312" tab
PID: 6352

C:\Program Files\Mozilla Firefox\firefox.exe (process tree level 3)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5908 -childID 7 -isForBrowser -prefsHandle 4216 -prefMapHandle 3120 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 888 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {769be91c-d940-4328-b621-13236885ba20} 5312 "\\.\pipe\gecko-crash-server-pipe.5312" tab
PID: 6852

C:\Windows\System32\rundll32.exe (process tree level 1)
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID: 6692

C:\Users\Admin\Downloads\7z2408-x64.exe (process tree level 1)
"C:\Users\Admin\Downloads\7z2408-x64.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID: 6516

C:\Program Files\7-Zip\7zG.exe (process tree level 1)
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap5101:114:7zEvent24225
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID: 6368

C:\Program Files\7-Zip\7zG.exe (process tree level 1)
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap21215:114:7zEvent26240
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID: 6432

C:\Program Files\7-Zip\7zG.exe (process tree level 1)
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap15684:114:7zEvent2703
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID: 1628

C:\Program Files\VideoLAN\VLC\vlc.exe (process tree level 1)
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\Serato Sample v1.4.0 Windows\Descubre Serato Sample, el mejor plugin de sampleo.mp4"
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID: 6616

C:\Windows\system32\AUDIODG.EXE (process tree level 1)
C:\Windows\system32\AUDIODG.EXE 0x384 0x4e4
- Suspicious use of AdjustPrivilegeToken
PID: 5420

Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize 1.8MB
MD5 1143c4905bba16d8cc02c6ba8f37f365
SHA1 db38ac221275acd087cf87ebad393ef7f6e04656
SHA256 e79ddfb6319dbf9bac6382035d23597dad979db5e71a605d81a61ee817c1e812
SHA512 b918ae107c179d0b96c8fb14c2d5f019cad381ba4dcdc760c918dfcd5429d1c9fb6ce23f4648823a0449cb8a842af47f25ede425a4e37a7b67eb291ce8cce894

Filesize 692KB
MD5 4159ff3f09b72e504e25a5f3c7ed3a5b
SHA1 b79ab2c83803e1d6da1dcd902f41e45d6cd26346
SHA256 0163ec83208b4902a2846de998a915de1b9e72aba33d98d5c8a14a8fbf0f6101
SHA512 48f54f0ab96be620db392b4c459a49a0fa8fbe95b1c1b7df932de565cf5f77adfaae98ef1e5998f326172b5ae4ffa9896aeac0f7b98568fcde6f7b1480df4e2d

Filesize 152B
MD5 6960857d16aadfa79d36df8ebbf0e423
SHA1 e1db43bd478274366621a8c6497e270d46c6ed4f
SHA256 f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32
SHA512 6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Filesize 152B
MD5 f426165d1e5f7df1b7a3758c306cd4ae
SHA1 59ef728fbbb5c4197600f61daec48556fec651c1
SHA256 b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841
SHA512 8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 456B
MD5 99a254ff03f3cc790b93933d35803a32
SHA1 6d1d3c3a5f254288babc1753f64438952cfba0dd
SHA256 c42dd08c82452d889e5f748beee7ecfe3344d0ccd64277d394ebd8d90e2c340a
SHA512 cd386634595dbe5515aca74da64b96dfa482608edaa7d0f01efadeab24d01540a7abf4efa367a95a41f30d3d0c610394789134b4c96ea0ea5951e8bcbdfd8153

Filesize 3KB
MD5 c57cb1ea2f1fa05b2f20a4ef9d2edeed
SHA1 b08acd5168450d10eb05c50b38be4feb0d5181c0
SHA256 9667d13acfa7435c6b5614606401477078182828fa701b1b3a1862a8dbbec42c
SHA512 0bfab588b38bad3f360c017ab0ebf1fbb55d37a12f26725de79314abae7740c08ca539d0e6577061b9ad77acc46dd3238ec4ef07d9149a2980a4c542f0c6a1ff

Filesize 3KB
MD5 f97cdcbd0217fe1967e5dd97a846c148
SHA1 f3128b5286269b23c8f1def616f634465a09d719
SHA256 3b71aeebc757dba6bb2bad9ab33f8fa4174c65b7e5f9d7b7b0bd22b89e82f6de
SHA512 3f4700de974ef4486038772664be4bc2a2bb5f7487a94bfe617b60dd8a4a6ccb5f2eb65a7a062c625995c6a7587e215fe29e5e6196a2831288c75a6e91db4ea6

Filesize 6KB
MD5 df392355a4381e77f20e58b0056d4c3e
SHA1 2d95a11236d6ec36d10ebe0c4cfec32ec7d116ac
SHA256 7fd6d75f10b694f3972f9001b54507ad8e9e5bfc77f02cb7c17916493342bf15
SHA512 3af49a6cdb4c135799c91e1d90808c5903f6abe4eb4b7e9ce93ba87436253d2900cc1b3820022e3d4b299bf45f7b620c5c5c6167d714982f5fd024cd60faac18

Filesize 5KB
MD5 90002452f478bd9619306bdb646c368d
SHA1 27a2fd005e579a4365ff5360e2cbf58022a84ccf
SHA256 c4581aedefd95a345a4bc708c7ffc59f46b1f3b979c32c625cb117ceb7486aa5
SHA512 e2271dca92f4a1ee316bf90051959ba861baa28ee81b343a2aa18803589e5051e3b1368488e368a9ca19ac63b73d6eb5708913edc29ed1f4db538eb3d0d6e80d

Filesize 6KB
MD5 34a709cb59e9e2a8f6f0b67795dc9208
SHA1 c64a7a7fadca95b2675f4574d6838c4ab301d5f6
SHA256 016a990b07f91c1d3af196930c99ca9dfe2965d553046d32b3c31d95ed89af7d
SHA512 e3104eed53980fb1e6f26e0dbaad8506efe2dbd225ad014ca1b9dbeea7fda6257d2ab332c79baaf6a22e1b66c5b5ad0aa0e5d570be301d4ac86ffe70fe6fa619

Filesize 16B
MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize 11KB
MD5 1b6417698a9b294e6912ced5f6b67bc7
SHA1 bdd1c7f25ea3686bc7cead278cd2098f4e118a78
SHA256 f4a25072db4f667c9ee85ac30fc1fc8225b8d699eac3f2cccdcab3eecbc3db36
SHA512 3bd2014b2510f9a9ea3327d83369607643350c07d06426c9c2524254e9dc93a20a7d964409275ead6e993be4ba9734cc94162f8cca87d19f08caca2bec338bd5

Filesize 10KB
MD5 340ac98e477b0e177302db775e861e34
SHA1 ed90db75858a509b5d517a48d82f9ad0c6ef5b77
SHA256 2d6aa665cd6fd735c6a5a15e5227589cdae2a0d5455627c64c366355e88a25b6
SHA512 3aa47bfbf9b17bbf5908e3c0b7546355cf1aafc1162dade0dedba2129065d9495ca0bb280585586d931ad5c135b249423a84a97a0064892c1557cb39ef910d5c

Filesize 10KB
MD5 b2897281e1bf346dd2b7e4d7a73821fb
SHA1 438b2e5ec64ab7062a6ac66efe2a02a6c0286c4f
SHA256 0f16c4ecfca423685faad9a62dbe63586a01e2e36bb72b178a6d2cf49ab861a5
SHA512 8bd2554c3f58439a01502a453125238ca338ddce73c99b98e0c31925bc31967aedcec0edcaaaad9b082f87659aedb5bd7f6352dcb5dbab51573655e4375ae409

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\activity-stream.discovery_stream.json
Filesize 21KB
MD5 314e8b941a7c8cc07965cba00c9109bc
SHA1 af701b7aa222a0e45c9bd9efd564e2c843e6d480
SHA256 ed9e3b878ed9140cb8f9a83aaa19cdf7c156ca1cd0642e2d3a623574cb5a42f7
SHA512 eba40c7cedb91084fafe14b4c46eb23b6b09458a9c03f4ecd5867f3b89a8b3e887a17ee6090f269739b86232a471c8895e43471d88320e17f2e852ad74bc7a78

Filesize 479KB
MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Filesize 13.8MB
MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin
Filesize 8KB
MD5 005bc87ed23add4e742ea6dae99cd09c
SHA1 797e0bfc32b1e98127f3823c10da3f980c399b53
SHA256 4888505e4ecfba898d180caa8540135ebb90a0f2fe536d808780af632ba20d4c
SHA512 84db63c065b87eb18c6d6b7b47f4b8e6e59a72414026d1e79bfe112f979bf06577971320f49c91b0c8de8d339a6a268bdfe1a7bdf63f60260b87a594a21c22f0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin
Filesize 17KB
MD5 18c292612ccd4c6b230e8b7b37202355
SHA1 7efd31407bcf876cb2f669d5701b3abc95928045
SHA256 67100044ebfa24079117584c05eb660c7bfc9752f1e79d291676cf51c1d0fd84
SHA512 1d2575e5c30de4bf55835ba8273997b6026283918ecb5c7aefbb34443180c163d113305f891b99c03aa1d84942dd985279625c6671d851e4f4333dfb56e1a9b9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp
Filesize 5KB
MD5 960baf903f6430adf930cfd6d68858c1
SHA1 bf1227b8f44338e263ed23200289fa48dc229ba4
SHA256 055ee48e504947cee1550e0f7f33d5bb0fa0cfd542c1f327a3afca5d95c285af
SHA512 add97968a8642783d68753fa54582f8f2765a5d1cd99accb5d65e7f4cffc4bbccb0fceae9696055a8dc3b817f5acb5b5e0c8a814ab1bcedc78cb9183ac27fc9b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp
Filesize 6KB
MD5 35133868e31ba4d3d9f9e7e12e732aa7
SHA1 9880793508b7667f2bba78c4c297a698f304ba11
SHA256 f5b9f5092d177f311fdc186d2c514c3834d91a859d931d123e49acc10e24b359
SHA512 fe105026594507ea968eb9d344edbe6c2be71c2163db07ccc13e626357a75e27aea1a440cc3871cabbcd01dae7705d7642b6ba8936a778c28d1952255d4af825

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp
Filesize 20KB
MD5 77adf6ba27de71d63bba452d8b66a11b
SHA1 83e6ab2d01f3e3280dd2c15299f47490df7cfdfb
SHA256 1b3033e5c85e91d78c3db66b3e047342a5ca1086970092bdba8b93a2224c3060
SHA512 26da3bedead678d794e0a0ccd903ec799613f70e26e5ca2a1777ac60678541ef31d7ecaebbecd93321a50f65410faffe73d68090f7a784783863452a2910dcb6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\14c06cbb-ba6c-4e4e-9ca3-09d2a4f316e0
Filesize 671B
MD5 b967ff560e61a06ef4a0bd6a4946b384
SHA1 da055c89e64123c9cbd59aa358f7b79ee8245249
SHA256 7ba02c6c3972f634116c4118a889f5f66e173232804e5de5575993e67b9e55ee
SHA512 bad3ec364064c258629c0ccc4a819c97cd49997c2d5130fc826ad9f64a16abfce36668722061411dbba6743264996cccd3250c5136ab1c50fb5d17a3605a4fc6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\afac95c9-cc47-4afe-a4e9-40a8056acf97
Filesize 982B
MD5 c26f55a690ce4a28608bd89e58c945ac
SHA1 a686ccc356b4da4c9019f968685e5ef2100b25bf
SHA256 41f51467f8e2b0c065ed048d550084c44d8558a53b55f6bdf084029f0f486d29
SHA512 3f5fe29bc272ba5f294220c688bc4605b959f40cb58ca2a7731982650ae1c978fcd5dbf1675aef9e72122c1c889da73471bb21e6ca25e350a4b612f6aaa1a593

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\e494472b-4e5e-4e1d-a1c9-8a62bd541b70
Filesize 26KB
MD5 616c117173f433c06fcd05d8f8c92f1c
SHA1 b798ee0714050e1c6754572a8a4601c31e00bacf
SHA256 e3aabeb99526c151f20bec8ff993af69aa2b5d4b9bd74247d13567acca74b2ef
SHA512 b3796b399cefd82ed37eb683aae5346f5074cefde62d11497910bb7010e242629ea6412f9bd170cd00ea65701e749845b6f1589f6f715ce2515400e92b56b745

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize 1.1MB
MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize 116B
MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize 372B
MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize 17.8MB
MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Filesize 10KB
MD5 8318ee644a5c94fd412031f9254d105d
SHA1 6982372b56a883061edb3cee78b58419726ee964
SHA256 51c0aa002e1c237003b5a0e4d08f2772051aa6508928f8c569eacc83c2e5d1ab
SHA512 04d0ce891cb88ee6300ed7a951fe1a08d5e2a4fa8d180328b09eff74b3c3cd96aaa786eaf8c0a2f816fff5b19c72d42e147c8606b7e75c5452d9b3ab9cd01b23

Filesize 11KB
MD5 46f250f1b5d9ecfc33ca808d2357bf3c
SHA1 4d272d72ec60e75143857af55a1228dcc6cd6c7a
SHA256 19d3d20dcb092959b8772e96192e2793606d1bd457919b06ae1d2a4aaf7572c0
SHA512 cdfd21ece9f8534ea5e00a28bf4c528e9e291aa8e717b7794cb1e25d8e1c3b105f5657448325c5312300b0bb622e9f15906b62666384bb776135fb30d0f83c9a

Filesize 10KB
MD5 88e7427002583d35328758b01c19976e
SHA1 a8d7a29f7ec318508a70437bb42ac402645c519f
SHA256 0dbb46d7348532f48b71c0bc4c02eea7354797c37d526256650f96b1b73e3ce0
SHA512 4bb6938d04557d3a24a1ed22bb3675b09ea73cfdac954394a683bd2919ac046d2e086292d183fd34b46b514e7654c114ead9b9f2c948cad641ebf4157d17cd64

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\sessionCheckpoints.json.tmp
Filesize 259B
MD5 e6c20f53d6714067f2b49d0e9ba8030e
SHA1 f516dc1084cdd8302b3e7f7167b905e603b6f04f
SHA256 50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092
SHA512 462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\sessionstore-backups\recovery.baklz4
Filesize 4KB
MD5 39043e7bdcaf5b0685eb32e339289d1b
SHA1 585320505dac4efb05768812b76d88b1552d3985
SHA256 fc059dc6414ab0e37b08d6fad858a9dc605a800c2eea98816e308a0432b5ba46
SHA512 ca799719a0594fce3bed0d6b89167b2bab3d2c6504fb1d8f0046eb797483e0d5f7e890e683e0c2d33645690b127634cd8a007b52995bd1013c89cebc7d44b5f3

Filesize 1.5MB
MD5 0330d0bd7341a9afe5b6d161b1ff4aa1
SHA1 86918e72f2e43c9c664c246e62b41452d662fbf3
SHA256 67cb9d3452c9dd974b04f4a5fd842dbcba8184f2344ff72e3662d7cdb68b099b
SHA512 850382414d9d33eab134f8bd89dc99759f8d0459b7ad48bd9588405a3705aeb2cd727898529e3f71d9776a42e141c717e844e0b5c358818bbeac01d096907ad1