Resubmissions
10-11-2024 01:42
241110-b41vrswgrj 8 10-11-2024 01:38
241110-b2c1xswkft 8 10-11-2024 01:32
241110-bx637swjhx 8

Analysis
max time kernel: 250s
max time network: 251s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:32

Static task: static1
Behavioral task: behavioral1
  Sample: fnaf plus restored.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: fnaf plus restored.exe
  Resource: win10v2004-20241007-en

General
Target: fnaf plus restored.exe
Size: 937KB
MD5: 10fccccf042d47d4bf56bb1bc5e04273
SHA1: 42268e93106a8b9831f1750dbda236137d37542c
SHA256: 60ccfd2af3e5f68d1b1fa36140e97a65411f0ce26da19768933cd5128fe342fb
SHA512: ef5f4cca065311aae4b3d35c74de5d2daeebb36396e0a15fa5a544460ccb8ef82dd2efa7efae1afa0bb76468e9986c2e3dfa37cfbca1c01ca212c9379b3b36a9
SSDEEP: 12288:qUDU9hdC/8PqDaPcUewtn10Gkt+Tu8mTLUyitik5ZEXhttD:qIU9hB5Bkt+TmYti8ZErtD
Malware Config

Signatures

Blocklisted process makes network request 2 IoCs
Processes:
  flow | pid  | process
  386  | 5152 | powershell.exe
  388  | 5152 | powershell.exe
Downloads MZ/PE file
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe | MicrosoftEdgeUpdate.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" | MicrosoftEdgeUpdate.exe
A potential corporate email address has been identified in the URL: [email protected]
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | MicrosoftEdgeUpdate.exe
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Executes dropped EXE 11 IoCs
Processes:
  pid  | process
  2748 | MicrosoftEdgeWebview2Setup.exe
  4020 | MicrosoftEdgeUpdate.exe
  3988 | MicrosoftEdgeUpdate.exe
  3096 | MicrosoftEdgeUpdate.exe
  6016 | MicrosoftEdgeUpdateComRegisterShell64.exe
  2168 | MicrosoftEdgeUpdateComRegisterShell64.exe
  1636 | MicrosoftEdgeUpdateComRegisterShell64.exe
  5812 | MicrosoftEdgeUpdate.exe
  1008 | MicrosoftEdgeUpdate.exe
  4060 | MicrosoftEdgeUpdate.exe
  5404 | MicrosoftEdgeUpdate.exe
Loads dropped DLL 16 IoCs
Processes:
  pid  | process
  684  | MsiExec.exe
  4020 | MicrosoftEdgeUpdate.exe
  3988 | MicrosoftEdgeUpdate.exe
  3096 | MicrosoftEdgeUpdate.exe
  6016 | MicrosoftEdgeUpdateComRegisterShell64.exe
  3096 | MicrosoftEdgeUpdate.exe
  2168 | MicrosoftEdgeUpdateComRegisterShell64.exe
  3096 | MicrosoftEdgeUpdate.exe
  1636 | MicrosoftEdgeUpdateComRegisterShell64.exe
  3096 | MicrosoftEdgeUpdate.exe
  5812 | MicrosoftEdgeUpdate.exe
  1008 | MicrosoftEdgeUpdate.exe
  4060 | MicrosoftEdgeUpdate.exe
  4060 | MicrosoftEdgeUpdate.exe
  1008 | MicrosoftEdgeUpdate.exe
  5404 | MicrosoftEdgeUpdate.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description | ioc | process
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
Processes:
  flow | ioc
  368  | raw.githubusercontent.com
  369  | raw.githubusercontent.com
  370  | raw.githubusercontent.com
  371  | raw.githubusercontent.com
Checks system information in the registry 2 TTPs 8 IoCs
System information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
Drops file in Program Files directory 64 IoCs
Processes:
  description | ioc | process
  File created | C:\Program Files\JJSploit\JJSploit.exe | msiexec.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_en-GB.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_hr.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_ca-Es-VALENCIA.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_gd.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_sq.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdate.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_cs.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_is.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_it.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_nl.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_sv.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_tr.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_mt.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files\JJSploit\resources\luascripts\jailbreak\criminalesp.lua | msiexec.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_am.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_bs.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_gl.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_id.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_pl.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_sr.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_nn.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_sr-Cyrl-RS.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files\JJSploit\resources\luascripts\general\multidimensionalcharacter.lua | msiexec.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_iw.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | MicrosoftEdgeUpdate.exe
  File created | C:\Program Files\JJSploit\resources\luascripts\general\noclip.lua | msiexec.exe
  File created | C:\Program Files\JJSploit\resources\luascripts\jailbreak\walkspeed.lua | msiexec.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_bn.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_fa.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_hu.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_ro.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_mk.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_ne.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\MicrosoftEdgeUpdateBroker.exe | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_es.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_ja.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\MicrosoftEdgeUpdateSetup.exe | MicrosoftEdgeWebview2Setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | MicrosoftEdgeUpdate.exe
  File created | C:\Program Files\JJSploit\resources\luascripts\animations\dab.lua | msiexec.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\EdgeUpdate.dat | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_mi.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files\JJSploit\resources\luascripts\general\tptool.lua | msiexec.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_de.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_ms.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_nb.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files\JJSploit\resources\luascripts\general\fly.lua | msiexec.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_pt-PT.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_cy.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\psuser_64.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_fi.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_ko.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_lv.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_quz.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files\JJSploit\resources\luascripts\animations\levitate.lua | msiexec.exe
  File created | C:\Program Files\JJSploit\resources\luascripts\general\magnetizeto.lua | msiexec.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_lo.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_bg.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_gu.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_hi.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_te.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_eu.dll | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\MicrosoftEdgeUpdateOnDemand.exe | MicrosoftEdgeWebview2Setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\msedgeupdateres_ml.dll | MicrosoftEdgeWebview2Setup.exe
Drops file in Windows directory 10 IoCs
Processes:
  description | ioc | process
  File created | C:\Windows\Installer\SourceHash{108D448A-5196-4E2F-917E-B502F591C9BA} | msiexec.exe
  File created | C:\Windows\Installer\{108D448A-5196-4E2F-917E-B502F591C9BA}\ProductIcon | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\e59ee9c.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIEF77.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\{108D448A-5196-4E2F-917E-B502F591C9BA}\ProductIcon | msiexec.exe
  File created | C:\Windows\Installer\e59ee9e.msi | msiexec.exe
  File created | C:\Windows\Installer\e59ee9c.msi | msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MicrosoftEdgeWebview2Setup.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MicrosoftEdgeUpdate.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fnaf plus restored.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MicrosoftEdgeUpdate.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MicrosoftEdgeUpdate.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MicrosoftEdgeUpdate.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MicrosoftEdgeUpdate.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MicrosoftEdgeUpdate.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MicrosoftEdgeUpdate.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
  pid  | process
  5812 | MicrosoftEdgeUpdate.exe
  5404 | MicrosoftEdgeUpdate.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Checks processor information in registry 2 TTPs 20 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Modifies registry class 64 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A} | MicrosoftEdgeUpdateComRegisterShell64.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\LocalizedString = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.31\\msedgeupdate.dll,-3000" | MicrosoftEdgeUpdate.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ProxyStubClsid32\ = "{35725228-BF11-429E-B5B8-ED0F2BCABF82}" | MicrosoftEdgeUpdateComRegisterShell64.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ProxyStubClsid32\ = "{35725228-BF11-429E-B5B8-ED0F2BCABF82}" | MicrosoftEdgeUpdateComRegisterShell64.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods | MicrosoftEdgeUpdate.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods\ = "24" | MicrosoftEdgeUpdateComRegisterShell64.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C76C02A1-BCDF-4632-88E6-55698920001E} | MicrosoftEdgeUpdate.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\ProgID\ = "MicrosoftEdgeUpdate.CredentialDialogMachine.1.0" | MicrosoftEdgeUpdate.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3COMClassService\CurVer\ = "MicrosoftEdgeUpdate.Update3COMClassService.1.0" | MicrosoftEdgeUpdate.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\NumMethods\ = "9" | MicrosoftEdgeUpdate.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.31\\MicrosoftEdgeUpdateBroker.exe\"" | MicrosoftEdgeUpdate.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32\ = "{35725228-BF11-429E-B5B8-ED0F2BCABF82}" | MicrosoftEdgeUpdate.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachine\CurVer\ = "MicrosoftEdgeUpdate.PolicyStatusMachine.1.0" | MicrosoftEdgeUpdate.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachineFallback\CurVer\ = "MicrosoftEdgeUpdate.PolicyStatusMachineFallback.1.0" | MicrosoftEdgeUpdate.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ProxyStubClsid32\ = "{35725228-BF11-429E-B5B8-ED0F2BCABF82}" | MicrosoftEdgeUpdateComRegisterShell64.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\Elevation\Enabled = "1" | MicrosoftEdgeUpdate.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\PROGID | MicrosoftEdgeUpdate.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69} | MicrosoftEdgeUpdate.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\NumMethods | MicrosoftEdgeUpdate.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ = "IGoogleUpdate3WebSecurity" | MicrosoftEdgeUpdateComRegisterShell64.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\ProgID | MicrosoftEdgeUpdate.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB} | MicrosoftEdgeUpdateComRegisterShell64.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ = "IGoogleUpdateCore" | MicrosoftEdgeUpdateComRegisterShell64.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreClass\CLSID\ = "{8F09CD6C-5964-4573-82E3-EBFF7702865B}" | MicrosoftEdgeUpdate.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\ProxyStubClsid32\ = "{35725228-BF11-429E-B5B8-ED0F2BCABF82}" | MicrosoftEdgeUpdate.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ = "IPackage" | MicrosoftEdgeUpdateComRegisterShell64.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ = "IApp2" | MicrosoftEdgeUpdateComRegisterShell64.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusSvc.1.0\ = "Google Update Policy Status Class" | MicrosoftEdgeUpdate.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreClass\CurVer\ = "MicrosoftEdgeUpdate.CoreClass.1" | MicrosoftEdgeUpdate.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\VersionIndependentProgID | MicrosoftEdgeUpdate.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods\ = "8" | MicrosoftEdgeUpdateComRegisterShell64.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A}\ProgID\ = "MicrosoftEdgeUpdate.Update3WebSvc.1.0" | MicrosoftEdgeUpdate.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C76C02A1-BCDF-4632-88E6-55698920001E}\InprocHandler32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\NumMethods | MicrosoftEdgeUpdate.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}\LocalServer32 | MicrosoftEdgeUpdate.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\Elevation\IconReference = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.31\\msedgeupdate.dll,-1004" | MicrosoftEdgeUpdate.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32\ = "{35725228-BF11-429E-B5B8-ED0F2BCABF82}" | MicrosoftEdgeUpdateComRegisterShell64.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB} | MicrosoftEdgeUpdate.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\LocalServer32 | MicrosoftEdgeUpdate.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\NumMethods\ = "11" | MicrosoftEdgeUpdateComRegisterShell64.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\NumMethods\ = "4" | MicrosoftEdgeUpdateComRegisterShell64.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\ProxyStubClsid32\ = "{35725228-BF11-429E-B5B8-ED0F2BCABF82}" | MicrosoftEdgeUpdateComRegisterShell64.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\ELEVATION | MicrosoftEdgeUpdate.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A844D8016915F2E419E75B205F199CAB\SourceList\Net | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreClass\ = "Microsoft Edge Update Core Class" | MicrosoftEdgeUpdate.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.31\\MicrosoftEdgeUpdateOnDemand.exe\"" | MicrosoftEdgeUpdate.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ = "IApp2" | MicrosoftEdgeUpdateComRegisterShell64.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ProxyStubClsid32\ = "{35725228-BF11-429E-B5B8-ED0F2BCABF82}" | MicrosoftEdgeUpdateComRegisterShell64.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreClass.1\ = "Microsoft Edge Update Core Class" | MicrosoftEdgeUpdate.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F09CD6C-5964-4573-82E3-EBFF7702865B}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.CoreClass" | MicrosoftEdgeUpdate.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17} | MicrosoftEdgeUpdate.exe
NTFS ADS 1 IoCs
Processes:
  description | ioc | process
  File created | C:\Users\Admin\Downloads\JJSploit_8.10.11_x64_en-US.msi:Zone.Identifier | firefox.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
  pid  | process
  2552 | msiexec.exe
  2552 | msiexec.exe
  5152 | powershell.exe
  5152 | powershell.exe
  5152 | powershell.exe
  4020 | MicrosoftEdgeUpdate.exe
  4020 | MicrosoftEdgeUpdate.exe
  6704 | msedge.exe
  6704 | msedge.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
firefox.exefirefox.exemsiexec.exemsiexec.exedescription pid process Token: SeDebugPrivilege 4656 firefox.exe Token: SeDebugPrivilege 4656 firefox.exe Token: SeDebugPrivilege 5476 firefox.exe Token: SeDebugPrivilege 5476 firefox.exe Token: SeDebugPrivilege 5476 firefox.exe Token: SeShutdownPrivilege 5656 msiexec.exe Token: SeIncreaseQuotaPrivilege 5656 msiexec.exe Token: SeSecurityPrivilege 2552 msiexec.exe Token: SeCreateTokenPrivilege 5656 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 5656 msiexec.exe Token: SeLockMemoryPrivilege 5656 msiexec.exe Token: SeIncreaseQuotaPrivilege 5656 msiexec.exe Token: SeMachineAccountPrivilege 5656 msiexec.exe Token: SeTcbPrivilege 5656 msiexec.exe Token: SeSecurityPrivilege 5656 msiexec.exe Token: SeTakeOwnershipPrivilege 5656 msiexec.exe Token: SeLoadDriverPrivilege 5656 msiexec.exe Token: SeSystemProfilePrivilege 5656 msiexec.exe Token: SeSystemtimePrivilege 5656 msiexec.exe Token: SeProfSingleProcessPrivilege 5656 msiexec.exe Token: SeIncBasePriorityPrivilege 5656 msiexec.exe Token: SeCreatePagefilePrivilege 5656 msiexec.exe Token: SeCreatePermanentPrivilege 5656 msiexec.exe Token: SeBackupPrivilege 5656 msiexec.exe Token: SeRestorePrivilege 5656 msiexec.exe Token: SeShutdownPrivilege 5656 msiexec.exe Token: SeDebugPrivilege 5656 msiexec.exe Token: SeAuditPrivilege 5656 msiexec.exe Token: SeSystemEnvironmentPrivilege 5656 msiexec.exe Token: SeChangeNotifyPrivilege 5656 msiexec.exe Token: SeRemoteShutdownPrivilege 5656 msiexec.exe Token: SeUndockPrivilege 5656 msiexec.exe Token: SeSyncAgentPrivilege 5656 msiexec.exe Token: SeEnableDelegationPrivilege 5656 msiexec.exe Token: SeManageVolumePrivilege 5656 msiexec.exe Token: SeImpersonatePrivilege 5656 msiexec.exe Token: SeCreateGlobalPrivilege 5656 msiexec.exe Token: SeCreateTokenPrivilege 5656 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 5656 msiexec.exe Token: SeLockMemoryPrivilege 5656 msiexec.exe Token: SeIncreaseQuotaPrivilege 5656 msiexec.exe Token: 
SeMachineAccountPrivilege 5656 msiexec.exe Token: SeTcbPrivilege 5656 msiexec.exe Token: SeSecurityPrivilege 5656 msiexec.exe Token: SeTakeOwnershipPrivilege 5656 msiexec.exe Token: SeLoadDriverPrivilege 5656 msiexec.exe Token: SeSystemProfilePrivilege 5656 msiexec.exe Token: SeSystemtimePrivilege 5656 msiexec.exe Token: SeProfSingleProcessPrivilege 5656 msiexec.exe Token: SeIncBasePriorityPrivilege 5656 msiexec.exe Token: SeCreatePagefilePrivilege 5656 msiexec.exe Token: SeCreatePermanentPrivilege 5656 msiexec.exe Token: SeBackupPrivilege 5656 msiexec.exe Token: SeRestorePrivilege 5656 msiexec.exe Token: SeShutdownPrivilege 5656 msiexec.exe Token: SeDebugPrivilege 5656 msiexec.exe Token: SeAuditPrivilege 5656 msiexec.exe Token: SeSystemEnvironmentPrivilege 5656 msiexec.exe Token: SeChangeNotifyPrivilege 5656 msiexec.exe Token: SeRemoteShutdownPrivilege 5656 msiexec.exe Token: SeUndockPrivilege 5656 msiexec.exe Token: SeSyncAgentPrivilege 5656 msiexec.exe Token: SeEnableDelegationPrivilege 5656 msiexec.exe Token: SeManageVolumePrivilege 5656 msiexec.exe -
Suspicious use of FindShellTrayWindow 53 IoCs
Processes:
firefox.exefirefox.exemsiexec.exepid process 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5656 msiexec.exe -
Suspicious use of SendNotifyMessage 50 IoCs
Processes:
firefox.exefirefox.exepid process 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 4656 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
firefox.exefirefox.exepid process 4656 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe 5476 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
firefox.exefirefox.exedescription pid process target process PID 632 wrote to memory of 4656 632 firefox.exe firefox.exe PID 632 wrote to memory of 4656 632 firefox.exe firefox.exe PID 632 wrote to memory of 4656 632 firefox.exe firefox.exe PID 632 wrote to memory of 4656 632 firefox.exe firefox.exe PID 632 wrote to memory of 4656 632 firefox.exe firefox.exe PID 632 wrote to memory of 4656 632 firefox.exe firefox.exe PID 632 wrote to memory of 4656 632 firefox.exe firefox.exe PID 632 wrote to memory of 4656 632 firefox.exe firefox.exe PID 632 wrote to memory of 4656 632 firefox.exe firefox.exe PID 632 wrote to memory of 4656 632 firefox.exe firefox.exe PID 632 wrote to memory of 4656 632 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 
firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 1572 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 2624 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 2624 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 2624 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 2624 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 2624 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 2624 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 2624 4656 firefox.exe firefox.exe PID 4656 wrote to memory of 2624 4656 firefox.exe 
firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fnaf plus restored.exe"C:\Users\Admin\AppData\Local\Temp\fnaf plus restored.exe"1⤵
- System Location Discovery: System Language Discovery
PID:2652
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2044 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b640045d-4c96-489b-9e6b-2ce3a6a9d3d2} 4656 "\\.\pipe\gecko-crash-server-pipe.4656" gpu3⤵PID:1572
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2444 -parentBuildID 20240401114208 -prefsHandle 2420 -prefMapHandle 2416 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76e573da-f83b-48e6-adc0-8629096c2ad5} 4656 "\\.\pipe\gecko-crash-server-pipe.4656" socket3⤵
- Checks processor information in registry
PID:2624
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3020 -childID 1 -isForBrowser -prefsHandle 3012 -prefMapHandle 3008 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bdb30fb9-ff6f-4abf-b4be-dd0173089776} 4656 "\\.\pipe\gecko-crash-server-pipe.4656" tab3⤵PID:2204
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4224 -childID 2 -isForBrowser -prefsHandle 4204 -prefMapHandle 4192 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e27558ab-697d-48cb-aa24-a5b074e6e54f} 4656 "\\.\pipe\gecko-crash-server-pipe.4656" tab3⤵PID:1452
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4832 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 1624 -prefMapHandle 4928 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5014a675-20f5-4918-94be-2c94998569d9} 4656 "\\.\pipe\gecko-crash-server-pipe.4656" utility3⤵
- Checks processor information in registry
PID:1924
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5376 -childID 3 -isForBrowser -prefsHandle 5372 -prefMapHandle 5276 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c289a402-4a5a-4886-912b-36ed7311f833} 4656 "\\.\pipe\gecko-crash-server-pipe.4656" tab3⤵PID:5584
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5520 -childID 4 -isForBrowser -prefsHandle 5600 -prefMapHandle 5596 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5d53988-0a9a-43cc-b020-71824fe32413} 4656 "\\.\pipe\gecko-crash-server-pipe.4656" tab3⤵PID:5596
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5508 -childID 5 -isForBrowser -prefsHandle 5736 -prefMapHandle 5740 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be54337c-0349-4ab6-beda-0c92f6c4148d} 4656 "\\.\pipe\gecko-crash-server-pipe.4656" tab3⤵PID:5608
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6168 -childID 6 -isForBrowser -prefsHandle 6160 -prefMapHandle 6156 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc9890e1-6f94-4add-afa7-b3b0f3ea3531} 4656 "\\.\pipe\gecko-crash-server-pipe.4656" tab3⤵PID:1928
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵PID:5456
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5476 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2036 -parentBuildID 20240401114208 -prefsHandle 1964 -prefMapHandle 1956 -prefsLen 23680 -prefMapSize 244705 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fbd16746-29ce-4152-9824-18977ff51655} 5476 "\\.\pipe\gecko-crash-server-pipe.5476" gpu3⤵PID:5724
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2444 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2424 -prefsLen 23716 -prefMapSize 244705 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9855953c-cb34-4d26-ab06-34311e239a96} 5476 "\\.\pipe\gecko-crash-server-pipe.5476" socket3⤵PID:5840
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3112 -childID 1 -isForBrowser -prefsHandle 2980 -prefMapHandle 2976 -prefsLen 23857 -prefMapSize 244705 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f0bdc9c-c4f5-4bc4-833a-0b523a06072f} 5476 "\\.\pipe\gecko-crash-server-pipe.5476" tab3⤵PID:6044
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4160 -childID 2 -isForBrowser -prefsHandle 4152 -prefMapHandle 4148 -prefsLen 29144 -prefMapSize 244705 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dcbcf877-9754-403a-b89d-7c920745ad15} 5476 "\\.\pipe\gecko-crash-server-pipe.5476" tab3⤵PID:2336
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4696 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4708 -prefMapHandle 4692 -prefsLen 29144 -prefMapSize 244705 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1947da0-f403-4ea6-b876-6a4d19cde1a1} 5476 "\\.\pipe\gecko-crash-server-pipe.5476" utility3⤵
- Checks processor information in registry
PID:5788
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5012 -childID 3 -isForBrowser -prefsHandle 5000 -prefMapHandle 5004 -prefsLen 26998 -prefMapSize 244705 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c627616e-0737-4454-b7df-eed41a21029f} 5476 "\\.\pipe\gecko-crash-server-pipe.5476" tab3⤵PID:5336
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5132 -childID 4 -isForBrowser -prefsHandle 5140 -prefMapHandle 5144 -prefsLen 26998 -prefMapSize 244705 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d84875d0-2a55-4a4b-934f-0c6ff7623f83} 5476 "\\.\pipe\gecko-crash-server-pipe.5476" tab3⤵PID:5356
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5412 -childID 5 -isForBrowser -prefsHandle 5332 -prefMapHandle 5336 -prefsLen 26998 -prefMapSize 244705 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df622ae1-3082-43b2-b312-355aa6a5202a} 5476 "\\.\pipe\gecko-crash-server-pipe.5476" tab3⤵PID:4624
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4972 -childID 6 -isForBrowser -prefsHandle 6172 -prefMapHandle 6168 -prefsLen 26998 -prefMapSize 244705 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fea4cc5-1e0d-4e83-a16b-ec77da221a2e} 5476 "\\.\pipe\gecko-crash-server-pipe.5476" tab3⤵PID:6036
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3692 -childID 7 -isForBrowser -prefsHandle 3684 -prefMapHandle 6196 -prefsLen 26998 -prefMapSize 244705 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9f05b27-57d7-43aa-b89a-a158991a7ecd} 5476 "\\.\pipe\gecko-crash-server-pipe.5476" tab3⤵PID:4604
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6860 -childID 8 -isForBrowser -prefsHandle 6848 -prefMapHandle 6904 -prefsLen 26998 -prefMapSize 244705 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c562cbc2-58fb-4fb6-9525-a40d1a922078} 5476 "\\.\pipe\gecko-crash-server-pipe.5476" tab3⤵PID:5248
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7072 -childID 9 -isForBrowser -prefsHandle 7152 -prefMapHandle 7164 -prefsLen 26998 -prefMapSize 244705 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a2c5f03-91c7-41bc-a645-c324a52b80c5} 5476 "\\.\pipe\gecko-crash-server-pipe.5476" tab3⤵PID:4432
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6500 -childID 10 -isForBrowser -prefsHandle 6400 -prefMapHandle 4384 -prefsLen 27785 -prefMapSize 244705 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1077b66-ebc9-4b87-8165-e86e18f276e6} 5476 "\\.\pipe\gecko-crash-server-pipe.5476" tab3⤵PID:5056
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6216 -childID 11 -isForBrowser -prefsHandle 4972 -prefMapHandle 6460 -prefsLen 27785 -prefMapSize 244705 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d1cb51a-5f35-4fe0-8015-c9ec77366dd0} 5476 "\\.\pipe\gecko-crash-server-pipe.5476" tab3⤵PID:868
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6492 -childID 12 -isForBrowser -prefsHandle 6916 -prefMapHandle 7156 -prefsLen 27785 -prefMapSize 244705 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {41d634c0-c467-472e-9a7a-a3fe098b8bc3} 5476 "\\.\pipe\gecko-crash-server-pipe.5476" tab3⤵PID:180
-
-
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\JJSploit_8.10.11_x64_en-US.msi"1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5656
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2552 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding BDC42C08FCAACEE89BA4C95786DBE801 C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:684
-
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:2272
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5152 -
C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe"C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe" /silent /install3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2748 -
C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\Temp\EUCC3.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"4⤵
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4020 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3988
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3096 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.31\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.31\MicrosoftEdgeUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:6016
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.31\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.31\MicrosoftEdgeUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2168
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.31\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.31\MicrosoftEdgeUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1636
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMzEiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7ODk1OURCRUMtMTM0Ny00NjM5LTk5RjgtMDFEMzU5MjJBMzBBfSIgdXNlcmlkPSJ7NjFDQjgxRkMtN0YxRC00MURGLTkxQTgtNEIwQzU5NjY3QTc2fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins3QUVBNTIyOS04RDhFLTQ5QkUtQjA2OC1EOUZBRjIzNDA4M0R9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iIi8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNDcuMzciIG5leHR2ZXJzaW9uPSIxLjMuMTk1LjMxIiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI2Mzg4NTI1ODIxIiBpbnN0YWxsX3RpbWVfbXM9IjM0MCIvPjwvYXBwPjwvcmVxdWVzdD45⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:5812
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{8959DBEC-1347-4639-99F8-01D35922A30A}" /silent5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1008
-
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
PID:3316
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
PID:4060 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjYzOTIwMDI3MTkiLz48L2FwcD48L3JlcXVlc3Q-2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:5404
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultae9903b8habadh41e4h9ea7hd9265bbf91931⤵PID:6464
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffe0e8446f8,0x7ffe0e844708,0x7ffe0e8447182⤵PID:6488
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,12831373416021954786,4646381414580325606,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2024 /prefetch:22⤵PID:6692
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,12831373416021954786,4646381414580325606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:6704
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,12831373416021954786,4646381414580325606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:82⤵PID:6816
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:6968
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:7000
Network
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution 2
Component Object Model Hijacking 1
Image File Execution Options Injection 1
Privilege Escalation
Event Triggered Execution 2
Component Object Model Hijacking 1
Image File Execution Options Injection 1
Downloads
SHA5126f6dfbf847bf440185a93719486010355003276ae9fe652ee0ef5a7388e055344f50892bda96923f59ddfc111823c04aae9e488fe1a21bc03e68bb684ff69cf4
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\009555156ED9F89F57B2FDE1C16F5E63120DB4DF
Filesize139KB
MD587ae0ebae2a1c3f53e838d7ea447cd18
SHA101280bd68622d3961db6017716fc0b280a6b4b6d
SHA256120e5fd6e4e8d88efbed14c960785cab9b1994a3129bc98ceb7313f2507853d6
SHA5125a2135137af90ac0df7260a2586350bc18e52b421db2ecd03ecec98fde4afd81e6c7de73804b79488b16b840e0b6fc51c9ef06d15d2751bb8ea3b7cc7acc1229
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\0305BF7FE660AF5F32B4319E4C7EF7A7B70257A3
Filesize13KB
MD50796bb3a41b98c4a72288a6a33a43762
SHA13bc29ed12389abd3ede578ae5d870ab5d66508c2
SHA2560894ddd252fb5003b48c208cc8ed727fcace4bf5cb5a1305fa3843937bd5c68a
SHA5120f5b1525cb8f78fb556549f41d4bf46ce12b56362e8d4cdb46e1a0f69af347f4a0de8fe6bb8a33f0210bf299f8ac472e07cfc8719b3df50402306e99b9522774
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\213E9B9C0CA79F5ED15BB0E8465CBFABD5DF3A2D
Filesize62KB
MD593fb419b5f60f57a35f54df7f1b4977f
SHA1900c483ff93bc77284ee8b0995c10b10dcc6d0a0
SHA256c0619301a9a9ebe07c31f73f19313638138c255584c4cdefdb9283327f5dc28b
SHA5123dc0d167c62b97673a02c8ace5191c203651bfaffd11a0f7ca4fdadcdb2d9f174f60c26a2ec85920b5d6f1feba0b3c44a7699b0c7e11648bb00f18309223a0a2
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495
Filesize9KB
MD5bda66ef81b2db81bc12dcf8a4c3fc957
SHA12e372651ee95b3500e924970a4e7bd81b19ad030
SHA256c6b7eceeb823cd1f884d3d439fd13077579f764079766ca77be9bd46e99fd0da
SHA512825e7447ff1dffd1a4859af42ff4e2c24816efae9f954598d0e2111c60b7efdfac2141e958a295070cfc3293236bb941693424f23ed65979d0cdba3a41e0909c
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\2B16ACC15AA680352D12943E950AB926A085A466
Filesize224KB
MD527b6a03559aa14e4cab6ab431c7c6031
SHA1a4c7f59d893041b2b1ffb9d557f6fcfdfa0eb1f1
SHA256301c385ec508bc989581455ff4c4c4ad8353151279771d7f5a3f1c298ce821a9
SHA51298138b6a6a5daae8cec121f8b51c259c7276de7c086017753b51a82b8288c9469b903b63864692cff05ae91fc1c4475b5b58e99af7ee944de118b301f5aea12b
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\2C2CB353008FAA8559773FC209C76F11DDEA3573
Filesize13KB
MD50fc2dae890bdc0432c5b6022bb06590c
SHA1ebe08287a5a857043e73d79cf96988c50d84afd6
SHA256a9eabb355ff9847a3ca1550519ae6577e2926385da6a205cf1f13d429105c0f5
SHA5122bcbffffa465bb578aafd2eed0179ad7deafdb0e9366398c34374580b7fc9ca88609c0d70e33be96d4a1c89ac71a3a1f5c8238a7d0ad9ae4b1343cd3110310b8
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\5EFB7B0E6074226F79A8AA9919C3E295081C6B61
Filesize22KB
MD52a14050dfcb318ac6cdb4085a7c8355c
SHA1f806cd5a1d3d49d4806873fc6caeb6b60bdcb1d7
SHA256ac130d251043ec63448456e02e0403edc2216edf69add714230668d398ced22b
SHA512dcef6507e50ee28e4f0738e40bac03d047e5c3fec0d35dcea22cf627380306a11a0b7fb141d7c76b9373c694ce42520f2c87ae459a8fec7d4fa1a72a30b1da51
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F
Filesize14KB
MD56bae9c2d8a575bf2b171b53d5ea625fc
SHA1ab846c8aa8aecc5e83e7172b226b2c55668cff87
SHA2568cdd36de5b4c2ecdcf23685d0d2089834ba7a52e3b2106a05396523d0b4604b6
SHA5123c29215c893298dd99d8202c3f383e988edf4e9618c2ba0cc4fc1cff896141dc5f7d023237dcfa24d11625aa13fb1b9afe13906f2cfee4b752f4b6a65dced156
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\6EA2823892BE2B04EC41A4EDD4AA4E811A006311
Filesize14KB
MD5e93ce2f43c5d69aae7fc869c0366f2d4
SHA1cea539b577f1a6bfc8de1009c72db36ff5d1bbbd
SHA256fdc7030919fa2c69d2c0da68bacbfa74460dadbabb652ca9a7a2d2771d150649
SHA5123ab4dd21302fa2d3bc38c0e33c384c943439d9c0119fedecb0f3161be4c1f8d3d028bf5a0dfb3a7ddf97f8824de569d56a61cd08d9a90e65dd78a1cfe8c63a06
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\6EC2AE770EFC3451D85A600B7DBCCE4A25142850
Filesize224KB
MD549ab10c4ecd4029a048ed0059c05d76c
SHA192cb1887734efbe380c1631bf4931bd912c7a88d
SHA2567d10684da427362d8b94cec62eeca5339d06224168145ff1f64fd0bcdd588d39
SHA512a6370e48fb808df489960c677ec9aa2205f89bdda0454fb8c3791ec130d33a22694088c30dfaa0f0dcd8a87c09ca3aa475e91084e4be6d14864dfcafda06cef3
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\74B59C6A1551D74BB99E6CB6A45B631D2D390D50
Filesize13KB
MD58b30ca8e10c82546296ad1b54a13f43f
SHA189729f4bef41bb89ce41859d582ae9b46342eef1
SHA256bdb403b57deba18e0207c156776f60b051072878b8990d1ea555d49182d5cb55
SHA512b375b25432bc83c2a63db3cc7d2d7b4b0d0ba8fb1c9cfb61a06ce593efe40241346198e2f53f2905fa3a69aaf5ad1727ba49962790c43847d0d95cf698ee52a3
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\751348728EB168457C9B1AF6B175D7474AEF4FAA
Filesize121KB
MD51a8cc299b26dc0ff1a82ae3a73c66eaa
SHA1798326c228ad8cd898e3f73cdd3b9fc7abf59632
SHA25668c8613631f32ad89d0ac7d31d400f28cc29ab18ef9fda8f663ecde28b02a21a
SHA5126b55e130b6d245a2356f106aac625763b524c038a0884651278555549881c50b6c3de515c053d8c4b67248bce86e278167efadd6d8373ea05b8d05c9799a2ef2
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\7BFCF32544F467F973AF267DF4EB4842EDED0C1F
Filesize16KB
MD55b585639d5bf7fb2c7d6cb796e7378a5
SHA1ee520209637eda3335402fc6232805b1c76d52a4
SHA2562a537831e28262ccb424fdbbc38913338870f65342e22dce767e6739a48d28b9
SHA5128c68e9cab81ec3e604184e6fe5718980aeb30704c61d06546e865cd21b65eac56a1c89a33a768bc50e3182f0a79a85ea1bb1a0e0fdfe6659e52edd999064b75e
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\8540EC873F08CBAD5DF5121BD3BABF95624B4A14
Filesize16KB
MD5928faa135d293b709b8a355aa57bc094
SHA1cc6e9c7478a2c3e8f19a5481866450e81f8a2fe0
SHA256410d24a23afda274f70e22d0523acf6c7643c3e6dc7fb652121c9ce6140d7511
SHA51238186bb348c1c71b4e15cd6cb0f3f5652675a9870e6133ee43987cecee4f0ef33cbc703f1d0e7de993389da9bc809fb7a62bce5cace0b67035f00d6634e3b616
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\94F72B6F2D0DC3ED340D601AFA278D214906FBC5
Filesize9KB
MD538484e57cb289b10d29f3e969a152b1a
SHA1dbb77e55b751d032d7456357f31819127b3f9353
SHA256f1e00ec32bd01aa1b233bb3bfd910132d5b217d433a987d97912bc81a12b6da5
SHA512504cad65f7f95c4f0fb4a52cc681fee4c42b6d5bf6441600f8d88dfbac3d194f6d115806d7e6691c1305f2a5d8ed814f98c738a42d28681c2e6d835ad599f794
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\9FC8C85689D31525EACE26158B83B464F43A027B
Filesize23KB
MD5d7806988c9f6d90cf914c7726464f5cb
SHA1e3cb68422c1d77d4e126df88539afacd2a745db8
SHA256f7d7d6dba42b60aa0d7e591bd53aee8a201264b3a0029a7bf4e8b04edb3673df
SHA5121e00fd1788e300815b7f07d6ce05bb031c32c9b5e013782f450d07aa8fef87d4402dc165c7bb6eacae3b020dca48891d480be19bb0a787d85dc01a614566c781
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\A73149400505F6C6E59516A03821C85131C5938D
Filesize13KB
MD511403f96dd071468aec1922ed7921a89
SHA1f8d45b7a3938372805c3bc78517f4fd6bcec3243
SHA2562869b45e9a5ccf35bed61f252ba39ddd0965bdab29ed6c0266b8fee3a96eca1b
SHA512f62b4ef951ac4891d337ecc94836788dc413fe79a668a304e8e8885ae7da2dc94abda820519ea33788ed969f638b02f04248ad89100cf3fd10b806a8dcdb41a6
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\A752BE816C32A166B4212612D41570FEFDA0B4E8
Filesize24KB
MD5074006f4bd025c267fb151b6900653ea
SHA136d00b286eb5c0cd2cc46a5659f298959fbf88cd
SHA256b92675ab948de1a361093ade3007dae95a36965fec8f656da6b22bb673bb5146
SHA512fce82c47de0a3c24eab4418282ac20b9d2f8884032c9862faea931593e0f7f984d60d03492d953875f111e0cbbb45ee4a2161b755310f438dfdf326b8850513a
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\A9FB5E6047697568641592A7A75CA6ED3DBF5590
Filesize9KB
MD5ce7e2c855348fdf2e49f83172cedc78d
SHA1d7a84be5cd5cb72ddaf2c64cc8ba3813d45cd7be
SHA256c00da6650c6e53aaeded01041bfec9d2445efc6ced5269e29e0b2cf3402b34e0
SHA5126428f67658cbf63eff04ad03eb083456a64905a7aa56cbaaacd16629a3c24a522b85a8e40319c1831f538fec907c4986a250279503ecde7b06abb84b7def4c4c
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\AE6C91A7A94F8219B78F6FB4AEBCFA5DD3A78D91
Filesize49KB
MD5db4a87f07cd2e5d66a49ebc137ee3749
SHA18ae3286daa0bba169b80df79208232c5de466f47
SHA256e9a1a3553c43f248a9752e54994893960b45d30393ab2ecf5903641794c0e7bb
SHA51292f8de9f01944b9c483d5b95916f862bb466cdd85d733865a419db08f02d513f5f9991d947c220c3cffd8097a5389a509bd949c43ce05c642d19281e015a0cac
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\B403CD48B9B4A9E6E9DE38291F2B8425CC3BBA9A
Filesize77KB
MD59b9ab2b540798d719d26b205d7b98af7
SHA157df20c9843178301610de47b8bfa8cd1aea5527
SHA256fb70141a57422b498b86701e3859b9589572d3ab0ae9f599fde69fd243c363ad
SHA512c979fddef37c979d60038c1b2b6959bdf99d18ffa066376bfff7ca4df03499df0aa27cee8920654e66cafe26f9c781c8cb30d81acdab949cc2a349ad09950309
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\CE30F9E7CB4E0D8AEB054228E581960CC2812E48
Filesize15KB
MD555c94b3b485bae37248c31884b399336
SHA1ed718a6034fc5a7ef13ef776956ded14bbb0d95f
SHA256b734ffc26e266a55928d96688004b957c2ea2787bd41e70427d23f2f95fad382
SHA5120979357fdcc29a6b3c4046536a3f1e6fae222ed7f87da93431a9902fbec03ee69c57b0c2b29326758f75232533e029a37e4109983235ce77050d2568f92d447c
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\CF04E6D390ACCF1C56F9F15C2023E3D3C114BE85
Filesize9KB
MD5df828bfa5d4fce464476b6874a4ff04b
SHA10fa0f0a21f0f741b2e968e33afe87ddbc3a7a708
SHA256c3810a64332eec920e204f89948f2e1db2d66bc928be3ce0ef54038361e01aa8
SHA51244881e63547030adf2d3b2d7b94da8c2e442135e0991bc48dbe591a79b8c153177bd2c81a86651339b2eb1b3d4185d87b1a8fa17f168d59d60624a57f0a06463
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\D0F48A0632B6C451791F4257697E861961F06A6F
Filesize134KB
MD5a31e9a4d65a1d1ab7156134b2f3245f1
SHA11f51e51f5b1343ec5cae998105c337da4c15297f
SHA256cdff12f7b4e1a75d950af3b729c09a88afe8a4cf987d45258386d6e5e189f9af
SHA512d8f917e8736d35b56d96a036cbd1d519b030dcdd59f24088c0d4694a3e7c32f92bf048f42fc91fb365519ccee8bd08497d82eb4ad3a75523d5aaaebc682cc210
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\D8C2CFE0485DFC922614553B1999E8CE09530D68
Filesize23KB
MD526d0387ff765867d9c5da579cac97009
SHA18956794c6595d326211fa71478f4c84256867b8c
SHA256e6968512334367f940fdc85d4605d1c69ba65f9153d8454e92b64edbaf554794
SHA51294056a46da2b035d931551a9361d3cefbb80cfa2b4ffb3b38f154f5b38d85e1f365015e91ca20c9382d9962f39c23704700505cf367b1ad66f63cb79ae74651b
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\EA6D9BDE7E0D49FE4A6CD50D4500CE4E0B32B2D5
Filesize788KB
MD51314430e2e4a799168369e6799e143a4
SHA1a84e56deb1b8e44486245dd9a0cb087fc014ee25
SHA256874a8758f6cf9b7031b8c896e9112c1e1d151e15c557cd70b2f9441dfa130a2a
SHA5127d386b161c845b3759b607806daf0f2afd12e4c2563c92030506419322cdbb54ff5275e51daa4dd83d400f22dcb62f8f15f1364a74b3438275d6b37bb00ee211
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\F0170AF0AA6273CDA9D105CE8905143FE8159A19
Filesize15KB
MD58321aeb763c27676a96c03907799ea7e
SHA1f5e643dda397ac61ca1aa4eef5c15ac58afd698d
SHA2566a98f5fa8508e5e8bb60b5aed375fefaf8e21687abfa7ba16f7f690ecf76226a
SHA5128ce28467cd7060196c827aaae255f43447d309044e7beecff311f729d1585f3b30024d5fd3d74744731d8ae185434d6b476d064832b46a65ee018388a9fecc10
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\F18D85F52EBBBA2AB081EF739ED0D6E8A76D497C
Filesize298B
MD5741af7bd9d0823aaef92571e0e71c592
SHA1b6d6871812480c1335b2812171aed42fe4fbbc13
SHA256a540c61cd9480ffba0b4bc084943b640cb90a04433977dc4d8c6c510cfbb2ce2
SHA512d909b0220cb54c303d006568cbf1517ebe069c6aec8e05d9216e7cec392873ded30fcb0a752efc091a4754fc60a82e694b5a1473c01b8374e6ca4e491b412b8b
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\F21F53293B85556D4D7282B4E507DC37E6D6037D
Filesize9KB
MD52a3203fa0925c1c347dd7ebf6a19eeb2
SHA153b8bcfea2a1a13eb17f673690c68ada4f492d8d
SHA256cbafcf1cc9d01d5e1c0abd972d2f55bb77a64450565618e9cfd753b4e32f1e77
SHA512176f64f2d0811b65281bedc97dae997513dfa605854de64ffdd886845abb2b2ea0ec004b5838812b6c56195f40b09ac3d0770aaa65296e8c8d0da9b7836b7800
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308
Filesize9KB
MD507d3833ae90e765aa4500e7c8bb94e6d
SHA173541401d581b529615a18b79cc59614b85b2f13
SHA2565fb87fceadd78fd95d88ff521ec179b41935bbde49452840e05b146f88b66081
SHA512ef7b65b9fadbc9090f14701e0693965421b3e458831389461a0ce1429531b81bec2ae0e1caced18de5eec0f5f0c7c5cd59de1d7a56b9a9ba0a15a8fbb3306c3f
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\FD3C8B7B2C5FC530AE8D3FC8050677579C3D2E17
Filesize10KB
MD5fc0d878ade1ec44a3a23fa0fe3cccf16
SHA13d45e003ba7f086c0c304ae39d47624b33037eff
SHA256da1e9a6f66bb709416b9720c23836882e3c078ee2fa036b122a8f9041c6d40c3
SHA51285b27baba6f20d6503ceae7e7a63d4ae65a88d6ce7cba706800c32c6ca44fe6ede14b77cca936951ad0792c945c83c7bcd405ce21fe4668582eb79bbf7265237
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize13KB
MD5f99b4984bd93547ff4ab09d35b9ed6d5
SHA173bf4d313cb094bb6ead04460da9547106794007
SHA256402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069
SHA512cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\startupCache\scriptCache-child.bin
Filesize705KB
MD519bcb67b36d0284fb32873aad9382b44
SHA1c2ce4e7798ff2373b2b576ded609847b5a472a70
SHA256df3d383cba8360899ab4f9799f60b21d13514f32d5c5676a94fa985b501377ff
SHA5120c19153c37e4fbeda74b0e32786a6fe99b2fab6c9691843a569f8613095e72b9d8c5a1128dcdfbc6c236dce4e5a514dce3c96ec17f22d4643120c7e00723fd1b
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\startupCache\scriptCache.bin
Filesize8.6MB
MD54551573765d73123135582e99c7e4f1f
SHA140705549db265e817657b5cf34a1589298202ea6
SHA256da95fd6f4f84e1118f01c10978bb99401412b706b0143b891895d3313c9cf0ce
SHA5126d6a88e53ec389b4e20f3229307cfabf78f732b8cb1b16ce72a75a1b7ea9a0092e910fbe062151fc98733dbd5830496ebb4d9ae8868de23fc4ac82c0075d799d
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\startupCache\urlCache.bin
Filesize2KB
MD55b497b9ae05fad99add047ef442ac0a3
SHA1dc59ae5e443696c014c5f7db10bb53111366f8cd
SHA25684f51002133020eddbcc37fb111243eccb5ec9eab1c8636982a1e38f335fa2f3
SHA51279249a0892ce8b8aabd482220a0fda616e56c64603d56ea68eb0c9917e10d15d557c6c749f6218d2b3f584bf284ed95a3e6ba46132453f8fd6a93e24c05331a5
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\startupCache\webext.sc.lz4
Filesize107KB
MD5109296395499eef8040d01ece7aae423
SHA1f504b3f22a4f10fb8ba2180e4a1997c3e4de2704
SHA2561595cd43a72312a95b55ae6aa5e373a7a1210ae9565b96830b76b6b5ebc1c586
SHA51253bffcf35b29aec51e51fc82be478de2e452f7798af0aa101c2e9b6358f44fda7a12f9d2e4523569651e12423a63a79387611b45522d36198da6cc93eedb17e1
-
Filesize
132KB
MD5cfbb8568bd3711a97e6124c56fcfa8d9
SHA1d7a098ae58bdd5e93a3c1b04b3d69a14234d5e57
SHA2567f47d98ab25cfea9b3a2e898c3376cc9ba1cd893b4948b0c27caa530fd0e34cc
SHA512860cbf3286ac4915580cefaf56a9c3d48938eb08e3f31b7f024c4339c037d7c8bdf16e766d08106505ba535be4922a87dc46bd029aae99a64ea2fc02cf3aec04
-
Filesize
1.6MB
MD5431a51d6443439e7c3063c36e18e87d6
SHA15d704eb554c78f13b7a07c90e14d65f74b590e3a
SHA256726732c59f91424e8fb9280c1e773e1db72c8607ad110113bc62c67c452154a6
SHA512495d60ad05d1fadb2abd827d778fe94132e5bfc2ae5355e03f2551cd7a879acf50cc0526990e4ccde93bf4eff65f07953035b93cc435f743001f21b017cbfdfd
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin
Filesize46KB
MD5e3092a38f584c2fee2a229d23d6c9e30
SHA1626de8fe01cd043abb15fe065b8a87475245a1a6
SHA2569672537944182d749cd290cfe6f2e1a6254b203346238ee1bc3a50559c89c427
SHA512276bd75dea5a2003d4a4f8d79b3679fd8727fab6882d29619b8f5025c502cdc1a5f47fcd4465c77a62ddb170c8d1a5dec746d6396d90a441490711306cc2aeb3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin
Filesize6KB
MD57ca6a57edafb87c404747c3c01ac0c94
SHA12d97ebd584b919feab879a4d6d83ed76125f5b2e
SHA2560eab2ceb37f14b6d1dfeac57c11c278ad2d30f5b8989ac7d974e72c030e16ae8
SHA5124464a059d5a04f11215038b29fb2e86f8f3710a25141c34d1b62764c2cf229c92f07c7a5f2ccb2e1b681bed9a36574bbf7629991fa56ab08992ff93ddb42de99
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin
Filesize8KB
MD5b9f9da891e394e92b61b140d1a110ac7
SHA1d488a9f9f8dfc7863df4fa3a7cf7ace917910d0e
SHA2561e957f72f0219f43eb93385110ce229833a22ee0eb10754436241b33c29a5739
SHA512b073b2b1ae9fcbf8f208d897780494e1d8c6e763e2ae7286327214fb68d9423cc5d64513b42831464da9c1e6aa1009fe5d269bacd2fa90e2a7aadd494d615f44
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin
Filesize10KB
MD55457b2c4f7dea72c328cf48a21004d10
SHA120f9fff7471d56d8e7c7a62c7770acb37fd1097c
SHA2566e2d713e85b2da63c73417373c08eb25eed9cb9361f9a465099000acb2514a6f
SHA512ffbb1745cd08c974120bcf5708b4682a108523c56cfb165130201c6c7252f72cfc7d9a16f023becb95ef0691c1b34f87e5e28bc7add2677ddc73c266176087e2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin
Filesize11KB
MD5b0cd47cd356a36e6b6f2d09e6e7ca82f
SHA1c978cc89ebae5a96d8b4bbb0614f3546eb66ebe8
SHA2560b71edd6f273cc00c720c244972681fe0f3634b0f05203e9db8707a934a31fec
SHA512f7b4a19dcf1e6cff2c147b54ffc417c63beffa073a88f20309a7f09fee7fd395f8e1e5cd478646e2c5e9ada3afda1e8c4f3d37150979285f3ed706fd59cecf9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\SiteSecurityServiceState.bin
Filesize1KB
MD5a0f62a0f61ce80087ae6c65d825e7a0e
SHA115792e01ca152cd7c3ef7f4905339bd4b6c5dbba
SHA2569f02338b1d426c12309a97f03fc42cb8423f5c7c22b074a9b66f9532acfc10db
SHA5127ff637fad92768fdff84b681ff99051dad5f734b0e4981f9ac8a8159779bb56ffb019dcca05c2fb73eabf58c47a7bedca3cb5c66ab40bfeaadcfb44ad8b15539
-
Filesize
224KB
MD5b9974ea4b213e2497e6c2586ed5c31cf
SHA171b119435535c619ccf48dba2248d0d3a8f09524
SHA2568639c123b6db8ec881ede17d4e6adcff4e2d7c1ed06e6b9c7688de7cff9c8128
SHA512dfc273d3de49e04021da12a10636b3fb3b53d731e1f54facd95fa09e1c08986c0bd7596b8bac655178148cfdc197e9baa4d372a1d61eb2cf9b76c4b6a43bdb87
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\content-prefs.sqlite
Filesize256KB
MD5b5acd9cf58ba89e643e7b2e839e0707e
SHA182c2b9cbea4acb50b446b786818287be7b0b8b61
SHA2564d4fd87f1cdccc9f826ab7de2b3980db6fe4ed328f079ceb24f680557da9667e
SHA5121fdaf5173a2fa956e3793b3643b44d928a4c81a1599bdf4b057396bfca5948ce1097194dbb5f528959c8cf4e34d058922828236c6060b41510e9ea2cb9ed424b
-
Filesize
512KB
MD5e706e8ae80beff97fbce6e6b92fec5e9
SHA1ec60ea38066b6317d63ec9ab909964b0dc482151
SHA256f652923f9201732515e666e0e82fd7e251db7f2e73c8aa6fd87a4977dee17f93
SHA512c9c24cd3006fcef83de0a77c9ed08e304f91340de1c6f61acd5f1111f9d9736328e8e7103a27ede7ee48c9ab94369e7a373be8801949bb05873d940b2d5f8a49
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.bin
Filesize46KB
MD589f56e58ba117e506f11b552d1471643
SHA1916a531dbbfa10b93f8c9a6eab122882fd75a0b5
SHA2563dd8be86a3c7175838fc68fa2916d557416daae2a769168f0d0fc6b8d4f0655f
SHA5121fa1930915de2bc0979691389855a5cebf1a60761531aa6303626e01dad69cc508b65bfff6e00ea0ad8d4ceb0909e91a5fff19fc5a688e17b49e72c880954205
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
Filesize21KB
MD5aa06815ab05177aa4ce897b99d942ce2
SHA1fea1cedc2307cda807e78008875c4386a7e4be15
SHA2565e15f0e0b158bdbd569349f2db422c7a40a2052616433e778e7ea1cbd1bde88f
SHA5120a45f8aa76571be5429ad70fc9c2d11759656461baf065fb764c26b1f19726afc2972d747b440eef8174f0eb56836444107578eecac9cf65d153e79f2221db58
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
Filesize45KB
MD5bdca914948bd46359d9906e6e8b5850c
SHA175f8cf4a0ee8e4a1de7b13bf67d9110ccdba95ff
SHA2569e474258d5eeee9d3777e0682be3ce1411c0088f54d18fdedfb5186a0e431b05
SHA512040345884cabb5007f748aac6c1510c2066bdcc561e45c90f689731a770c1299e7afd8886f84e3704223976c4459bf1d467aa836a139926a8716f3dc21019440
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
Filesize45KB
MD5c8d5195abb4708a8fbf3fc83b8516fc3
SHA117131558bc9b7e0300d80e9c7d992c43f38395dd
SHA256bca620a3f7c2559ff422ffbe8d29cfdc61474ae7d4612755465519768a74dca8
SHA5122cd5c78c0d27712b81c4b5591cfe1a2f0da5d4e1ca84992e4be5b175c7d72620e2b486d0de0ce3579479517c80e1c498e7edc323e388d5147f144024469c7502
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
Filesize46KB
MD5604a05d15a1dfa83f5eeccf142d314aa
SHA17599965a53cb0c8153466c5266141605d14eb863
SHA256f64de18bd61353a03ab1e59f98c0ade19b5095926d302a4cf86434e552f8c55d
SHA51261b9ff7b325547bfc4c2becf8a8db46c3094e281fdb7d26328cafec28dba8d4b1e9ed6f8bde32cbd1f519c298b09e6e1eaaf8f4d8f5637d0b7c07b77adec264e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
Filesize22KB
MD5c721cc107b46878f72729b4370ca68d5
SHA19d8f82a1a6a8ba0f62f5fc8f16c35cad84b8d887
SHA2561d288a6f6851743cf2da035a230c139b1c56cade68071252a606c69ef49a4653
SHA512ac1d431f359bd4ec440634ddc7024ad023ab4990343f8a2782a22f75682d7d5be46f64a0178c8a68954f88a86ab9aeaad7e6ac8ba6f8ab9293b2ed98c2b28131
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
Filesize22KB
MD550f1bdfcee7c443d6d4b5abb38f92056
SHA12bf5a309af121584b2808911baba3d08c0040927
SHA25603dfbecde7e5579feab1eb516ae44187e85255a703f898e1fe766c2d80ece634
SHA512f6482034c8b8b3d0dab47725f3eaa7f27029a20e9a6b3f4953c5e49c964c8b9bd80cc998e12e962e056780c7955831de13a3ef10361e709b1eb20d3420e0f503
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\events\events
Filesize1KB
MD5f6ea00fd7fb2f9f90e7b9f71c1bcfd92
SHA1db9184345ce3982f8ca3271ddc4ec187fe580d1d
SHA2562390c0ef5d75f034ac0275ac43e5874ae75cfcdab8c7c194d68775e8b3392b45
SHA5123db5f318d9722242c1125c5fab1897839c0231b03c8c7eaff573750ac9d1be7253cade825341d17780c52de134b41c7ad4a43a2ee3d6eb1362637ea477fd013a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\events\pageload
Filesize352B
MD532f6abc2df2d6f2ae8750e4363ad4100
SHA181de341c55065581887c89713fe8e96b069b5534
SHA256fc31a782024a8533e511764bc3d18e13422355d5d045041f90bf3a084b0ed4a8
SHA5127f615aff01aa93323e031d637d87b36f42337321ce7f887ff3f691a584df295769062826357420129e9c4a92442c11796bcbe65ad962c765cf2775cf9d8a873f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\08ddad0a-c5c1-4008-a95d-36350cf4725d
Filesize2KB
MD569574da31e9e6c0297839d3d5bc21a29
SHA1159095f6170d76cb6a8ba24465adc723793d867a
SHA2560ae96579e06adec1912833061b2aa4dee61743185b84df5e172ee60b43813790
SHA5126a9ae7d6bb476e9840c62fe9740591a424845a9bf6ec50a2470356bc44f840d835babb842756ea940d488732a3d0d783b35ddeb6161c3e713ae0fbdb6e0729e0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\31161437-0445-454d-8776-0d1e00d413a9
Filesize982B
MD5cad48de2c644d33eee33f78b0b94e98d
SHA12fd6f08b0cfc8e98d1a8f4fcdc0cf0c180100a38
SHA256ad03e1668afb341fe5782909270b18f6d0511a73e1185a9366e952ca8b9c1ea9
SHA5125ec536cc752acff1031a0a718215b50103810df0342c84c28d96cbddd8446f230a407cf84f67b7f5144f3247876a5727ce63bb41625b8551b2c123051502d6c6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\ce5c8cd3-25c8-4f23-9448-66d4e8749a00
Filesize797B
MD5485c4897bdf139f93716fd951f7fe78d
SHA19439666dd9e706218e11e3d12c0eefa90ef21f2f
SHA25615abb85da4c009620f81f7446a96c5fe4baba0cd07785c08d3431215cd64aef6
SHA512daf05f288456a1a15ad387abc4edfc0a8d82621e3944abd25f5c132796c6f482a02d21bba635524b41bf07de380ac1b2671066ff329215a8abeb7c613e77ab3c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\f0ce64a9-cf7d-4475-988e-897564c03496
Filesize734B
MD5e9579fb827d7608ec9471c4c5ec2ce5a
SHA1ee8754750aef8c6a2dcf097f7d96a4c461eb292e
SHA2568da005d97b7e27bfd88e3ba2b1a0507142718180f5ba989d6b2d20c4523799e2
SHA5121301dab7f90e9c046767487d637221ba1bc848d08e3cba77bcdfe97f68ad3d07062fcc185a3572d5101b482767fd9cb6345f3e25cb4e54fca24f79a248d53441
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\fcee93e3-ee84-48c2-9135-6a34c274962f
Filesize659B
MD58c2abeeade9a5ea96b9f071ab56b4e51
SHA1db8636003a5d06dc8a5e7be1919ad5f34009b091
SHA256e120a3eca6631f608ba8d5dda13ff5aaaca62c3380da1ac1e283c245616d6c9f
SHA512f7dc66190494c5eb5564939feb39819153c8361e87df76022c7ddbee278a8156c9136a55e22b4817a691cf55cbb9ab23d9f8a5477daa3cb4349a36436f7dc2db
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\fe9313b3-17c3-4fdc-abbe-c4c0fdf5ecb2
Filesize742B
MD5ddd6370778b4e1dcbdf9519a47cd3324
SHA14e415afc8ae1499739e0ff51962685ed2ad66c16
SHA2560ba0c0c307a62097b320a5c5f0dc9f1314be30fe2fcd92078101f105737a2db6
SHA5127ee760e015bfe3c645961f4b11c35fc70ae4304a1da54d4c5d1897bfa34120b61ee4234213d55cd3a5ccb6efb37227cf7ac155b5fc2f5d9b34f9aa1322ac321e
-
Filesize
5.0MB
MD5ca52cd4db6f606a95833d94ce7efd41d
SHA10634f9de63a192dff1da2bc22626734dcc90a8ab
SHA256373273cd25ab85d8231c0b1885d1e6d40ee174f4d8b4b6c0adb11d8d5cc89d56
SHA512952de05d921bc5d10c65974c16a126817db6bc59292654230773dfa3c630f6ec3baebdf2820145bf4cecdf538591e2e33af589b125de148957c6dd43a642cbef
-
Filesize
256KB
MD56c54222b8ce9e2f0e1dae68f82ce1a05
SHA1b3fc25e75a9e5c0355d2096e672b44b62bb194dd
SHA256ff9b5fe2e079acc8ea9f5b2d1d4167b51020be9418526b24b931b060888d950d
SHA512: f419201042b490988e436990fc1fdc389c47375126c8873e9ea2ef70bf5f42759cc2a397a053234fc38c17aca2e74cc45e2370ee9b6985266c7866dd4d15c7b4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize: 1.1MB
MD5: 842039753bf41fa5e11b3a1383061a87
SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize: 116B
MD5: 2a461e9eb87fd1955cea740a3444ee7a
SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize: 372B
MD5: bf957ad58b55f64219ab3f793e374316
SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize: 17.8MB
MD5: daf7ef3acccab478aaa7d6dc1c60f865
SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize: 96KB
MD5: cb57429e66214892e25b20cdf6bc4f93
SHA1: a7dd0b14a1161a32c79a8e11f2241d5c8436b43f
SHA256: 322b14af41205086efb1187fa7505720339b7debc91a369456a5094dea6c8785
SHA512: 62f2644a79b264fc6268eaea54324e4335459951b406cabd20da2d24bc11cab50fb5fec9ec2f83ddc754fa7b298c5e302679070b907f4bcf35d659e25f0bc37b
-
Filesize: 5.0MB
MD5: 38733559bf860d7df1f30f110efedf26
SHA1: ee65c4e773ceb07d19f3bfc2b36ef7e0d7bb0911
SHA256: 077fb6573ae6fb44d60bbf5074efca0abc59b739dc0ff1f1ae118dfb4086a0ff
SHA512: 5c4b7241c26975ae81a7b44e44d8f39cd0495ec5a0f6ef773fae8b446c1d96f2b0ba6c9f8c15b69aa647f2476d70efece9dbaf6b222d71c1daa734c7ef0bd26a
-
Filesize: 10KB
MD5: 3fd4858ad15a9a698db27a7dce2f08fe
SHA1: 39ec0aaf63b7a7dde1488a26b0424957f9e6af07
SHA256: 2a1fc3ee316d89e504e5970d9593a8537aec54c87580f9c8ca56f1d77095c23a
SHA512: a2c799125f7f70f84ce8f09c96816a1e7fd545c908ff2109dde6f4803802e3d51b6be99c97a1c714b6ec366d71ca2cd08b68f2efdbf0c7046f500689a953582d
-
Filesize: 11KB
MD5: c6f3ca63f108b9e6f0fb3d357b8eb63f
SHA1: 66512eb4c2f13addb9fdc3c95f018d0076d4330f
SHA256: 95e87494a3488ac515f0d6197350cc26cc08b16cfed9df61226869c25254cac0
SHA512: 7df3eca0a54cfd41a35a0390fcec150c41a2dbd6c205d6804f94e9cfa7cccffa256b1598d2152998b78a45ebbe3ebd042c1d90b4a2f25b0a15c99a902f35a4b7
-
Filesize: 10KB
MD5: b1d91d8c0fc3813fa6107292dfcdbe43
SHA1: c795638867ad50cfd5e1d099a7c91c373ebe2580
SHA256: 45d6b54e61dd79c596f28a67e038822799af3b8711b5ee9e23c460cd23b786e3
SHA512: c3ce381df9ffbf7ad98f15e673316b19e0685081476fd50a2113624851b4a414f2b6839a407865d0d7148ee7ea376aef98e5d1524c63269964d913aa531ec9ae
-
Filesize: 10KB
MD5: c79d388a19ff280411fe58eb1f375dd3
SHA1: b84967713fa5c3273ba04cfa4f5c31bfd80fe295
SHA256: 75d756ef9073e0b5210cc3c60a4ca2d0b6a9d00117ecde1a475c8a8a2e412ec3
SHA512: f87bd6177e9a990283674be11d1d0e19793490d44e1d83463e13e8853713bc878f5ef3fe7ec3b390a97c1cc970aca5abe4256a0a0dff4ff0cefa360a91832fba
-
Filesize: 11KB
MD5: e27dec2b403d27b51a08c8689f732f8f
SHA1: e0b21e496677c22ee3720c300ae52a895eaa2529
SHA256: 72eafb767552fb1e2730f3ed68973a055cbd77534d8f901ae682edab37310837
SHA512: 96a3a04dd959691d27d01d415a00a726ca094a7a6b21be6bc9a07436dc0adb0e22c415140bb2bc8e4ae10812e32a272fe2655a463b98b584029ab90c5a40b784
-
Filesize: 64KB
MD5: 76786a4c0dd19d88d6d3ed95a293bf2f
SHA1: b0d6d676127a7694fc6e71ee57fcc2ffaa621ff7
SHA256: 1a2564c1ba20b8038d35c2319258d94dc15d97914dcf753b31c48b79940dfd31
SHA512: 8cd3298e2ebba763d3c80ac4b17e44af7eb63b46304967d0c6316d314baf8611c05f7b9979c2c5c329ac167aea0246e8c9f057ffbb272481c13fd5e4b4bcb2d0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\sessionCheckpoints.json
Filesize: 53B
MD5: ea8b62857dfdbd3d0be7d7e4a954ec9a
SHA1: b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a
SHA256: 792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da
SHA512: 076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\sessionCheckpoints.json
Filesize: 90B
MD5: c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA1: 5942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA256: 00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA512: 71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\sessionCheckpoints.json
Filesize: 288B
MD5: 948a7403e323297c6bb8a5c791b42866
SHA1: 88a555717e8a4a33eccfb7d47a2a4aa31038f9c0
SHA256: 2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e
SHA512: 17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\sessionstore-backups\recovery.baklz4
Filesize: 26KB
MD5: f67e249ec6652aff0b3adeeccd1c0710
SHA1: e9efbca74b2236b3c361316ecdc741e84eb6196e
SHA256: 5f1b34b699b2278515d979aa45e43f616564bac20d690452181995764351f453
SHA512: c2e7ee1d1b10193f7f5f50beea19386f6152e5455916d0d078fd87c06e9d012eb5d74e4041529f8b063e656008f11d0d10e376dbd1c9c902121a8bc343087e0a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\sessionstore-backups\recovery.baklz4
Filesize: 24KB
MD5: 553b726ca05495fa5da038ab26e27f25
SHA1: f08ed1cb391a8d8a8fccfc01cf7996e8fa5aa9f0
SHA256: 6bf76f868fe7de0ed982bf0f1d4bad83f60533eeba88b3fd055ea40106ff9bfe
SHA512: cbe0dd824e63892aac354c1f73e83a40d5c723992e85925855ea986ef559e6719c4ed9a53a693f0a1e419bb6df2fe02d1dd145598a4b9f4d1e761623b0962a06
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\sessionstore-backups\recovery.baklz4
Filesize: 5KB
MD5: 651da6207959cf511e16cdebb9b690b3
SHA1: 83fc19e39f9805c57c30702d2138d5067eaa3fb9
SHA256: 1d09801462072302dc3963677137e3959714db0fa9add902d1e48756692a9009
SHA512: a69034df32988f07e2b6f8ecaa9dd074d957f94553798370ed92d551a509f771ad32fd053f3f131204b23abdb906bf8e552db717294ecb1471b17968f4f36a0c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\sessionstore.jsonlz4
Filesize: 4KB
MD5: f54bbd6401bea8eadd960a764c82ec08
SHA1: 889ddf3946532f6e343f68b19c5160d059eae76e
SHA256: c0f9df110ace6f8fd238a040e070a5b47f632322ccd3aea4e8816162d5a44194
SHA512: 87ce90b86603ca11a7d0255a93354e4e2fe380405213d098b0c3b939eabdcd370af9ece9e79d8c8fa6544a299d3eeaf2af7ed08fcf060c2bb7170b1fc5b9e54a
-
Filesize: 4KB
MD5: ff76ca02139cc795c270231fe9a0e82b
SHA1: ee734cbe0b594c2419d1b25ac34d3f02d4de6d1a
SHA256: d4aaeb05110a5c52a7cf98bc4850124de466d065ea9d71479a37def180441c1e
SHA512: 9e9e1a9870e580d84f1db075ab3ac2f9dd6ed1a3c9f1824c0681f08b1c1d35bc3140cd583e64eca11209fd8e148d5170fb95276ec53852fdc18e071fed15cdb1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\storage\default\https+++wearedevs.net\cache\morgue\245\{cc041e3b-dec8-4d81-8427-ec48017682f5}.final
Filesize: 614B
MD5: a1f0f7322e08d29bae25058730fd9e78
SHA1: 9e99eeeeeb484a581cfc64b4f97241d2dde2c176
SHA256: 6519c3021515fc48b5901c4b3d0c022b1620f1a9d71992e21bb9295eee3b9517
SHA512: 8b1dc96c90ba25165cca48ac8cc2566cea5e2680f2481ba08ea5c0c068053bd5169aa5343325d05cb458557774cd414719ea38f132eae6b18e9dd7bbe2b57cba
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\storage\default\https+++www.google.com\.metadata-v2
Filesize: 52B
MD5: fab00fa1804781e421b1b0a3c43b8dfe
SHA1: b66112b5f3823ac801507d0bc3fd5bbb90b612ce
SHA256: 8a1300db5bbe925f465443e6eed15a11b948e8cd34639ab8f0e7ab8b9540183e
SHA512: 7fdb90498e8b259812e2397b5350a173a1e0d67c5ce579f39d2c6abfe5d428917046cb0295aeb5edabbf98d4e0f37a11916a5f96bbdf035ce770efeb5fc3346b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\storage\default\https+++www.google.com\ls\data.sqlite
Filesize: 6KB
MD5: 3daf19c933bdd822c370c5ce0d1107dd
SHA1: 078f87b495f9181ee6d1f8c54c25f289f7da55fc
SHA256: acbbdfc262ff01c06c80e44df12a36674f96d0c848e25a76f655711ed6f6f2ea
SHA512: e660e80d043dbf998555a8ef8ac4cadb707a75502eecf192c2232952008b22f493dba711ea8b0b4ee555f7ae5e5e324c8795f50d2f3830773fcd8465b49c245f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\storage\default\https+++www.google.com\ls\usage
Filesize: 12B
MD5: 4c428e195a2fad0b912480f1aaa48bf3
SHA1: 52a8ec75e9ebe26a80438cfa5b234ccd96f24621
SHA256: 330e0baa0683f9a1187cfcee449c80c8d142c70ed58f6ed5bff634f23f399a8d
SHA512: 795d309afb1c8bd2bb3ffa40ad5632fca3a1a8926143a1592a051ec8667bddcb21d0540fd33a898e4f28bfd65e13ae96693d96b11c13adcae09ff1f415a13ef2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
Filesize: 48KB
MD5: 1fe03d39aa7a1d2f044664aecb7d386b
SHA1: 679e607fc5b9e33c06fbe1e6356cee44bf8101c1
SHA256: a508a690e096b2dd62b5952c5e1ed17db50b21c1c805aa7afa5335d51dca99a5
SHA512: 0c240aee84fcb53120d1a58d38506ee49ef034e970359206e34a6677bbbca0ff437068401a2f31183ca2b0baf81d8e683485504b35d2099cdbe3f9cad9d3da17
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 560KB
MD5: 656c302f010fecc787d2948fbd535c8e
SHA1: feb3c59aa68a5613a6011c89cc0f830f3f330212
SHA256: 2b875025be9279745052fdacbe79671eefcae5975ad7188926a068693f79f108
SHA512: 06bb5e9088f67d67fcd41101705791957f00d94b954086baefa33c243ba374e22f5cf056b0f53cea968307cc0e9a003d1ef0a872b515a227e718a0fa07f13d7b
-
Filesize: 120B
MD5: 8d689c06cb844185099c0398a280537e
SHA1: 57073c7526ec37e94bb9db44fedc6d50276f7a6b
SHA256: 96729e9b38f216605ff10715f96f364be32f02e2de23ede7e74b78244605124d
SHA512: 3c7df326c695143915df1068cb2c0f58e93e4881b2c4d94b33948b80e954fbd4cf944ae53b4d15002b79fcdb8e88f8e9cf4c89ca50f56b7cfd8a13ea7dd6fff8
-
Filesize: 5.0MB
MD5: 190d3be205525ee48e3ca0a3d6fce256
SHA1: cdf09c9b04b8e6ed1ce6ea017ee821cbd6e53ba5
SHA256: a6f64d8f09f87379ebb9479366d0ec4a56e60c9c7b2e162af668be2beb9756d9
SHA512: 28c6251668f14082abc387d1ef8bdc8acb0d62f258ce1d229814092057ee2e7dab3bc585d648a4ce8ebac3bf0dee09842d7defa5df450891347b3aeaca20df09
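The records above are the sandbox's dropped-file listing: one block per file written during the run, with a rounded size and four digests, and in some blocks no path at all. As an added example (not part of the report and not tooling from the sandbox), here is a parser for that record shape plus a digest check against local bytes, so an analyst can turn the listing into structured IOCs, catch a truncated hash copied from the page, and test whether a file recovered elsewhere is byte-for-byte one of these. The embedded sample copies two records from the listing (handling both the fused "MD5..." form and the split "Filesize" / value form); the byte string it matches is constructed. One caveat: a match only says the bytes are identical to what the sandbox saw. Most of the listed paths sit under the Firefox profile directory, so presence in this list is not by itself evidence that a file is the sample's payload.

```python
"""Parse a sandbox "dropped files" listing and check file bytes against it."""
import hashlib
import re

# Labels as they appear in the listing. Extraction often fuses the label to
# its value ("MD5ea8b...") or writes "Label: value"; sometimes "Filesize" is
# on its own line with the value on the next one. All three shapes are handled.
_LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512):?\s*(.*)$")
_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Constructed sample: two records copied from the listing in its raw shape,
# one with a path and one without (the report omits paths for some files).
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\sessionCheckpoints.json
Filesize53B
MD5ea8b62857dfdbd3d0be7d7e4a954ec9a
SHA1b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a
SHA256792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da
SHA512076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19
-
Filesize
96KB
MD5cb57429e66214892e25b20cdf6bc4f93
SHA1a7dd0b14a1161a32c79a8e11f2241d5c8436b43f
SHA256322b14af41205086efb1187fa7505720339b7debc91a369456a5094dea6c8785
SHA51262f2644a79b264fc6268eaea54324e4335459951b406cabd20da2d24bc11cab50fb5fec9ec2f83ddc754fa7b298c5e302679070b907f4bcf35d659e25f0bc37b
-
"""


def parse_listing(text):
    """Return one dict per record: optional 'path', 'Filesize', and lower-case digests."""
    records, cur, pending = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                       # record separator
            if cur:
                records.append(cur)
            cur = {}
            continue
        if pending:                           # value for a label on the previous line
            cur[pending] = line.lower() if pending in _HEX_LEN else line
            pending = None
            continue
        m = _LABEL_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            if value:
                cur[key] = value.lower() if key in _HEX_LEN else value
            else:
                pending = key
        else:
            cur["path"] = line                # anything else is the file path
    if cur:
        records.append(cur)
    return records


def size_to_bytes(text):
    """Convert the rounded size string ('116B', '26KB', '1.1MB') to bytes, or None."""
    m = re.fullmatch(r"([0-9]+(?:\.[0-9]+)?)\s*(B|KB|MB|GB)", text.strip(), re.I)
    if not m:
        return None
    mult = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}[m.group(2).upper()]
    return int(float(m.group(1)) * mult)


def problems(record):
    """Report missing or malformed digests so a bad copy of the listing is caught early."""
    out = []
    for key, n in _HEX_LEN.items():
        val = record.get(key)
        if val is None:
            out.append(f"missing {key}")
        elif len(val) != n or not re.fullmatch(r"[0-9a-f]+", val):
            out.append(f"bad {key}: {val!r}")
    return out


def digests(data):
    """All four digests of a byte string, keyed like the listing."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
        "SHA512": hashlib.sha512(data).hexdigest(),
    }


def match_bytes(data, records):
    """Records whose SHA256 equals that of `data`; a record whose other digests
    disagree with the bytes is skipped as internally inconsistent."""
    d = digests(data)
    hits = []
    for rec in records:
        if rec.get("SHA256") != d["SHA256"]:
            continue
        if any(rec.get(k) not in (None, d[k]) for k in ("MD5", "SHA1", "SHA512")):
            continue
        hits.append(rec)
    return hits


def find_by_digest(records, hexdigest):
    """Look up a digest of any supported length (e.g. one lifted from an EDR alert)."""
    h = hexdigest.strip().lower()
    return [r for r in records if h in (r.get(k) for k in _HEX_LEN)]


def record_from_bytes(data, path=None):
    """Build a listing-style record for constructed content (demo only)."""
    rec = digests(data)
    rec["Filesize"] = f"{len(data)}B"
    if path:
        rec["path"] = path
    return rec


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    for r in recs:
        print(r.get("path", "<no path>"), size_to_bytes(r["Filesize"]), problems(r) or "ok")
    blob = b"constructed sample content\n"   # constructed, not a file from the report
    recs.append(record_from_bytes(blob, r"C:\constructed\sample.bin"))
    print([m.get("path") for m in match_bytes(blob, recs)])
```

`parse_listing` takes the raw text of a listing like the one above (pasted from the report, fused labels and all). `match_bytes` requires the SHA256 to agree and the other digests not to contradict it, so a record with a mangled MD5 does not produce a false match; `find_by_digest` is the reverse lookup for a hash seen in an alert.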