Analysis

max time kernel: 2696s
max time network: 2612s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 11-12-2024 21:15

Static task: static1
Behavioral task: behavioral1
Sample: MalachiTemp (2).zip
Resource: win11-20241007-en
General

Target: MalachiTemp (2).zip
Size: 11.7MB
MD5: 6547f016ad4a2a2ac21830cdc787bf3f
SHA1: 7ea0143a1b4bfd234b5df31017d03cf82e914337
SHA256: 53288348c08f054b6d7d9a10a74b45c202ccd86ebd6636a889e8600f85b199f6
SHA512: c8037af6e178a9067031fb6c6da5e86a9ec12b71f6f3e536566700719ee5a44d3df5fcbc30d6c2cbc6ef292467962f8c9b2048092d7ae0861888e7228499f801
SSDEEP: 196608:E/IbMxdZb3hTqr1dUn//P8djLpaawweZps8im3izDKt1VlenB34M/3vNW3RxtMFM:EaiZbxTqrnUn//OjFJM6Kt1VQ2M/v8M2
Malware Config
Signatures
Downloads MZ/PE file

Executes dropped EXE 4 IoCs
pid   Process
6004  VisualStudioSetup.exe
5756  vs_setup_bootstrapper.exe
6112  setup.exe
2112  vs_installer.windows.exe

Loads dropped DLL 23 IoCs
pid   Process
5756  vs_setup_bootstrapper.exe  (all 23 entries)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
description                   ioc                                          Process
File opened for modification  C:\Windows\SystemTemp                        setup.exe
File opened for modification  C:\Windows\SystemTemp\Crashpad\metadata      setup.exe
File opened for modification  C:\Windows\SystemTemp\Crashpad\settings.dat  setup.exe
File opened for modification  C:\Windows\SystemTemp                        chrome.exe
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description                   ioc                                                             Process
File opened for modification  C:\Users\Admin\Downloads\VisualStudioSetup.exe:Zone.Identifier  chrome.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  VisualStudioSetup.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vs_setup_bootstrapper.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  getmac.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language  vs_setup_bootstrapper.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language  setup.exe
Checks processor information in registry 2 TTPs 18 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                           Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  vs_setup_bootstrapper.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz                 firefox.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      vs_setup_bootstrapper.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier     firefox.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature     firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 vs_setup_bootstrapper.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier     firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz                 firefox.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz                 firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  firefox.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      setup.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision      firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  setup.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 setup.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description        ioc                                                                   Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe
Modifies data under HKEY_USERS 2 IoCs
description      ioc                                                                                               Process
Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                             chrome.exe
Set value (int)  \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133784256642841926"  chrome.exe
Modifies registry class 1 IoCs
description  ioc                                                                                    Process
Key created  \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings  firefox.exe
NTFS ADS 1 IoCs
description                   ioc                                                             Process
File opened for modification  C:\Users\Admin\Downloads\VisualStudioSetup.exe:Zone.Identifier  chrome.exe
Suspicious behavior: EnumeratesProcesses 17 IoCs
pid   Process
4012  chrome.exe                 (2 entries)
5756  vs_setup_bootstrapper.exe  (15 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   Process
4248  7zFM.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs
pid   Process
4012  chrome.exe  (all 18 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description                       pid   Process
Token: SeRestorePrivilege         4248  7zFM.exe
Token: 35                         4248  7zFM.exe
Token: SeSecurityPrivilege        4248  7zFM.exe
Token: SeDebugPrivilege           996   firefox.exe  (2 entries)
Token: SeShutdownPrivilege        4012  chrome.exe   (the remaining 59 entries alternate between this row and the next)
Token: SeCreatePagefilePrivilege  4012  chrome.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid   Process
4248  7zFM.exe     (2 entries)
996   firefox.exe  (repeated; the remaining 62 entries are this row and the next)
4012  chrome.exe   (repeated)
Suspicious use of SendNotifyMessage 16 IoCs
pid   Process
996   firefox.exe  (4 entries)
4012  chrome.exe   (12 entries)
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
996   firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
description                      pid   Process      procid_target
PID 2816 wrote to memory of 996  2816  firefox.exe  81  (repeated)
PID 996 wrote to memory of 4940  996   firefox.exe  82  (repeated)
PID 996 wrote to memory of 4664  996   firefox.exe  83  (repeated)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\MalachiTemp (2).zip"
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID: 4248

C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID: 2892

C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2816

    C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        - Checks processor information in registry
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 996

        C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {94ac50a2-f1fc-455f-969a-0baf437b800c} 996 "\\.\pipe\gecko-crash-server-pipe.996" gpu
            PID: 4940

        C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {55769d3c-220d-4d1a-bdf1-62fa6eb9c15f} 996 "\\.\pipe\gecko-crash-server-pipe.996" socket
            - Checks processor information in registry
            PID: 4664

        C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3116 -childID 1 -isForBrowser -prefsHandle 3244 -prefMapHandle 3320 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a7eb609-e716-462a-911b-35ff4daac0ff} 996 "\\.\pipe\gecko-crash-server-pipe.996" tab
            PID: 800

        C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3952 -childID 2 -isForBrowser -prefsHandle 3944 -prefMapHandle 3940 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d0a81e5-c812-48f5-b834-ef1ee0778ca2} 996 "\\.\pipe\gecko-crash-server-pipe.996" tab
            PID: 1468

        C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4504 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4524 -prefMapHandle 4420 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de98ad04-b6e9-44fa-a658-729ae3df99e4} 996 "\\.\pipe\gecko-crash-server-pipe.996" utility
            - Checks processor information in registry
            PID: 1572

        C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5588 -childID 3 -isForBrowser -prefsHandle 5572 -prefMapHandle 5580 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4901d5be-892c-4f1b-8fa4-f25f77f97631} 996 "\\.\pipe\gecko-crash-server-pipe.996" tab
            PID: 1476

        C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5596 -childID 4 -isForBrowser -prefsHandle 5556 -prefMapHandle 5476 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca327564-1620-496b-ba89-0689f97732d3} 996 "\\.\pipe\gecko-crash-server-pipe.996" tab
            PID: 3244

        C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5960 -childID 5 -isForBrowser -prefsHandle 5692 -prefMapHandle 5888 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3ec9b41-c17d-45c5-a3e1-41c51ac91951} 996 "\\.\pipe\gecko-crash-server-pipe.996" tab
            PID: 2368

        C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6272 -childID 6 -isForBrowser -prefsHandle 6268 -prefMapHandle 6264 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63e11cf5-c808-4950-8924-b367c27f193e} 996 "\\.\pipe\gecko-crash-server-pipe.996" tab
            PID: 4956

C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 4012

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8ed4fcc40,0x7ff8ed4fcc4c,0x7ff8ed4fcc58
        PID: 2480

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,3657978466719195900,10451754005150302662,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1928 /prefetch:2
        PID: 2992
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,3657978466719195900,10451754005150302662,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1928 /prefetch:22⤵PID:2992
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1704,i,3657978466719195900,10451754005150302662,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1948 /prefetch:32⤵PID:1996
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,3657978466719195900,10451754005150302662,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2220 /prefetch:82⤵PID:4832
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,3657978466719195900,10451754005150302662,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3084 /prefetch:12⤵PID:3184
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3100,i,3657978466719195900,10451754005150302662,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3260 /prefetch:12⤵PID:2164
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3076,i,3657978466719195900,10451754005150302662,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4352 /prefetch:12⤵PID:644
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4524,i,3657978466719195900,10451754005150302662,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4760 /prefetch:82⤵PID:4928
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4764,i,3657978466719195900,10451754005150302662,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4760 /prefetch:82⤵PID:2328
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level2⤵
- Drops file in Windows directory
PID:556 -
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff765354698,0x7ff7653546a4,0x7ff7653546b03⤵
- Drops file in Windows directory
PID:3452
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4392,i,3657978466719195900,10451754005150302662,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5056 /prefetch:82⤵PID:3044
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4972,i,3657978466719195900,10451754005150302662,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4900 /prefetch:82⤵PID:5144
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4940,i,3657978466719195900,10451754005150302662,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5228 /prefetch:82⤵PID:5180
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4732,i,3657978466719195900,10451754005150302662,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5100 /prefetch:82⤵PID:5556
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4976,i,3657978466719195900,10451754005150302662,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5124 /prefetch:22⤵PID:5324
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4980,i,3657978466719195900,10451754005150302662,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5020 /prefetch:12⤵PID:5812
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3212,i,3657978466719195900,10451754005150302662,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3232 /prefetch:12⤵PID:6072
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5268,i,3657978466719195900,10451754005150302662,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3484 /prefetch:12⤵PID:5592
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3432,i,3657978466719195900,10451754005150302662,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3488 /prefetch:82⤵PID:2516
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5344,i,3657978466719195900,10451754005150302662,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3480 /prefetch:12⤵PID:3044
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=3424,i,3657978466719195900,10451754005150302662,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4500 /prefetch:12⤵PID:2880
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=4304,i,3657978466719195900,10451754005150302662,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4700 /prefetch:12⤵PID:5936
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=3548,i,3657978466719195900,10451754005150302662,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3752 /prefetch:12⤵PID:5456
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=3120,i,3657978466719195900,10451754005150302662,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5052 /prefetch:12⤵PID:5520
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5840,i,3657978466719195900,10451754005150302662,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5824 /prefetch:82⤵PID:5680
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5852,i,3657978466719195900,10451754005150302662,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5888 /prefetch:82⤵PID:5396
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=3112,i,3657978466719195900,10451754005150302662,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3172 /prefetch:12⤵PID:5904
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=4244,i,3657978466719195900,10451754005150302662,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5424 /prefetch:12⤵PID:4432
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=4472,i,3657978466719195900,10451754005150302662,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5476 /prefetch:12⤵PID:6100
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=5508,i,3657978466719195900,10451754005150302662,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3496 /prefetch:12⤵PID:5468
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=3752,i,3657978466719195900,10451754005150302662,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4388 /prefetch:12⤵PID:5240
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=5720,i,3657978466719195900,10451754005150302662,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=212 /prefetch:12⤵PID:5980
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5992,i,3657978466719195900,10451754005150302662,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6116 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:2428
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:4416
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:680
-
C:\Users\Admin\Downloads\VisualStudioSetup.exe"C:\Users\Admin\Downloads\VisualStudioSetup.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6004 -
C:\Users\Admin\AppData\Local\Temp\5cdf48e836ef03e620de940a3b\vs_bootstrapper_d15\vs_setup_bootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\5cdf48e836ef03e620de940a3b\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:C:\Users\Admin\Downloads\VisualStudioSetup.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\Admin\Downloads"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5756 -
C:\Windows\SysWOW64\getmac.exe"getmac"3⤵
- System Location Discovery: System Language Discovery
PID:3696
-
-
C:\Program Files (x86)\Microsoft Visual Studio\Installer\setup.exe"C:\Program Files (x86)\Microsoft Visual Studio\Installer\setup.exe" /finalizeInstall install --in "C:\ProgramData\Microsoft\VisualStudio\Packages\_bootstrapper\vs_setup_bootstrapper_202412112122355317.json" --locale en-US --activityId "bc219bec-9ded-4410-b3b7-18d25fbbd41d" --campaign "2030:e03594ca50234bd2b739f3a9b49943ee" --pipe "d017ec64-6419-4b46-8a07-02fe6ac41e31"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:6112 -
C:\Program Files (x86)\Microsoft Visual Studio\Installer\vs_installer.windows.exe"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vs_installer.windows.exe" /finalizeinstall 6F320B93-EE3C-4826-85E0-ADF79F8D4C61 "Visual Studio Installer" "Microsoft Visual Studio Installer" 3.12.2149.20818 0 "C:\Program Files (x86)\Microsoft Visual Studio\Installer\setup.exe"4⤵
- Executes dropped EXE
PID:2112
-
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\msalruntime_x86.dll
Filesize2.4MB
MD524178f8a52b4ca98d9b928e2bca7b43e
SHA1c731ebbda1a3b8ef4274c8ece233e6fbe9a91b80
SHA25623f826bfe027ba35aef0610f9a55fefeab868e831bed65ab284e9d7a83c5e7fd
SHA512a8f0d7069de8c20daffe4bf66746a594466f3a26034ca7127d5bb202693f507bf38e99b5924d4f932504dfd503bd904fdabd061779690c0f758fa2795e1ca307
-
C:\ProgramData\Microsoft\VisualStudio\Packages\_bootstrapper\vs_setup_bootstrapper_202412112122355317.json
Filesize162B
MD5ad891c3b02a02419dc60db8c273a8315
SHA1141a08ca0e25d56bdb35fc71e1c767667079114a
SHA256186c4b16ee009564819730b358dbdbb0792fc27e602698c5f0a16e20104647c7
SHA51264cdaf1d6d1b4072e24f3926f91103abf946ff044cda34a9070586c2d2927bcdfc53381c955e447a38965ee426373259759025f97b715158afc429080956196f
-
Filesize
649B
MD5f3436aceb9d7f335625e5fcf8a417e6e
SHA14d08a24a6bd7570eb96e5eef2c088d5da0fa13b6
SHA2561bf4b23f2a95839336467f14484e8b0b9546f77f07a6d9469f9d3a951cf1b2ad
SHA5123ad5d0d38b9b53236de9e3c88b970615a2932f70d0f832cea2609590b55acf18af080c80fad3b59ae349ef52e368dc174f2ab500f7a10756bb7e29d0e3e44f04
-
Filesize
41KB
MD5e319c7af7370ac080fbc66374603ed3a
SHA14f0cd3c48c2e82a167384d967c210bdacc6904f9
SHA2565ad4c276af3ac5349ee9280f8a8144a30d33217542e065864c8b424a08365132
SHA5124681a68a428e15d09010e2b2edba61e22808da1b77856f3ff842ebd022a1b801dfbb7cbb2eb8c1b6c39ae397d20892a3b7af054650f2899d0d16fc12d3d1a011
-
Filesize
60KB
MD53e5991635f4bd50cf896fb998507aa77
SHA15acb8f2ff97affeeefe777b857864165d84fd9e5
SHA2565abecf44756a6cd7d5a75aee4c9f5b138d299a8a2fecb64e3ec92ede6cc89ff2
SHA51287ed9451460043b6957fab8a7b005c64b02598d3b91cba28167ddf4f162665fb8157f37dea8a9ea8e056d5120e7f9b93bbf4370000055f578bbbdefcc9cc6633
-
Filesize
22KB
MD52b41d3512250b9521aba871a5707cf23
SHA12bf8a039e31b6a549d10482f58d9ae7823ee012d
SHA256a450a6398f0a16e5ad065b2f3e4dee62db08ec1105cf8cd025561e78db2d3692
SHA5129c20fde1f3e0637a9ca38c72dd73f83fcb90ba54a8a4212e5654b3ccb85a2d23d0d2fafebaac871a3eb7c054ec186eaf7d46cd366fac192092276b901116704b
-
Filesize
78KB
MD5928e335ae44f86a00cf7f1ec706b8453
SHA18e152dc44cded0ab8aba560861eee88a63dfabd7
SHA256a43949c3a5aa704b22159317233a480017ff154d9364def69dba50fdefe7e242
SHA512ae4743a7599d7c54d0ca034c3da5c9137e3d85dd922924d8632fb757ef83a27fc1672b0b2aa50b762eb570a8940a25483613d657964291d9c3f3d95b133b6820
-
Filesize
40KB
MD5b786554392ab690a37b2fc6c5af02b05
SHA1e7347fa27240868174f080d1c5ab177feca6bd84
SHA256ebe47cc89c62447316148809bda9095bd07bd5392a99ab4b8ac8b9f6764cda51
SHA512b71cdb76464a775fca909cabd0a7435c34de3ee4e19c40f5bebba6415295f0be2f82532a2ecda043c787ea4e8c23fd4e582a4d4322923fdf603a56e3fcb8b567
-
Filesize
17KB
MD56d27f87dcf23f1ac1a24e7b67069f5ea
SHA1c2e6e9af6b481f419e1fd338027f939eaa1c8c59
SHA256b70d2c85430af30fda1d5f23ad64c4009fdbc8f18a2f0756ead41f5e74e38e79
SHA5120ea7baafa2fa69bef19d9c887ac5dbc3911cd574c4330d6023e8ab9662cbc45d32511171f14a7988bf54f0559a07079f5dd2e074288a71d7a44eec27182a2ae4
-
Filesize
35KB
MD55009982b60a0f93eac4c1728e5ca17e2
SHA1c0f932d333b91a4b971a52ce88bc96320745064f
SHA2562ffc0ec332938cbce14008ab246c3d918800189aece932e92bedd8adb8332fe8
SHA512401dd0a45c177130628787b92a17642783d27b1a977833af4110d81cbf2572a159a371beb473baa07ad38ac8297551aadadd2ebb80401a73acd580fdc03964aa
-
Filesize
107KB
MD5b538243e8ba44fff3b24eb94d1f22366
SHA1688a4cf33c48ab7d64a6efb39a9b8bf82ceb8849
SHA256281cb163af3db83e5ddef8aca11460b51433bc113e8c75b9751f7566730d54f9
SHA512caabb652393d1ca596e4be7a44fee7f9d13ecd9161288f0977b5d03204b13b999493b441fda8a3000e3912d666deff0d6f67e55f35d717d53872c4c967bf719e
-
Filesize
2KB
MD586f6fa90d1c096f6249f7e8a08feeeab
SHA1612faed423508b95257047aebe4f3d5101b45201
SHA256f180c8ed347cba78c899c660ab211a9dfaac9df1eeb5321faa768186ccba8fa1
SHA512bb2358421f08744b7474e81df81768bd0ff84713709877b31efa25a343816ec59a3450a32866ff210956bd454d490597b1f0d0712a58ffd2e131bf46fb1798f3
-
Filesize
264KB
MD5ebadc2fe20cc0e5d33b6f186c2777acc
SHA18af5b31f0bacfd1a6b11975ba2f1e037c375a439
SHA2562cecbb293bbb248404ff96cc71cd5c5e0fba4529569a46b6dfb4e473cdfff8c7
SHA512e0c01730d40b3c5cce0a714dfa91642cec6d8e72b99b05fe286abef3552b4736383c1ac1b07eb484fd01a20f20a5b37e51b021d51aabc8f73aadf3f02bf87aa0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\_locales\en_CA\messages.json
Filesize851B
MD507ffbe5f24ca348723ff8c6c488abfb8
SHA16dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA2566895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA5127ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\dasherSettingSchema.json
Filesize854B
MD54ec1df2da46182103d2ffc3b92d20ca5
SHA1fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA2566c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d
-
Filesize
5KB
MD5bec159d2f374e9dea3e85e7b78a438b2
SHA17321c591232127e23fdd5e31f1d2c8480808b8a5
SHA256a8e702efc09b6744e0fd7b4492ddf3bca0839c7090fbed7f7e2ef181eadfc35a
SHA5124c40aed13a31e5234db20394c65b6b983fe8f340b6f93bbb0b798fa7e6a98f2e6c5bf3d242309479f0585866042580729d6a96c3e633f62bf47cfac4e1f4cfee
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
2KB
MD50fb05c2d2bbe1e0dc7b653653a06fb24
SHA1720380eada1230a925abbb4f94a5b0aea2bce88d
SHA256f61380730f7d0a38f3b89235cb6ae724b1d0d6869798760b20fc118b9b60db04
SHA51211cb77b08437e99cc34aa0242c9be93da2c2b72ff10c2f95e495260ba2b285efb572bf046be72df7d89a0823f4404a452ba8936a349359e38592b50fa7a6b98f
-
Filesize
2KB
MD560a5a95a901785a57f4d08d13ab0a320
SHA11ca5fbd0c5f289cebe1070409899c4fc68889d40
SHA256fdb9c42fef60c5984f719e8f84396e44cb5f4b7541769fc85a6da22b8223228c
SHA512719caa655f223d79f8844ed7a227814308fcd6e85e7f3915707d8d87ac61087d22e6317a2657af540072e773dd31cd67165b257af4386720ab32c572537e2999
-
Filesize
2KB
MD5435fac71e7418031c377dd7b5e56cf89
SHA1452e7094ff14d5a0e394e7cec1b1c0836bcfc1f6
SHA256d4921d6abfb1182f1af243ae6ccae77512b7aedf5e5d7a095b2e0e88d5622956
SHA51291a2d82113763aa46050243b172a89487e1358f7c28dca7e9c5bea729ea05e95697cb50ee8b11f4c5dfd374bc088d73e30c1ce1aef650129fa23373e5e53abab
-
Filesize
356B
MD5b6e821d27ec5df95bde9548094a38dc4
SHA18c1b2416dd7801ccc9fe57e94be75fb211d3b492
SHA2569a3001cc257f298cf0f9be69338fa4e573317d983954c01d7bec6ceaa7653cf3
SHA51217c906ae5ec6d3904b9e35cc3571f54ad787dab754227fe2f9ad3e31e163ce62f84d950dd1ae68879ca030ccc7a8f13c151a0c0c87592779300dbcec52d60590
-
Filesize
692B
MD5a202541fa0d92f343f3d2065a719260b
SHA158461b23a560d0693870639e5cf139b84bb6069c
SHA256e5e9daab450d7cbe16ea0662e292caa468e26aad2fec8218db4f8a442d4ff315
SHA51202750372d7f1857a8e43d9fae0068eceecfdd11d57d5e462430ac9240aafb5872303eed74049b2ae48995d03db0e921541337d6650833439a1c9a82ed77bc629
-
Filesize
2KB
MD5394b290c8a81ad27b762f8b5e4766d4d
SHA1b5cb6a46a7d2b5dcad530d9f06418e9fc37760ea
SHA25601414af3f1658b18f0f9b43277a933ecf39e8a55c54194ef80b852bacc96a8c9
SHA5124972e223bec07d258bf42181217e7f60baa74260014145b10e4074b300769c58f8fc124fc9d120b53a952f5d22ebce082ceadd670c3b3b78e0a8d59c1005ba15
-
Filesize
10KB
MD5aa68bf9fe17f494ad9d8afaaa20b955c
SHA1ffa27e158b2c052c76a9a7056d91e73b9486744f
SHA256fc579782b59c4faea48db6edea3079c206ac160e55d13896b0f9d2151db607a0
SHA5128116cad9f52b39d6895c4da3f68a0dd0d4118724e4fcd3c741c4c00c98f55394e381ae56cd56b6be5ab6e8563df71b4d5f909e131772a1cb5e643d6d66472b0d
-
Filesize
10KB
MD5367e049b0a008c52aa2ee222a95cea33
SHA1f8b8a06f033f30a096ebee2d75c1a5536a0ea592
SHA256b5b7d99d250821fb22947922f1d36135b12249543b0ae1659ff02aaf0b833194
SHA51293cd5555bdf24473cf39e64c33098186849c5ba1eceb0cb6dc3c5c73c4a25dbf3de6745bac71012b99f79a9ed03edf33e659a68e829d3801eca042dbe6175fa0
-
Filesize
10KB
MD565b9ffc6189b9b94222a17df38d19514
SHA17ac7a333f68fb92a4016925ca3a47222f22c8e29
SHA25604917c9785192617a7dc69ed93b077f7356b4429fcea16bb2d6b770e70eef899
SHA51249145aa42a63456e39e409a6926bdb081b067236108a7fe9cbc05d4197fababe4580df032b37a29e91a38aa6e8a26d6d9b55ae6ac2b0353bd938747198b0e564
-
Filesize
9KB
MD58fbfe2fd196bb8dbfba2809317bbc86d
SHA157634cb49facdf9100792bbccc96c87cf4c7d1fe
SHA25688f3674c5bfab4207c435b9f17f128a49dfeec4816c2ced01aa287c282777f77
SHA5125bc16f9e676da0b619cee40fc145dadbd275e9e1d42201e4685ba3f8844eab894868118482de9c98bf89e63a1e1dd59293e4fee341889a20afb46d5cfaf8b07d
-
Filesize
10KB
MD5c0a352c7ef4263ee8c4a6e5d9be982cf
SHA1f8b704efc776f6cdc1d9ba08fae8e023e1949ef0
SHA25637a9fcf224c141b2c0cb8d3493c51a248565296931207f926c68ecfd381926cc
SHA512a8715c2f91eee64e71d1b080b1d363d75b509db48a5daf6d68cd6c5a8f3e3764a7023cc64b112c335583d079efe9c33fdd106adc5885ed6c1882686adbfd54ae
-
Filesize
10KB
MD5678e59919e8ba2773f5c53ce636d7c1b
SHA19791454039865842ba16fb3b0d0e284d71733dd4
SHA256d3a795493cd654204de2eb5aeeaac2c1a84f691e71a144633ca433b28131d428
SHA512005b4c6838ecd7b787db7d7a076626b298bbc61748d6606e6f29e5f250784c9b0d121f501b596b1c06dd01ff83dba6aa77184e50d305d57932e5991393710ddc
-
Filesize
15KB
MD5f3738883c8efe8169de373dc7a93553f
SHA151d2d650b25ad458e06dc9c859f28e251c12dbdb
SHA256233836840ecad4dcdf05131b2f8d2dcc376998302a230ca4032f5212d35f475d
SHA51266014c0e337f07015606aeceeafcc2a219044da5eecfe95c44e51feca24fe399d8c582b9a1f3226cdd9e8c01d2bc0f7062f8c6a4c7d67dfe4a20db50503df0b4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize72B
MD57a8b255bf2e4b49441e2e46f64144c13
SHA19309b88ac0ff59bde0fa5281b7499c4ccf7afe42
SHA256d59bb5880988306123eb0829bf87b49c20124ad7f897d0f1421828a4b6e890ba
SHA512736dcec2eb6d1e272605016cd1f0e7ee5bf48448e99d374dfcdab88516812b5953d53d553163d5a69b4fcb44326dcc810af97abf557311785435aed6405ff0f8
-
Filesize
230KB
MD53a581dcf2d21dfd8fa8394378595d552
SHA1e48e6d823273689bf60de6cd5de76673893b0d2d
SHA2564b3ea6e3ca1cd24ceebeb9652819e6f3242184ba1f5ae47a8315400297cdbb7e
SHA51224452ede56364b0fee391c89dfb3e7eda4f1f2873d72bfe858dedbd807dda40ec8fa0752a7be2ca2785dbd2fa1134d9a876d431ccefd2b66cf9b334905cf0ef2
-
Filesize
230KB
MD52557ddc7335ac0537621dd29890b14e7
SHA136f75870e8102f00a084683def18f77398400075
SHA256405b01867f5394f10483ac46d73418973a5d1d7dc181f11e1bd8570f415db359
SHA512f1cf5b16883d1b5cf01885b935d05474df4d149b9f42aef57bae825bf6213cc2072eca21004472a13e5f2742d491f41b5aa963eddd61e418aa642716d0eace96
-
Filesize
230KB
MD5402cd35c4eefc0617317a765c07faffd
SHA14a0b5e0fd598c202adc24c02c6c8feef74d0287d
SHA256229aa9e7e8fa7c1172acfe8edb6b5d722cb6abe33410a96260b6bc86acad3f3e
SHA512d325c6169f8e3a016e161507ef9bb87e3d02b18328ad6667b7a3846e726018d5645bef44aac526507f67f994fb2469b82688fa96c17dbf2eaee7fca0869ccdd3
-
C:\Users\Admin\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20241211212306_8078df8a4e484b9f9b2722cb1cf7c3d6.trn
Filesize7KB
MD5eebfc50d6db40496aacca364b87be389
SHA100f0e15289f1c866322b2779fb5f2286dd17011c
SHA25678bde931149780e697c3265271ac8434659fdb77aacca9eb3acea4f01bb24d75
SHA5122297ccf0bab9bf283c881ec560be33b43d92d13f175b1ff1c4092b04ad999f6fbb668c11aa265b37b215185b31b0e8a1a32ec5f985cfabbbdd880b3a07f54b98
-
C:\Users\Admin\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20241211212335_509ea3a5649945839f27d093c3a64af1.trn
Filesize5KB
MD55a5d35a15bc3ddd9d6130eed04376ba6
SHA161e1faf4c6896a87fcb73aa43e4bc83c2ff776b1
SHA2564ef6a1a0d46de8c7382691de5d2d7dee1211f86021784c362746db6d233df301
SHA512b581a788d3fd065b8558d85224415d7c04b8581fc536711b885e7138eb2fe45203c318cdc9e67fc88bebe2ebe7a5344a4245ba90c21606d0c16a37db2b3b5bd2
-
C:\Users\Admin\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20241211212356_f8c71c17af12434a91bc27cb79797b30.trn
Filesize17KB
MD552c4f38f816099dc39913da95634bb13
SHA1e318818c4b52d0dc40c31271091ec8e37ea0d4ed
SHA2563c3adeaffa7d29f63b1d1345ed11f8bfb56f80501cf040149e777168d700b63c
SHA512bd13ca1875379e1904679d004283763010afa1863908c403eef93b810e508bb1d9e69136092c266daa5b2c2e4def4d3c51cac9d4d0d699ff5ec9b942c78d1080
-
Filesize
74KB
MD554f911e4f0655fe6c7b0fded505f190b
SHA13d6d61b03c4b45c49420a30ad70694f6fc239b95
SHA25612e4e149342cd923bbb4d857f3a87796428e59fc8879a62a44551e5beea275bb
SHA512a6a76d595e0696fc80b742445fc179a2ec8e95227c21adda75cba30443b2da8bf458114fe5a3add5b9c8c945a7d3e9ae4606beb726e95500d5faca9e9d7b1920
-
C:\Users\Admin\AppData\Local\Microsoft\VisualStudio\Packages\_Channels\922c5fd6\channelManifest.json
Filesize103KB
MD5cca82efca0542a93f8b5c80ebeac5aaa
SHA13ce7ceb9d1cdaf69e1f683ae5c3925881e2b8c0e
SHA2561e538b3f7293f02de270cc4cd730e823709b3467d657db965ad3592dfca71e01
SHA512cf5f71ba542c3f2950177a4e95273c31cad7c4c969adfbe533a3443c0f71b9a58b0b8050eaf23daebeec0d2c03996214cfd1e2bd7453c37ce74f1321e1d47cb0
-
Filesize
22KB
MD5fe372d06082881e4e575635849cff5bc
SHA109a4a11ab6b39f4e2c9202f6f9c2736c309e4793
SHA256b7b84389a07f8d8700fe2965e5a9fe6eacfcce8f7ca8e2db3c56983bf0b21355
SHA512a1d80e91d7a6edc56f3327762bf004a4b4c74a8c5bc5a6da18f30b68613d31d4a99c96f7751aad05f20cf737b763a0d1a786c09cf5bf12375d81b25dda80edc5
-
Filesize
20KB
MD5a81af9b600cecf3e01eddea606bf21e0
SHA1b3738835239aff12fa725b05a8e084b85a3a1108
SHA256b069ee3f8a316aef4c8350b7a161a87a81f36956ed8989760c8408483383cc10
SHA5123014482521635e1c6e51becf58be53b7fae5165db340b5f14390bcd4817ce8425c95d4ebc06497fa7366ec693c95cdafb92ce44dafa2954a72c6b8b218a19b68
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\activity-stream.discovery_stream.json
Filesize 22KB
MD5 031763df99bb97f8dbd33f440a53b016
SHA1 a9889e11274e7c3aa072d93e1efc73eeef84de2f
SHA256 00badbec53d5cdb31073948ad2ccdf85c4db4d12eeea02f678280eaaff26502e
SHA512 8f88bdbc5fa2bf75e4021b285040cccb67e85ec1d7db89491bd9714ec5c427dba8f8d9c560f77fa5a8d0ed448c00aeadcefd58c521c99342df52081ae12f073a
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\cache2\entries\183E2680605B56F24D804B991A30FEF1163A9594
Filesize 61KB
MD5 06128b9f9467abb9551f7ccc0c314143
SHA1 1cd57ebf12da94297a5fac8f631b6627960a64bd
SHA256 af51791571f17a89097aeb2301cbfc89cfe26a12969caf90fca01545b850f10d
SHA512 9f1e45d5bd1d0aa580aca329d1a61690592743c66e4f03937e7846da018f5942b055929b72a09e354d302ee32e1e94610a17a517ee74bdf60fce66d5df40516c
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\cache2\entries\DC904F6FE13AF2FDD1A89E5DC2045B0E5EE12A27
Filesize 224KB
MD5 b34e004ea62b029d2a89834bb35e3ea7
SHA1 8d8afb6ed7a84b710bbd8dbb23c9bfb58fceadc1
SHA256 4b9006e26d6ed507d73157de7025e82d4668400f984b686f217c8cf3cc7216c5
SHA512 eb17f0f16c494a71db44698bf87d118bc99555c6755ef414860b5f275ad6986466c1dc1d60e44d1bce9e22298f83ee035a4a38a379581d8e355eb70d14221875
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize 15KB
MD5 96c542dec016d9ec1ecc4dddfcbaac66
SHA1 6199f7648bb744efa58acf7b96fee85d938389e4
SHA256 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512 cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize 135KB
MD5 3f6f93c3dccd4a91c4eb25c7f6feb1c1
SHA1 9b73f46adfa1f4464929b408407e73d4535c6827
SHA256 19f05352cb4c6e231c1c000b6c8b7e9edcc1e8082caf46fff16b239d32aa7c9e
SHA512 d488fa67e3a29d0147e9eaf2eabc74d9a255f8470cf79a4aea60e3b3b5e48a3fcbc4fc3e9ce58dff8d7d0caa8ae749295f221e1fe1ba5d20deb2d97544a12ba4
-
Filesize 16.0MB
MD5 706ff9c0f78625129f5f13ea64756c2c
SHA1 ff0b02a22aabbba7ee5246453b0dc9f5236723e4
SHA256 e732281b61877f3304981b3a3e1df63e89ee0e6682f0fdfe1338c94676729aae
SHA512 88847456d9d847571dde952efcd851d7b9b2a2f6c5ea8ee768ee8b65288dfb43e5daeff7077bcfdb0b045c21415b7a362d4dfa06792cefceab3ed9a881f89c3c
-
C:\Users\Admin\AppData\Local\Temp\5cdf48e836ef03e620de940a3b\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll
Filesize 19KB
MD5 3374eab90af5842f1f07c1f60e74441f
SHA1 5c7f58d46e19713e785351ae0f17086071b9a881
SHA256 f1ae5d2c81ebb819706682b0b7ce311eb19162f1ec51fdffee2f469e283f68c5
SHA512 0d66a8ebebb6d2df8772089cb829ac038a929d7ba3ef82c5ea221f972777279929b982504b612931d4e52ea44ac6d12c48c06e07d26ae7942125e0020bd84c4b
-
C:\Users\Admin\AppData\Local\Temp\5cdf48e836ef03e620de940a3b\vs_bootstrapper_d15\Microsoft.IdentityModel.Abstractions.dll
Filesize 18KB
MD5 a11bd4da1799d6983a662073ce40281f
SHA1 6e85aca84bb83fd356a5f3018351a3152c696cc1
SHA256 d3265f1cab1188ebac29c78e0f114ff3a0b2701c8a2f5442bd4080afe92519b0
SHA512 424bdb2db612da935c570fed005de6cc2b0bb718c0e9c9c6942b0658169a41ac0ea1ea24a4542f7181c4ab102d3ca9190de695026304c834987e32417ef82825
-
C:\Users\Admin\AppData\Local\Temp\5cdf48e836ef03e620de940a3b\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll
Filesize 580KB
MD5 04775edbc8687663870e4236d0ee1ebe
SHA1 e508a323371be598aaabb6a7142258f1197f7e00
SHA256 a34e047e3957f51b993bd1f2819a37f67545f6b49f335575d8ca819dece3cd67
SHA512 9ff5b16797651c9ef4af4fb5d9d38c8f25d2e996770db7289bba12ad468b028074393f7fbd10ad0a1fc4601196d17b10086ffcb53edf28c60ddfe0dbb28adc44
-
C:\Users\Admin\AppData\Local\Temp\5cdf48e836ef03e620de940a3b\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll
Filesize 307KB
MD5 8533bebaa025a397f10e588324494e97
SHA1 93c30a4bb46c59451bf4b02662bc282f1984ed6c
SHA256 1675c894fb208e6412e017854b835144a2fe55a8ebbde1f2b4b14bfe4cfbc821
SHA512 cb12809a3a7590d50f900197ef2752e181ee9d1f6d163293e78a754de4952e7405a7c70ff94c12659502134be64968741f04e8ad804c9d62b61c36ea237bf5f2
-
C:\Users\Admin\AppData\Local\Temp\5cdf48e836ef03e620de940a3b\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll
Filesize 1.4MB
MD5 2a001dc022ee695ebd293494fc9febd4
SHA1 d5426adbc98ac17e468e3bd7e97c8b8f3ccc6624
SHA256 ba2a7ce28aeaa0e052b196006cd24e8672fe4dfefb56485f203ef1a614e67d0b
SHA512 95ee5863bb8fcf6b0959e41040f5d29d508b35f782a6f40f83723291f9e295cf179254ff5e79bcea4046884ffcb07b415d53f4b37d2ac1695db899e5063ca959
-
C:\Users\Admin\AppData\Local\Temp\5cdf48e836ef03e620de940a3b\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll
Filesize 989KB
MD5 812e35d00498b49bdb36b1c5c832b601
SHA1 6754bd78dd97fe0cf8a4a4d4e9e3850a6c296336
SHA256 181c4de1cf0721243d58ebbce905ab3c2c255ec70455a9b59420d6bcbe5e5aa9
SHA512 248166bc45fefc6ad43a4262b9d47174ba06f997addb6da6d6b799e3bd04891ee50f95171670e01f33fa1374b4874bf80a12dd2eac401fb9c7feb916555be096
-
C:\Users\Admin\AppData\Local\Temp\5cdf48e836ef03e620de940a3b\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll
Filesize 60KB
MD5 bbe6955b4695866de27bb1c1822a25ed
SHA1 adfa2f33e22fd852bf20f396ab8b908e772c1d5a
SHA256 b6f38af430ff17e9ce5721affdbb361cc8a35f7f4a81a1a03c7a4710ea2da124
SHA512 14c1ea1dcf6e3e98e79eed2fd2f5d79eeed48ae52992309ed8e68e0c3d62d3d761b3f103093d6ca8e48cff945a1f42e80eccf7b43eae828c5413edf47aab8864
-
C:\Users\Admin\AppData\Local\Temp\5cdf48e836ef03e620de940a3b\vs_bootstrapper_d15\Newtonsoft.Json.dll
Filesize 705KB
MD5 dc926df28065a5d355ad64107f7302a8
SHA1 3dd6bb9c69726eaa05cf198f5e0b7c14e03cda4c
SHA256 5ef06959f1d3355c4f15fbcc2aad17a31740dbdc74284bfd2dca6a7d651bc14d
SHA512 8745575c9099ab6a046098814c8135a1b85e61d8d73c6aaf9f41f04206624f0b625e1a4c73e1fb6f430d625080b7a8dada5119dc98a79a13f4807899b10a591e
-
Filesize 138KB
MD5 f09441a1ee47fb3e6571a3a448e05baf
SHA1 3c5c5df5f8f8db3f0a35c5ed8d357313a54e3cde
SHA256 bf3fb84664f4097f1a8a9bc71a51dcf8cf1a905d4080a4d290da1730866e856f
SHA512 0199ae0633bccfeaefbb5aed20832a4379c7ad73461d41a9da3d6dc044093cc319670e67c4efbf830308cbd9a48fb40d4a6c7e472dcc42eb745c6ba813e8e7c6
-
C:\Users\Admin\AppData\Local\Temp\5cdf48e836ef03e620de940a3b\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll
Filesize 17KB
MD5 c610e828b54001574d86dd2ed730e392
SHA1 180a7baafbc820a838bbaca434032d9d33cceebe
SHA256 37768488e8ef45729bc7d9a2677633c6450042975bb96516e186da6cb9cd0dcf
SHA512 441610d2b9f841d25494d7c82222d07e1d443b0da07f0cf735c25ec82f6cce99a3f3236872aec38cc4df779e615d22469666066ccefed7fe75982eefada46396
-
C:\Users\Admin\AppData\Local\Temp\5cdf48e836ef03e620de940a3b\vs_bootstrapper_d15\runtimes\win-arm64\native\msalruntime_arm64.dll
Filesize 3.0MB
MD5 96221a9536911bb7b04b78f0026b9439
SHA1 208d52ab83b1ee7e368c4ee4ad8c257b96a228ae
SHA256 a7adf1c32576e2350a692bbe575c6e47dbbc252bc7d3fa220d76635e08017966
SHA512 68b9f2b13ba79974c4b363104ee443fea7c5ca1cf3eaf8094149ada7488651edad9c8a9dad7c2ab70d41b9d58cb80b4410b80630115ff0d35a4378854788972f
-
C:\Users\Admin\AppData\Local\Temp\5cdf48e836ef03e620de940a3b\vs_bootstrapper_d15\runtimes\win-x64\native\msalruntime.dll
Filesize 2.8MB
MD5 c4b719fcbf6e1a0929a0e0fb63238f04
SHA1 a80c8f75053217c9ed6372ade34a9dad08bfae93
SHA256 e27d3fe39da1d019c3b419229c70798cab2ef739c2ff57d0f0197e203b7dd0c1
SHA512 ab13a2f1fd234d0e0443cd73c9e4ae67b4bd5b1d5a670b6ecf5a572a76a2c02db006412b7798fbdfe72ffa9c1cc76eb151735a00f7a06ce3b9c6f19c8b041c57
-
C:\Users\Admin\AppData\Local\Temp\5cdf48e836ef03e620de940a3b\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
Filesize 403KB
MD5 2fba884456524b453b0ddc8c422e3013
SHA1 b9e83827457f790e0b89895e1a30ea1b84866c0d
SHA256 9d19fe12134339923d815c4ba0d195d5cb55215427cdfffec7d7da821f416272
SHA512 b0ac2a5ebb5b7e56680e66aa5574bc5f343f879b7698a59286a925c3746357a67bdcc4d20d2394e99195b759542065772708f8c07b471ab862fbf83a1c1100f9
-
C:\Users\Admin\AppData\Local\Temp\5cdf48e836ef03e620de940a3b\vs_bootstrapper_d15\vs_setup_bootstrapper.exe.config
Filesize 3KB
MD5 6e70f080f0a5f3f052eeb0ce6703dc4d
SHA1 fd5fde5247508b4c4583a75ca020af6e140e23ba
SHA256 7314eb4bf1be5d751eb7a7939921972b7b34b58ce7aac743c82bbdded66f9236
SHA512 1c2f824255bb24ca02e9687ee7367eec4398ee5b84b448edfe00751122bce2ee07afb35a1824649b149b7160c3cb57d2eae2a3f93388a3d998494c129be5709c
-
C:\Users\Admin\AppData\Local\Temp\MalachiTemp\.vs\MalachiTemp\FileContentIndex\bf8b18f6-2e0f-47a5-bd2d-6e40d1e05fd9.vsidx
Filesize 107B
MD5 05e7d72df28fce48c84163b2a59ee8aa
SHA1 3d79db8b37db1d17fedca4e0d34e7b35211f610b
SHA256 e2c5aa10dea21878151263d01cf64aa6ce3f146ea42c473511b3a35ce6b91205
SHA512 bc171c72fb8074678a1f98f072b615e323abeb6097772f4fb85f9be42d499adc7aa93e0999f8a87736d0ab457d9f310ed37149d8c663c875aca26788789a0176
-
C:\Users\Admin\AppData\Local\Temp\MalachiTemp\packages\System.Runtime.Serialization.Primitives.4.3.0\ref\netstandard1.3\System.Runtime.Serialization.Primitives.xml
Filesize 17KB
MD5 6a5f88c606e3959f31e9da2480879503
SHA1 12b0e7fd7a52f4c5b8a8bf32d4f8c3f1370dd00d
SHA256 061c634272ffb2b9fd9aea2a7622511720cd133ed95a67ad18a80bad084cdf08
SHA512 e2d1ee64bf13b2ea916974be5fbb24ed87d1661a87ea6a392923ffae54d950b927da4f560b10563052bbe1eb671bb56d9a67109b61cf3c26a6ff65249a1f68b0
-
C:\Users\Admin\AppData\Local\Temp\MalachiTemp\packages\System.Runtime.Serialization.Primitives.4.3.0\ref\netstandard1.3\de\System.Runtime.Serialization.Primitives.xml
Filesize 18KB
MD5 7421bab30807ab002211033a86ffdd7f
SHA1 5750000c82a08c02b9b567362426e5ff669a763e
SHA256 f525c6e963e98a0d12c2f5f3d7f43864d1d58dde3801a7bb6bf332c21b2b0533
SHA512 44fe650ca0a08e041f83b5b9e250e5875b2516c4c9fae4fe773ebd1f7db3d14a651748578a5595abfa267890248d225f244bb3f3e534b383f6c8541c3d672ace
-
C:\Users\Admin\AppData\Local\Temp\MalachiTemp\packages\System.Runtime.Serialization.Primitives.4.3.0\ref\netstandard1.3\es\System.Runtime.Serialization.Primitives.xml
Filesize 18KB
MD5 b7ffc389093f78f139117f65a29c0d89
SHA1 d9e552a2e15d8f725243bbeea882292f23c6d5e5
SHA256 fe011502e2e8212c9778b1662c62e17fe925ef330635bf014311c59b08622beb
SHA512 469f736486a7d03216e48b03747d5a2f1149a658d68748aac374975be25c22afbaf5a0ec6714ec7d5d3225e698872660c19c345ddb0e58f424240c300e1f2382
-
C:\Users\Admin\AppData\Local\Temp\MalachiTemp\packages\System.Runtime.Serialization.Primitives.4.3.0\ref\netstandard1.3\fr\System.Runtime.Serialization.Primitives.xml
Filesize 18KB
MD5 8046177264c9ad3638737bc6e71a20c0
SHA1 07b5b6239e2aa771310519fbe23b1a48134d9caf
SHA256 07ca29b7b8c9e20d3ea191a646ce3b94b6ee5070fc7bd82f09a4b1327393ccb1
SHA512 818621beddf9d138327f3a44188f70ca4095841e03e0f4fc99e3ccb8fb711aad0a545f74b26952901bb162d4891da8973d1f2f56f9f7008dd6e0fd00f160bc7d
-
C:\Users\Admin\AppData\Local\Temp\MalachiTemp\packages\System.Runtime.Serialization.Primitives.4.3.0\ref\netstandard1.3\it\System.Runtime.Serialization.Primitives.xml
Filesize 18KB
MD5 c90620c3d56b934e0a329002e92b1db3
SHA1 286ba75d1e5f1229cf1bebcba61255dbe2e98713
SHA256 2f3498073dd68153e12fb88d75a4a93b1e1f11e502949197580b71849934aad9
SHA512 45a3e5dfe3502c29b18aaaa4c61da08b221174ef3334d5cfdbab1ddd375ae798536c64901fa1d052eb04d5700a395949567de53fb7fd87aff867eb68ca1437fa
-
C:\Users\Admin\AppData\Local\Temp\MalachiTemp\packages\System.Runtime.Serialization.Primitives.4.3.0\ref\netstandard1.3\ja\System.Runtime.Serialization.Primitives.xml
Filesize 19KB
MD5 cf87d63b06f68704cc39e2e6029fbe59
SHA1 030e3c88a7e247461b96996afd73eae91c652f75
SHA256 eedb9fabd93dee4edfa46cb0f166b912b6c1944a821d1df38b4ecbb6925428ea
SHA512 c6dc509e54a1922c5c332db5d2e117e6e3e0414009adc5f357d4064137ef034fc1212d426f4cbdf9693d87ccbf3d56482cc171926c49090997c31f53c4bd8b02
-
C:\Users\Admin\AppData\Local\Temp\MalachiTemp\packages\System.Runtime.Serialization.Primitives.4.3.0\ref\netstandard1.3\ko\System.Runtime.Serialization.Primitives.xml
Filesize 18KB
MD5 232903e85302162cf27e767189756b86
SHA1 e61e5fd28bf81ac8a9a8a3a24f469452c3a723f1
SHA256 0878bc493921e1d2648de9d2455e5243f2af87a92435a45e2807b779d943a067
SHA512 861f7ace65f629ead6f7a269d62c431580ad85008dd97f88d36e7b9ee76bd7c921ea1ef115c300508484c5bc7bc9fd9acd7640d741bb1519fdf121cb16486b73
-
C:\Users\Admin\AppData\Local\Temp\MalachiTemp\packages\System.Runtime.Serialization.Primitives.4.3.0\ref\netstandard1.3\ru\System.Runtime.Serialization.Primitives.xml
Filesize 23KB
MD5 2caa21bfd3e49f7709abe9085f6e71f9
SHA1 fb564a33a3abe644468c17712c92f597ef9eeb83
SHA256 812225445bf7747544656b78a8a7124b474a88de09efcdf3e5bae2bbb5dab7c6
SHA512 cac7d2782fbcd51624fbbaa179283f9b3088a9d6f125608e3df9e48011b8376d5b5bc17e57c716313726c237d5a32a3ceebea44eeed8e56684d2b289160a9591
-
C:\Users\Admin\AppData\Local\Temp\MalachiTemp\packages\System.Runtime.Serialization.Primitives.4.3.0\ref\netstandard1.3\zh-hans\System.Runtime.Serialization.Primitives.xml
Filesize 16KB
MD5 33b266ff406eada9755461d0bf964a6c
SHA1 f8f4396325cbc0b2226a4fdc18043cf200e940fd
SHA256 5d4e90abbef96fb28f03860a40dd0d4ae3a81d6173716b78af3a23e7f5d0005a
SHA512 5fe504634f26a8c85a283046d4c5dd2133e197725f4622fc860d40866b817affe482814572e4d9496a2382bbefc3deb0191314511b0c429e1aefc2c62af87dfc
-
C:\Users\Admin\AppData\Local\Temp\MalachiTemp\packages\System.Runtime.Serialization.Primitives.4.3.0\ref\netstandard1.3\zh-hant\System.Runtime.Serialization.Primitives.xml
Filesize 16KB
MD5 199a885886b17db63f3e8b391d040650
SHA1 61434ed60f257c72d3b4eedb5b7300a65e267c24
SHA256 1ef286575c8d068e26b2eca645a1b26c9ce31ae4431ef87ca29a1f2a756b06c1
SHA512 ecfaf06ec848bcb75ffacdfc482389e856061058e0da7e45d1712630ed96a9f87a41e7c06deea064c2d2d05508b44fd77f563e6d2fadfae7537a49103e9490bc
-
Filesize 103KB
MD5 043c00d4d0b65f591fa3e6230c303a9e
SHA1 b8d7aa799801234ff456709ac2d5172190536235
SHA256 c2c476231c78476f70a02754d055c7e21d6fedfa33dc17779a14b79f3bd1f851
SHA512 8b80ac516fa4092e1a4d495da5f7db15294e28d6c50825320c21a1af6c92d7e6ecbb145da493766f49f76fa8f7037bf15454601b8d3d3ab7f6efb2c2d8ef8297
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir4012_1145859760\CRX_INSTALL\_locales\en_CA\messages.json
Filesize 711B
MD5 558659936250e03cc14b60ebf648aa09
SHA1 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727
-
Filesize 479KB
MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize 13.8MB
MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize 2B
MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\AlternateServices.bin
Filesize 12KB
MD5 cbb4370699439f39b49d01e121be6a2c
SHA1 f5808eaf735146303f7715a246db65f79c9f9994
SHA256 bd143e63d8d61c5df6197a311ced9651d127fce8eeab0d355f0412a77232db4a
SHA512 8697337c7b0f8c467bf07c6e2e1604cb438bfa61bbd81b2372ac410fe5b9c9dd6ae8d0c09f22baadeaa69cdea4d307b58d997bdd525dfa344dc63bf132b5fa34
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\AlternateServices.bin
Filesize 6KB
MD5 9d9924fb353dd0df659b9367fd5351d5
SHA1 80c1ddf44f450ca3041d3bf6f2ab53b38b8d2331
SHA256 d101b711148fa8642e5b36db917dba54d0429e73cc08b6e20e0d26fd44f8bbeb
SHA512 f9074ab35b63a19b624f0058f66eb30b24b825274e4690223b5be5c455a8ede7d27ea7c8f1afcd3cd7bb2038c040c01f5919c91f5f73a7ff2b9ffa8f2a5d6dd5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp
Filesize 5KB
MD5 bc3ec699f9b5ba9f35cb0552b30907eb
SHA1 7cfa040fbc8ed8d1ae90f236194125de26146372
SHA256 3985556f0c8bd712171b226ea3f57de0fc05a2e4d41483069c41f16f3fc3b77a
SHA512 b1484df12d07ea68097fc39b106d614614f809d67ea0becd2b92ec4545bda5aaf536cc0af90d1e167a07d3f5665283c43c29975ab8ada9ec41f702f69c5b40f8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp
Filesize 17KB
MD5 1d85f2f12ecdfa1bd4836ba27a69620d
SHA1 13f675ad5ebfbfffc608ad1952d1fd35817f368a
SHA256 a8fd25dd87fe39c5a96a1d716e52d18b2d8a5ecc1c7b86e8cd0cdcf0a0011aa4
SHA512 042fa6f2a4cea1386a366e2557e2864d995295d17cf2a5c7525e7a53d23fc93be04f0ccf3d9fe83acf0b1f44d39977e0bfe063f102010b2d63a7089cc5ead985
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\pending_pings\46561d67-64fd-4098-a5c8-497dedb6c850
Filesize 982B
MD5 6f51d0c27d79672a08690713b56fea4e
SHA1 37a785cbffea8a462d574053e64d2fec280c54a4
SHA256 b698ce1dd46902337446d9725555730c3cbbc4b925045063e2bf26f9f774b77c
SHA512 9fb40bfdb40c016e958ca873eeb39dcc36526f29518465a8879ffc7ba2ad3ed3280a6a05ec2ed55c0662ac6a3129b98ec56888ef969877efd71c33da2e1613f7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\pending_pings\49f96950-57bc-4c43-bdbe-f1b6bf2c814d
Filesize 8KB
MD5 2343f874555d32cccc5a9d050de880b6
SHA1 0aa378dbc07725b749a758ce8afb3d41bd413b61
SHA256 d8851cb6ed7f83555e88664971ede938f7badf4c2e573c16688fc3f1df94a12b
SHA512 b45e45ac7b216dcda44ab0e6ea81b7fd26ad21f9c055d6a95c89974d64b2b01a122a83dec2a0f8a89d643911e9a4c187d67d5a753d4ff77d98163b67c0ef0849
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\pending_pings\9783c8b4-171c-4ef8-ab39-51d7f041fbe1
Filesize 671B
MD5 3e10103715c99d785feec27f935bd51a
SHA1 913f74e03e07ed07e5ef02694352087916dc83b5
SHA256 acb2910adfea7980c72aeb68af20d70a8fa941e4d73b69fc3ea796b1bfa8b517
SHA512 ddc1c4606a9b0ab5802bcf4aefaffa4eb217ac12f8882a8293aa45a7928d28334239c088b718c9fc0ebd934548956a4b913374796fbd824c4cca22fbdc2a8d2f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\pending_pings\aab6f2af-e9f8-4a9b-b988-a5224cb28c18
Filesize 24KB
MD5 90de294292adc352558931c72cceb09d
SHA1 c6c98b383a60825665ce7e43a2e91475d556bdff
SHA256 4815793bcc926ac4d1c786f0aaf37f96bd43266ea13b56193741e8e7040c26b5
SHA512 6f504db7ad0addb2548fb656399c74e8c3552480cf71f73aa98bdd85aaaa3dfec5ddc829fe961534b601b1f46b7854166293ecbd3b9cd22d9489d29e379738f0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize 1.1MB
MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize 116B
MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize 372B
MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize 17.8MB
MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize 10KB
MD5 716880db59387f06c401bbd7fa05cf3a
SHA1 84ab18bebb8f4368f2f93deab88f036f9eac93c9
SHA256 1347e23c8634ad7bca93ada8ec11f2cefb253698eca552d13db6085cbea84b91
SHA512 2b2814565193c3bf4babc5155091d4775d0fe84adc21344da9fc4c2440bc0cade900fde3127de9bc7ccd7040333783b2e2c05c2030d65ec76c577760cc978a6a
-
Filesize 10KB
MD5 7b2679d2c4b14a38f261af1771cdb6a7
SHA1 830d334ea02323b05dff5db8df9a3e7f435dd680
SHA256 6ce3a24355803b7691d458520df0e102816fa28dc5fccb319d2340eb7fc09564
SHA512 4ebfad587b27dda08d0283208810d8f7923ac882f55a5539700ce46cf9ba2bceaa770dde06db974c6a53c119f4030e6c0e52228faf2838b27b52909ff2ca3f44
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4
Filesize 3KB
MD5 25edd8829abde9242cce6d7ecbc3763e
SHA1 4ba77a5d8db40c0f22bacd1388f3a44bf331bffb
SHA256 8f3987cffca5dc67d876a281f71e665b79842942b51f5f3e9f78cb446bcaae61
SHA512 c10cbbc3e1d1f07a05677d534208887e1a55a7ee601c4affe88b258abd214cd06decb8bd71a4ac0d90e8c7a2aaaeffaa265588a6482524299a94c0b8777dc362
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4
Filesize 4KB
MD5 ca30ae3846642d3b502ee08092598f1c
SHA1 ee28636c5015d5b243f58de461b3595c17f1e353
SHA256 878335a8945c59cfa1d9503bdcc21d9ce3bed97e003d7a56f23ab1802a3229ed
SHA512 507b88e9c0d76cad661476f0ffde0cf9f0f94b51411018367cd6688c394b7552091c4174fdd62053e4c5520dee10a6c030624ec0c61e46b278c6c5fd7ef05c04
-
Filesize 15KB
MD5 32b0f5410541e5056e4d21052884a006
SHA1 5791283093fbe7165b798c0c712f5f158f12d456
SHA256 69560d040883513aa2725fa3545a097cc9d475e6334c77306461ec080f223f5e
SHA512 5afeacfe27a81bb08c61e86e058e20b036b6fcc123dd421fad6db5f8489b2dcbc4333a45b8e2a56c9ef410aec5cb3bb4a76c742a225671b9d95fdcbd8eb45f2b
-
Filesize 4.2MB
MD5 1ec10cd7aa279506e7d9327d64380868
SHA1 0683584299f46a88657a98885c1fb98a8c833c29
SHA256 551d3d8e084c85ead986298c9bb4adce88b5aea356f868bcb0ae985f185bdbe4
SHA512 4379329696416f87cc0b695af30a51bcb814f90ccc030e03c6f5c380e86ded4d7fceefc094a698d7ea52cd914282c2bb1196dca5673ab4487aba1846ff5bad89
-
Filesize 26B
MD5 fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1 d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256 eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512 aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
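The dropped-file listing above is the part of a sandbox report an analyst actually reuses, and copying digests out of it by hand is where triage mistakes happen: the report's own export runs the label into the value ("MD552c4..."), sometimes puts "Filesize" and its value on separate lines, and leaves some entries with no path at all. The parser below is an added example and is not code from the sandbox vendor or the original report. It turns the listing into records, checks every digest for the exact hex length its algorithm requires (so a truncated or label-contaminated hash cannot silently enter a blocklist), and exports only clean SHA256 values. The sample input embeds two entries copied from the listing above and one constructed entry with a deliberately truncated MD5 to show the rejection path; the field names and the `DroppedFile` record type are this example's own.

```python
"""Parse a sandbox 'dropped files' listing into validated IOC records.
Added example, not part of the sandbox report.  Tolerates labels fused to
values ('MD552c4...'), 'Filesize' split over two lines, and entries whose
path was not captured."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
_PATH_RE = re.compile(r"^([A-Za-z]:\\|\\\\)")
_SIZE_RE = re.compile(r"^\d+(\.\d+)?(B|KB|MB|GB)$")
_HEX_RE = re.compile(r"^[0-9a-f]+$")


@dataclass
class DroppedFile:
    path: Optional[str] = None
    size: Optional[str] = None
    hashes: Dict[str, str] = field(default_factory=dict)
    problems: List[str] = field(default_factory=list)


def split_label(line: str):
    """Return (label, value) for a report line.  The label may be fused to
    the value, space-separated, or alone on the line.  A hash label is
    accepted only if the remaining digest has that algorithm's length, so
    'SHA1' followed by a digest beginning '256' is not read as SHA256."""
    for label in LABELS:
        if line.startswith(label):
            rest = line[len(label):].strip()
            if label not in HASH_LEN or rest == "" or len(rest) == HASH_LEN[label]:
                return label, rest
    # No length-consistent reading: take the longest hash label that fits
    # and let validate() flag the malformed digest.
    for label in sorted(HASH_LEN, key=len, reverse=True):
        if line.startswith(label):
            return label, line[len(label):].strip()
    return None, line


def _assign(rec: DroppedFile, label: str, value: str) -> None:
    if label == "Filesize":
        rec.size = value
    else:
        if label in rec.hashes:
            rec.problems.append(f"duplicate {label} line")
        rec.hashes[label] = value


def validate(rec: DroppedFile) -> DroppedFile:
    """Note every field that is not what its label claims."""
    if rec.size is not None and not _SIZE_RE.match(rec.size):
        rec.problems.append(f"unparsable size {rec.size!r}")
    for algo, digest in rec.hashes.items():
        if len(digest) != HASH_LEN[algo] or not _HEX_RE.match(digest):
            rec.problems.append(f"{algo} digest malformed ({len(digest)} chars)")
    return rec


def parse_dropped_files(text: str) -> List[DroppedFile]:
    records: List[DroppedFile] = []
    rec, pending = DroppedFile(), None  # pending: label seen alone on a line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":  # record separator used by the report
            if rec.path or rec.size or rec.hashes:
                records.append(validate(rec))
            rec, pending = DroppedFile(), None
        elif pending:
            _assign(rec, pending, line)
            pending = None
        elif _PATH_RE.match(line):
            rec.path = line
        else:
            label, value = split_label(line)
            if label is None:
                rec.problems.append(f"unrecognised line {line!r}")
            elif value:
                _assign(rec, label, value)
            else:
                pending = label
    if rec.path or rec.size or rec.hashes:
        records.append(validate(rec))
    return records


def clean_digests(records: List[DroppedFile], algo: str = "SHA256") -> List[str]:
    """Digests from problem-free records, de-duplicated, first-seen order."""
    out: List[str] = []
    for rec in records:
        d = rec.hashes.get(algo)
        if d and not rec.problems and d not in out:
            out.append(d)
    return out


# Constructed sample: first two entries copied from the listing, third entry
# is made up to exercise the truncated-digest check.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\5cdf48e836ef03e620de940a3b\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
Filesize403KB
MD52fba884456524b453b0ddc8c422e3013
SHA1b9e83827457f790e0b89895e1a30ea1b84866c0d
SHA2569d19fe12134339923d815c4ba0d195d5cb55215427cdfffec7d7da821f416272
SHA512b0ac2a5ebb5b7e56680e66aa5574bc5f343f879b7698a59286a925c3746357a67bdcc4d20d2394e99195b759542065772708f8c07b471ab862fbf83a1c1100f9
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Local\Temp\example\truncated.bin
Filesize 1KB
MD5 0123456789abcdef
"""

if __name__ == "__main__":
    for r in parse_dropped_files(SAMPLE):
        print(r.path, r.size, sorted(r.hashes), r.problems)
    print(clean_digests(parse_dropped_files(SAMPLE)))
```

Records with a missing path are kept, since a digest is still a usable indicator, but a record with any malformed field is excluded from `clean_digests` as a whole rather than field by field: a listing that mangled one label may have mangled its neighbours too, and the safe move is to re-extract that entry rather than trust the parts that happened to validate.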