Analysis
max time kernel: 426s
max time network: 432s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 11-01-2025 21:03
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://dandev.online/fastpay/fastpay/2997/
Resource: win11-20241007-en
Errors
General
Target: http://dandev.online/fastpay/fastpay/2997/
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe" | NoEscape.exe
UAC bypass 1 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NoEscape.exe
Disables RegEdit via registry modification 1 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | NoEscape.exe
Loads dropped DLL 1 IoCs
  pid | Process
  4316 | vc_redist.x86.exe
Drops desktop.ini file(s) 2 IoCs
  description | ioc | Process
  File opened for modification | C:\Users\Public\Desktop\desktop.ini | NoEscape.exe
  File opened for modification | C:\Users\Admin\Desktop\desktop.ini | NoEscape.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png" | NoEscape.exe
Drops file in Windows directory 3 IoCs
  description | ioc | Process
  File created | C:\Windows\winnt32.exe\:Zone.Identifier:$DATA | NoEscape.exe
  File created | C:\Windows\winnt32.exe | NoEscape.exe
  File opened for modification | C:\Windows\winnt32.exe | NoEscape.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vc_redist.x86.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vc_redist.x86.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NoEscape.exe
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Enumerates system info in registry 2 TTPs 3 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies data under HKEY_USERS 15 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "200" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | LogonUI.exe
Modifies registry class 4 IoCs
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\MuiCache | MiniSearchHost.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2253712635-4068079004-3870069674-1000\{8AD389FE-0A2C-4B21-B779-711B2884ADE7} | msedge.exe
  Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings | firefox.exe
  Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings | msedge.exe
NTFS ADS 2 IoCs
  description | ioc | Process
  File opened for modification | C:\Users\Admin\Downloads\NoEscape.exe.zip:Zone.Identifier | msedge.exe
  File created | C:\Windows\winnt32.exe\:Zone.Identifier:$DATA | NoEscape.exe
Suspicious behavior: EnumeratesProcesses 16 IoCs
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
Suspicious use of AdjustPrivilegeToken 2 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 3512 | firefox.exe
  Token: SeDebugPrivilege | 3512 | firefox.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 32 IoCs
Suspicious use of SetWindowsHookEx 3 IoCs
  pid | Process
  4784 | MiniSearchHost.exe
  3512 | firefox.exe
  5412 | LogonUI.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://dandev.online/fastpay/fastpay/2997/
  PID: 4104
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffacf983cb8,0x7ffacf983cc8,0x7ffacf983cd8
      PID: 4884
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,2994132731022604554,8891080960827651621,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
      PID: 3040
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,2994132731022604554,8891080960827651621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:3
      PID: 4556
      - Suspicious behavior: EnumeratesProcesses
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,2994132731022604554,8891080960827651621,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2508 /prefetch:8
      PID: 2664
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2994132731022604554,8891080960827651621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
      PID: 2964
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2994132731022604554,8891080960827651621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
      PID: 4116
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2994132731022604554,8891080960827651621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
      PID: 2220
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,2994132731022604554,8891080960827651621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4632 /prefetch:8
      PID: 4796
      - Suspicious behavior: EnumeratesProcesses
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,2994132731022604554,8891080960827651621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
      PID: 4132
      - Suspicious behavior: EnumeratesProcesses
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2994132731022604554,8891080960827651621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
      PID: 876
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2994132731022604554,8891080960827651621,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
      PID: 800
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2994132731022604554,8891080960827651621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
      PID: 4164
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2994132731022604554,8891080960827651621,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
      PID: 128
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1888,2994132731022604554,8891080960827651621,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5096 /prefetch:8
      PID: 3548
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1888,2994132731022604554,8891080960827651621,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6020 /prefetch:8
      PID: 1504
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2994132731022604554,8891080960827651621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
      PID: 4924
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2994132731022604554,8891080960827651621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
      PID: 4028
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,2994132731022604554,8891080960827651621,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4668 /prefetch:2
      PID: 5372
      - Suspicious behavior: EnumeratesProcesses
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2994132731022604554,8891080960827651621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2616 /prefetch:1
      PID: 5124
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2994132731022604554,8891080960827651621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
      PID: 3280
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2994132731022604554,8891080960827651621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
      PID: 1116
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2994132731022604554,8891080960827651621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
      PID: 5380
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2994132731022604554,8891080960827651621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
      PID: 2344
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2994132731022604554,8891080960827651621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
      PID: 1004
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,2994132731022604554,8891080960827651621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3476 /prefetch:8
      PID: 4016
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4032
C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 968
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  PID: 4784
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3124
"C:\Program Files\Mozilla Firefox\firefox.exe"
  PID: 3240
    "C:\Program Files\Mozilla Firefox\firefox.exe"
      PID: 3512
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1824 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {62795867-7db3-4cb7-b649-6767d4b37051} 3512 "\\.\pipe\gecko-crash-server-pipe.3512" gpu
          PID: 1016
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2376 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef5ade21-2dd2-458c-9c27-7e7fa692f7a9} 3512 "\\.\pipe\gecko-crash-server-pipe.3512" socket
          PID: 700
          - Checks processor information in registry
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2904 -childID 1 -isForBrowser -prefsHandle 2908 -prefMapHandle 2976 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2dd2f454-446f-457f-aae4-37e5587a0135} 3512 "\\.\pipe\gecko-crash-server-pipe.3512" tab
          PID: 2772
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3792 -childID 2 -isForBrowser -prefsHandle 3264 -prefMapHandle 3364 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a8bd388-9547-4a32-a16e-eff1e2efc457} 3512 "\\.\pipe\gecko-crash-server-pipe.3512" tab
          PID: 936
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4464 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4420 -prefMapHandle 4456 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77f0f99f-ce53-4e70-8da8-360f1f45f157} 3512 "\\.\pipe\gecko-crash-server-pipe.3512" utility
          PID: 5380
          - Checks processor information in registry
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5484 -childID 3 -isForBrowser -prefsHandle 5564 -prefMapHandle 5560 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f6d84b5-77c0-48ff-8a76-0db0000ad01f} 3512 "\\.\pipe\gecko-crash-server-pipe.3512" tab
          PID: 6044
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5704 -childID 4 -isForBrowser -prefsHandle 5536 -prefMapHandle 5540 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8904a58c-1df0-4f34-8d28-17714470a3cb} 3512 "\\.\pipe\gecko-crash-server-pipe.3512" tab
          PID: 6056
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5848 -childID 5 -isForBrowser -prefsHandle 5580 -prefMapHandle 5484 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {39698a9e-7dc4-4f03-94a2-ea312f16b1f1} 3512 "\\.\pipe\gecko-crash-server-pipe.3512" tab
          PID: 6068
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1908
"C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe"
  PID: 2304
  - System Location Discovery: System Language Discovery
    "C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe" -burn.unelevated BurnPipe.{59B57084-0C9D-43EA-BB3A-68959271D073} {6A719E78-BFBA-4DEA-9EC7-106E3DFF0FCD} 2304
      PID: 4316
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
"C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"
  PID: 1780
  - Modifies WinLogon for persistence
  - UAC bypass
  - Disables RegEdit via registry modification
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - NTFS ADS
"LogonUI.exe" /flags:0x4 /state0:0xa3a1f055 /state1:0x41c64e6d (image: C:\Windows\system32\LogonUI.exe)
  PID: 5412
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (3)
Downloads

Filesize: 152B
MD5: e1544690d41d950f9c1358068301cfb5
SHA1: ae3ff81363fcbe33c419e49cabef61fb6837bffa
SHA256: 53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724
SHA512: 1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da

Filesize: 152B
MD5: 9314124f4f0ad9f845a0d7906fd8dfd8
SHA1: 0d4f67fb1a11453551514f230941bdd7ef95693c
SHA256: cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e
SHA512: 87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5c3d75ba-2e38-481b-b0af-59766bcfd4d4.tmp
Filesize: 1KB
MD5: 03c11d027c3ad22f0384a2da0edfefab
SHA1: a3c85b0862d47d897bd1319e6b984d0a60aaa03d
SHA256: f98abf0fcdff9df75c608a3274e04e852a48a8dae494045660b43fd17665e722
SHA512: eb924c5d3fee9fc3ac0d539d2eb3e5d9021ba06605141ee24217acb0790d9f0f5bd8b3a7f0cd9f32eada2364b45723dbb6dbbc99bc3cff4fb8797bdc069a1541

Filesize: 215KB
MD5: d79b35ccf8e6af6714eb612714349097
SHA1: eb3ccc9ed29830df42f3fd129951cb8b791aaf98
SHA256: c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365
SHA512: f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 3KB
MD5: f782a2a975ae3b6ad54b10efec39483d
SHA1: df9b474e33d2b25974e8caf0699e5b30e3a47299
SHA256: 7057021c0689fdb3d21315c772bb4d63a8a7a8546608fb702b4cdcb5141b3bdf
SHA512: 32c939c320201d040881b140092a55398b5e39d1b3ca57bb423fcfbff3e7383853b14f15542a79a1d8b756dc759ffcd2f372b1559be9486f5ca0ddbf61dd6395

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 120B
MD5: 26f522ba3bd6437167a9265fbf788a84
SHA1: 1a326264bc62eb3f2b776cca07ce17a13ac8e011
SHA256: c4dedd6888800f8a805c44311cb8980f856e2702bfd380e4eba30d6d7433130e
SHA512: d96c3bddf19ac91d9917bd1596122fdd5bae98aa895b08d8dc9fe69ba0e758922e035d67fc3618ed3a23d82b4c9514e255cac838b99cb55b6c16eb9349feca7c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 672B
MD5: 3a75bd1307377cee45064200235484c0
SHA1: 7c49f5731500cdf46d6602e4def7269e2bed2c7e
SHA256: d089e96dff233469b0d77635e3e8c26deb1733955e0438d3a015d3aa210c8b74
SHA512: 8423e1cfb3c9ae94e14276a5051f3c1aa81a95f4788b9be66b5223607e6e8f2b4876dd577e078e9bc524ab976e079b2fe368e88f144f4fc439e242270e22ff8a

Filesize: 1KB
MD5: b9522ff93f12ed6fb249fb695776e983
SHA1: e5d25e457279fed66f613a6d0b164fb673890fe1
SHA256: 59f4604a7826b8f4928135317f4717f4b93bb2cd85efdebeb244209b2b638f80
SHA512: 5dc2d4c98dd0bff3f7b4731ba9ef2e819ec2dd877166fe904f9e9c2a9b72bcdb69e0032b2c6a9037b6eb0fe60a29d8dd0695b33409c8f955e0c3493ecc0cc3d0

Filesize: 1KB
MD5: fc6da63f5ec2f27136e8ca2321b9774f
SHA1: 6dfa6305ef6b2915e4c2028e5abcb681d7177032
SHA256: 1b65cb876d5b6eb3541a3f053b9f21edab7c3ba8e69ed9599926cfa6f75ddddd
SHA512: e109e4325f8c098e80ac1c8922391e780665015f82f398bc60311f2d95ba58c407db54de8fd3fb2d212246e4499246edd3cf883508bd83641d2966e968043744

Filesize: 5KB
MD5: 712a4e8c405e1d66999d3cf8be811b55
SHA1: fb06c5948a3a86454e2fafbb0a23bd3a15b2ce38
SHA256: 01386406566e821610542a71d5fcdf6a7e3b2c7b3a0d065012f8c56a264cadb5
SHA512: f8fd61128a47a1004e47cff7b9073437477534ffa7252cb7d52171e79ce96b0451bb3fe329df35cc59767489798230d884004010e49ed861b19820dfb754881a

Filesize: 6KB
MD5: 2de18cca05d7daec3e20d749ccea8f97
SHA1: cf9f44d4ad41689016777154b9a9dfd1d6eaefa4
SHA256: 86ba54b439abc8cfd18622e38220facc565a379addccdf4822842d5b996a4b1b
SHA512: 73ae53e1b9a70d000fb9245ffe57de3635eeedd95ea73b9a0144b79c9ae0255db144f1c7e91ea390e77dadc5332bacb56666a0556ded22c281f6dda2d8bfc6cb

Filesize: 6KB
MD5: 730df3a47b342b8eb4881c7920cc2de4
SHA1: 620f8050aff536280dc8920c6f9f24ea84bbb01c
SHA256: 7459edca3d98c8fdaf289dcf3f72a622c2ffd4365e22a6dd0c4dc852b971bef7
SHA512: a07f957ccc6e5a7155bf85089fbb9c5657b9b7fb02b4bf5c786dea595b421a9775727cf29a1049d9b74b36cf4adb56fb211f965930c04d55d876c223b431e64c

Filesize: 7KB
MD5: d0b390c753db618b826eb3c0c3ce9a2a
SHA1: c78b65edb07cf5df47e889686df67b2c599df53d
SHA256: dacecbd70e33a858131f571f47f9a73c8f355746e265852a8d08db6e94870653
SHA512: 01e22084dad81b8e320b9607ed9a0ba335281559e2759d63d3ba06e800ab3dd5633e0f930426c7cc6eaac2fa495b06f09f1ceb157c3818b935ac43b24d964d02

Filesize: 7KB
MD5: 6a7310de00b9446946d94ad091becf55
SHA1: d264e0da8f062d91f3a1584d602ad9caa9121209
SHA256: 56d7bfb688ab44e971aaf356635d2bc7dd795110510d90591984886961f9fcca
SHA512: 6f4e4c9687f7a2e41622bbe6e7c97d5162d4e5dce3f0a5da9e7c5537b3f62693b4b0e7f71e4d95d960469525e11ae9bdb7f89b77e0d8539d7051d41fb67de577

Filesize: 1KB
MD5: 5d91b5b42bc226f34ba279af0cd9f237
SHA1: b60c1769acbb1dec07d0548fec27f473898fe80b
SHA256: 88112bfbe19e20cead4605342d8577f82633169d8f0136309710a5d1673b29ac
SHA512: c411882b1a7905957b616b1c45631d98fef3f2c14c11faabb2f84c45b9291bd03a5fec8e42b5980710e377a28be5b23666429fb3f3c081abf0ec4eb00e4a6622

Filesize: 1KB
MD5: cb330ad8ae74b2874770393ced9e41d1
SHA1: c93cdaa50a3d3974faee8e6f6aa5e58727761eea
SHA256: bed9222cccad622a46e7d08759c81b400045ae2e044d102ae2734b8f9ab7e6e0
SHA512: 19bdf0f75004c2a8a875aeec907f4de888f19674f3cae926eaba30df3498ceb3071a4fdcc30514133110638e7aded81336ae831823b362142937bfaba4f4843f

Filesize: 1KB
MD5: 7e892d4fb4ae696e0996cdd08842ea47
SHA1: 2ee750ada9c8980910d6279521f01d6879278c6c
SHA256: af88ab1f50093cbf5af48c83a9435e824ddf34a8abf86cf107127c94a6a24b7f
SHA512: d961a1ba872f028ce1a0433c1d12eb97cf37a86901893adff862e903c97480cccfd46488c25171f7e14456cc49e013f90bb6d10e94769b286b0b4ed4d4ea4588

Filesize: 2KB
MD5: 91cafcce2a2e81336473e0cbd36510f4
SHA1: 41a2047ec87eafe3d66f0c9cfa70e0147ab61e78
SHA256: 8b9a5b702e23becb94acbf6e42c858f0c7cae4262bc3dbed07850f15cdafbfcb
SHA512: 43ba9d2eaf7fd37d56523cc20ed949e56bc0c2037e05596a167eb062bfbddd7d44b19a3970d411fef9be5f71ab6b57ae1e8e69fad23fa201210b157295ca3d0f

Filesize: 2KB
MD5: 7a957d0902ad23855169666fcaba32ac
SHA1: 838fadb725c10831e4af65c5353a5b1b350246fb
SHA256: 232d4b4884d206e1ea556774a91ae4a3178ef4b2982f957f65cc77e4fbc773e5
SHA512: f28f31e007d89dd26bccce227b009b08b172c290a2a85b7f811037486bb69d45b79adcc83e727c2eb16c85bae513211d15f8623190e1c4a487805aef9330766b

Filesize: 2KB
MD5: 7ff85995c9f6576afa9ede14cfe06e04
SHA1: 56b4af6c35da82271608c5194ae11dcaf96239b4
SHA256: 09715b789b7f884386e9b13516a084b75a1b8f9dd0997bbf32d2a654b40bb455
SHA512: f50819ec676ecf6526b8e9981da3bf076032004042e7803d3a5d812a6294e532ec8d268fc4add32f9cb5901244eeb6d6f241dd28fc33b38970ebf137a6c78f61

Filesize: 538B
MD5: 16393f44e69fb1c07b7d47246daee1c4
SHA1: a234d60efc805996d6c420bf1dfd07206113a28b
SHA256: a9fa8bfe8baca3f443b1512b025ef4726154577254df1302b98178b9d920905a
SHA512: 0cc2e1bb9e4ff176f4c65284a045a8e626937666f83e94385a834d7c42a9454b0506f9fd2f2cac23a9f97385d0397881e5a048cbea71535a965298f24c497b05

Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Filesize: 11KB
MD5: 290074e54194f02b7e9eb2511e865751
SHA1: aa3b2559f7ab183933954fbca6dae073e979913b
SHA256: dd486a1d13cbb46018e6a93df7f84faa0a19032e409174863c534f07f796e1da
SHA512: 72047965d7fd98a19e2a284df71aa0e3fbbecac5740fd3136c04abc272b1583ea54f0771a2270a2d2b6f90ff1f749fbcda55158e9897762ec63a37aca3d00154

Filesize: 10KB
MD5: 0eb8981839a4660434ab4ed71ef34bdf
SHA1: b7f0bfafbd466131b4ff5a24bf1f4386e88a3c84
SHA256: 6cc77e9992ded1876e396d23df877673134709dc7c9fde1d94aaf9442b22df46
SHA512: 5dbfd76cdc1f91d64666f8b982206dc3c7273699e79385c0ce7914404099a76c874d6beeb1cb2eec7b6a87a9e42c29de4011c03bb966e125ee8525f8a3a66fa7

Filesize: 11KB
MD5: 5b824916dd5b3966a398de7e128854c0
SHA1: 563f82faf1aa46955e8e84211e520502645c9ff6
SHA256: 2f95f30168390e0d3281cdb1aa695c1d0d38f9e3881c9949ec49d126a5412c69
SHA512: 52edd3f24424583ef2d17e0951aec7a5f2a2a8ed8acd18111b1d8a0b5797052c21fdda91e4e06d273e2e37e70def86750e9552b7e9a0953e4698c8f95cc383b1

Filesize: 10KB
MD5: 5b5dc5e5f1af6009fac09cc40a365745
SHA1: 3eca0aa32e07ac34f70bacabafc255deb6043e7f
SHA256: 0a318a7e2c491e694d56c9e69fa5cb290f7a03f4875825f1bbdcb01e96ed4a5d
SHA512: 2afa377e5d4fa69a4bf4781563bdab04fd2ef8922e8571f669c9e04ba3be1bbce043ecbf5ad51989f550f1eb72685fa00088d61fd0cf2fbddb47abdec95727fa

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jj59r4xg.default-release\activity-stream.discovery_stream.json
Filesize: 21KB
MD5: 1da12e993e5e0318a07047191a135d95
SHA1: 4a3177b58a90ffeff5be0b2cc3cde75f3cd4bcd4
SHA256: b2b6ec4d6f4d736c692910e7f7fa69e580fa4e6595efd4ec9aefedad4b39bc52
SHA512: 1d8fcd1f87a5ba3a2894521d9f3a34cc20a73dc06e9b6f3f284225be3dc7759a8e3e5f6c3f108e32a5b181fee50dd9e96c47fb352e3d679a91ff4ae36f66140d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jj59r4xg.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize: 15KB
MD5: 96c542dec016d9ec1ecc4dddfcbaac66
SHA1: 6199f7648bb744efa58acf7b96fee85d938389e4
SHA256: 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512: cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize: 10KB
MD5: 77a8b2c86dd26c214bc11c989789b62d
SHA1: 8b0f2d9d0ded2d7f9bff8aed6aefd6b3fdd1a499
SHA256: e288c02cbba393c9703519e660bf8709331f11978c6d994ea2a1346eef462cb8
SHA512: c287e3ae580343c43a5354347ca5444f54840fba127a2b1edc897b1dfea286fa37b5808f6e89f535c4022db8b3f29448aa4cc2f41ab0f308eec525a99fac4e5e

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize: 10KB
MD5: b66799d715b113faf28da5aaba5528ef
SHA1: 1b20576808d17c24f7abf2c49a7facfbc1480da4
SHA256: bb7ed85e7a1833e5a31d62882937ee6b094f2421b9d1c8d9b6e64b9845b29868
SHA512: 93d4708a2f4bb3ca7b5bcb0f3dc13eb5e93bfa5e485845822d67770e4c0217797f330ab9395598b1d7452cc8191e4d3848a1b268a6cd1b7a5001266ce53794d6

Filesize: 1KB
MD5: d6bd210f227442b3362493d046cea233
SHA1: ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256: 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512: 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Filesize: 118KB
MD5: 4d20a950a3571d11236482754b4a8e76
SHA1: e68bd784ac143e206d52ecaf54a7e3b8d4d75c9c
SHA256: a9295ad4e909f979e2b6cb2b2495c3d35c8517e689cd64a918c690e17b49078b
SHA512: 8b9243d1f9edbcbd6bdaf6874dc69c806bb29e909bd733781fde8ac80ca3fff574d786ca903871d1e856e73fd58403bebb58c9f23083ea7cd749ba3e890af3d2

Filesize: 2B
MD5: f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\AlternateServices.bin
Filesize: 6KB
MD5: 3c010d889e58988927c333d23e647145
SHA1: f731280452b40b1fb708a2ab5c90018028fd1f3f
SHA256: 82dcb85b9468be27d61796a1ac52e913293cce64bb685569d32e78a995615ade
SHA512: b17df1792f21bd01b67b0a234da9ed5b6b2b7fdcbad104f8ee081594090efef4202b9b64b09c395f3ea9c72dcf438c79553d4cbda656d6db47dc05d404fd1e10

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: 38600522790d1bb7e0e1246e153ad5fb
SHA1: 6d0ff7699abcd220ddd417c9b9391d483db4e9a1
SHA256: c2267fd1ed61433384cf79e512fd5c9ef89b2484534aee9ec4fb11b3f142cfe1
SHA512: 7e87680593952562ff8a5ba39f7922ffd8023c38c64ffc2154cb369efbd3e2bd36db1026ca28a352385c0a879b9f8b770435da455f1ddf4e54349896dc0c63d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: 93dda9ac4818c44257459dcd83bbbdcc
SHA1: d22d9858021b552d572f6686f230ec9a4ad0e6d8
SHA256: 78557fb63f7c4b11694a2618ff1e8a2611834aa9aea3719bd054c3e4e093a066
SHA512: 4d212291ecd7ed6d13c2e511ff28d6af15827fc401e624d8d733ccc6ccc29888cab988d496e383596b0a5e52f1f453abcd16e03bc554610a3e68e9c3af1b469a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 6KB
MD5: 0cd3632e5e6c1050d2e452bb8de7729a
SHA1: 290bb87425c98eba1b2f766aacc19aa0607fee4c
SHA256: ad010d8eff87871d11acc9afa47e233e6cedd53d34ce2b9ece804c30ed16ca9f
SHA512: afccac94163458989415399865f0743bf5462a191523580be8b6ae69300c3e8a8686ff683b65e1c125b1dd8d91c14b63b819dd46efd205ed83d2badc54813f0d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\pending_pings\432bf5ff-d31f-4fd0-af73-a30986b52000
Filesize: 982B
MD5: 08cbd23d9a31f33454bed642136ac8cf
SHA1: f8085d1c0b9387a6efa7c216b97c6cb1472055e4
SHA256: 72d574f584ec7f7749822281472ce33cb2093fcdb7a1211f2a8c675907b9d502
SHA512: 72b8fc91c7108bd0316b44396a7c86a04926d067dc16570fffaae3c732aebaeead5b0dd887fe86550473fdedc2d7f6f562b1673b1ed3902ad9e7893e7bc45d3a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\pending_pings\c1a86137-bd57-452e-9131-5714de268c4b
Filesize: 25KB
MD5: 04bb8c275ff61947837f584c04422e87
SHA1: d96d6d89c53d81cc4d4eaf2e05a5009a7a61edf5
SHA256: 6d1cb3639a3d13e608efb2975440ddbeb7c5a35cd7f673f7ac98006f2c00b906
SHA512: f209018a75cdddcd903cc73f566b2630b122941f1a402a0c55d6a7df400bb9ee0cb00542796ae4a9f281eb3d05c3ced5d1fc5ead1d1584e75b6d588120b0ef8f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\pending_pings\de1269a5-3dd4-4539-b349-fbc6b172629a
Filesize: 671B
MD5: bd5d9c5336dd832818b86ee261bc1e7e
SHA1: 0fb4dd8f112ed9f1c1e0f5568b2c7db4c602368d
SHA256: 2871c10c2a1d6bc0a9a22681d3bb3ddd064ffade380840141cbf8763718b24f2
SHA512: 054a64c75aa20fb1a1c7023426d31b2f85ff245ee84883aeb0f743eb050de6d84c940a0743f7e23dcadba1d13f31c4c2d785415f9b37b55bc8c5cd50338b542b

Filesize: 9KB
MD5: baa959c5a702bd36d39f3374e25db736
SHA1: e9b029910a6b0f63dc06f45db184b07720fe9470
SHA256: f8d3a82329c38901aa92928e7131941696d0f08c8d81d3235456c00f4b6c6497
SHA512: 31e45b4bf466304ef1a7cda485cf084e15bcae77039f61c8bdbb530962da4f2023a443f305458c70c769be2df77c19cf84e932a5f9366355904bfbe28dd327ca

Filesize: 26B
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1: d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512: aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Filesize: 13.5MB
MD5: 660708319a500f1865fa9d2fadfa712d
SHA1: b2ae3aef17095ab26410e0f1792a379a4a2966f8
SHA256: 542c2e1064be8cd8393602f63b793e9d34eb81b1090a3c80623777f17fa25c6c
SHA512: 18f10a71dc0af70494554b400bdf09d43e1cb7e93f9c1e7470ee4c76cd46cb4fbf990354bbbd3b89c9b9bda38ad44868e1087fd75a7692ad889b14e7e1a20517

Filesize: 666B
MD5: e49f0a8effa6380b4518a8064f6d240b
SHA1: ba62ffe370e186b7f980922067ac68613521bd51
SHA256: 8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13
SHA512: de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4