76e7d47eb1ab002d0536d9c2e073eb9286c9ce78aff2d9ac042e7c01916a2712

Analysis

max time kernel
900s
max time network
887s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
19/01/2025, 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup/Setup.exe
Size

37KB
MD5

e3383ba53ecebb2ecb7063fcccff17dc
SHA1

cd1384e86f194f95c8939418d30c80c56c412645
SHA256

07eaa040d73e39f53851533c8c09d92cd3228d099236e3995b19b4c8a1c15ada
SHA512

563f952147c529230824ae6feaababb3ccbe7eca324d71892d2d4f68ffc0eb6eaf1edce29662c63563cd1f7c6de6e4468b35e2b96a7eb43c93aa7367c2877d34
SSDEEP

384:LpRWUiDZblmJEpRGyEff1PNN0CYSmkhrAF+rMRTyN/0L+EcoinblneHQM3epzXPL:9R6HpR9Eff1P0Clm8rM+rMRa8NuxZt

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4612	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0cf848bcebf5d082d484e0ffe1e8f23e.exe	WindowsServer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0cf848bcebf5d082d484e0ffe1e8f23e.exe	WindowsServer.exe

Executes dropped EXE 1 IoCs

pid	Process
3404	WindowsServer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\0cf848bcebf5d082d484e0ffe1e8f23e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WindowsServer.exe\" .."	WindowsServer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0cf848bcebf5d082d484e0ffe1e8f23e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WindowsServer.exe\" .."	WindowsServer.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\m:	SearchIndexer.exe
File opened (read-only)	\??\Q:	SearchIndexer.exe
File opened (read-only)	\??\W:	SearchIndexer.exe
File opened (read-only)	\??\D:	SearchIndexer.exe
File opened (read-only)	\??\l:	SearchIndexer.exe
File opened (read-only)	\??\L:	SearchIndexer.exe
File opened (read-only)	\??\q:	SearchIndexer.exe
File opened (read-only)	\??\v:	SearchIndexer.exe
File opened (read-only)	\??\B:	SearchIndexer.exe
File opened (read-only)	\??\h:	SearchIndexer.exe
File opened (read-only)	\??\N:	SearchIndexer.exe
File opened (read-only)	\??\T:	SearchIndexer.exe
File opened (read-only)	\??\w:	SearchIndexer.exe
File opened (read-only)	\??\a:	SearchIndexer.exe
File opened (read-only)	\??\E:	SearchIndexer.exe
File opened (read-only)	\??\K:	SearchIndexer.exe
File opened (read-only)	\??\S:	SearchIndexer.exe
File opened (read-only)	\??\u:	SearchIndexer.exe
File opened (read-only)	\??\A:	SearchIndexer.exe
File opened (read-only)	\??\i:	SearchIndexer.exe
File opened (read-only)	\??\k:	SearchIndexer.exe
File opened (read-only)	\??\M:	SearchIndexer.exe
File opened (read-only)	\??\o:	SearchIndexer.exe
File opened (read-only)	\??\p:	SearchIndexer.exe
File opened (read-only)	\??\r:	SearchIndexer.exe
File opened (read-only)	\??\s:	SearchIndexer.exe
File opened (read-only)	\??\g:	SearchIndexer.exe
File opened (read-only)	\??\G:	SearchIndexer.exe
File opened (read-only)	\??\j:	SearchIndexer.exe
File opened (read-only)	\??\U:	SearchIndexer.exe
File opened (read-only)	\??\Y:	SearchIndexer.exe
File opened (read-only)	\??\z:	SearchIndexer.exe
File opened (read-only)	\??\t:	SearchIndexer.exe
File opened (read-only)	\??\V:	SearchIndexer.exe
File opened (read-only)	\??\y:	SearchIndexer.exe
File opened (read-only)	\??\e:	SearchIndexer.exe
File opened (read-only)	\??\J:	SearchIndexer.exe
File opened (read-only)	\??\P:	SearchIndexer.exe
File opened (read-only)	\??\R:	SearchIndexer.exe
File opened (read-only)	\??\x:	SearchIndexer.exe
File opened (read-only)	\??\X:	SearchIndexer.exe
File opened (read-only)	\??\b:	SearchIndexer.exe
File opened (read-only)	\??\F:	SearchIndexer.exe
File opened (read-only)	\??\H:	SearchIndexer.exe
File opened (read-only)	\??\Z:	SearchIndexer.exe
File opened (read-only)	\??\I:	SearchIndexer.exe
File opened (read-only)	\??\n:	SearchIndexer.exe
File opened (read-only)	\??\O:	SearchIndexer.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsServer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wdp	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2V\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AAC\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2TS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aaa9a13ab56adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000003bd5a3cb56adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000121fb73ab56adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MTS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092829a3ab56adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a689ff39b56adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000068b54f3bb56adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2V	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e2df183bb56adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
4400	chrome.exe
4400	chrome.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe
3404	WindowsServer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3404	WindowsServer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3404	WindowsServer.exe
Token: 33	3404	WindowsServer.exe
Token: SeIncBasePriorityPrivilege	3404	WindowsServer.exe
Token: 33	3404	WindowsServer.exe
Token: SeIncBasePriorityPrivilege	3404	WindowsServer.exe
Token: 33	4988	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4988	SearchIndexer.exe
Token: 33	3404	WindowsServer.exe
Token: SeIncBasePriorityPrivilege	3404	WindowsServer.exe
Token: 33	3404	WindowsServer.exe
Token: SeIncBasePriorityPrivilege	3404	WindowsServer.exe
Token: 33	3404	WindowsServer.exe
Token: SeIncBasePriorityPrivilege	3404	WindowsServer.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: 33	3404	WindowsServer.exe
Token: SeIncBasePriorityPrivilege	3404	WindowsServer.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: 33	3404	WindowsServer.exe
Token: SeIncBasePriorityPrivilege	3404	WindowsServer.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: 33	3404	WindowsServer.exe
Token: SeIncBasePriorityPrivilege	3404	WindowsServer.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4832	firefox.exe
4832	firefox.exe
4832	firefox.exe
4832	firefox.exe
4832	firefox.exe
4832	firefox.exe
4832	firefox.exe
4832	firefox.exe
4832	firefox.exe
4832	firefox.exe
4832	firefox.exe
4832	firefox.exe
4832	firefox.exe
4832	firefox.exe
4832	firefox.exe
4832	firefox.exe
4832	firefox.exe
4832	firefox.exe
4832	firefox.exe
4832	firefox.exe
4832	firefox.exe
4400	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4832	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 3404	4672	Setup.exe	78
PID 4672 wrote to memory of 3404	4672	Setup.exe	78
PID 4672 wrote to memory of 3404	4672	Setup.exe	78
PID 3404 wrote to memory of 4612	3404	WindowsServer.exe	80
PID 3404 wrote to memory of 4612	3404	WindowsServer.exe	80
PID 3404 wrote to memory of 4612	3404	WindowsServer.exe	80
PID 4988 wrote to memory of 2424	4988	SearchIndexer.exe	86
PID 4988 wrote to memory of 2424	4988	SearchIndexer.exe	86
PID 4988 wrote to memory of 1532	4988	SearchIndexer.exe	87
PID 4988 wrote to memory of 1532	4988	SearchIndexer.exe	87
PID 4988 wrote to memory of 2400	4988	SearchIndexer.exe	88
PID 4988 wrote to memory of 2400	4988	SearchIndexer.exe	88
PID 4400 wrote to memory of 1792	4400	chrome.exe	92
PID 4400 wrote to memory of 1792	4400	chrome.exe	92
PID 4400 wrote to memory of 3080	4400	chrome.exe	93
PID 4400 wrote to memory of 3080	4400	chrome.exe	93
PID 4400 wrote to memory of 3080	4400	chrome.exe	93
PID 4400 wrote to memory of 3080	4400	chrome.exe	93
PID 4400 wrote to memory of 3080	4400	chrome.exe	93
PID 4400 wrote to memory of 3080	4400	chrome.exe	93
PID 4400 wrote to memory of 3080	4400	chrome.exe	93
PID 4400 wrote to memory of 3080	4400	chrome.exe	93
PID 4400 wrote to memory of 3080	4400	chrome.exe	93
PID 4400 wrote to memory of 3080	4400	chrome.exe	93
PID 4400 wrote to memory of 3080	4400	chrome.exe	93
PID 4400 wrote to memory of 3080	4400	chrome.exe	93
PID 4400 wrote to memory of 3080	4400	chrome.exe	93
PID 4400 wrote to memory of 3080	4400	chrome.exe	93
PID 4400 wrote to memory of 3080	4400	chrome.exe	93
PID 4400 wrote to memory of 3080	4400	chrome.exe	93
PID 4400 wrote to memory of 3080	4400	chrome.exe	93
PID 4400 wrote to memory of 3080	4400	chrome.exe	93
PID 4400 wrote to memory of 3080	4400	chrome.exe	93
PID 4400 wrote to memory of 3080	4400	chrome.exe	93
PID 4400 wrote to memory of 3080	4400	chrome.exe	93
PID 4400 wrote to memory of 3080	4400	chrome.exe	93
PID 4400 wrote to memory of 3080	4400	chrome.exe	93
PID 4400 wrote to memory of 3080	4400	chrome.exe	93
PID 4400 wrote to memory of 3080	4400	chrome.exe	93
PID 4400 wrote to memory of 3080	4400	chrome.exe	93
PID 4400 wrote to memory of 3080	4400	chrome.exe	93
PID 4400 wrote to memory of 3080	4400	chrome.exe	93
PID 4400 wrote to memory of 3080	4400	chrome.exe	93
PID 4400 wrote to memory of 3080	4400	chrome.exe	93
PID 4400 wrote to memory of 1944	4400	chrome.exe	94
PID 4400 wrote to memory of 1944	4400	chrome.exe	94
PID 4400 wrote to memory of 756	4400	chrome.exe	95
PID 4400 wrote to memory of 756	4400	chrome.exe	95
PID 4400 wrote to memory of 756	4400	chrome.exe	95
PID 4400 wrote to memory of 756	4400	chrome.exe	95
PID 4400 wrote to memory of 756	4400	chrome.exe	95
PID 4400 wrote to memory of 756	4400	chrome.exe	95
PID 4400 wrote to memory of 756	4400	chrome.exe	95
PID 4400 wrote to memory of 756	4400	chrome.exe	95
PID 4400 wrote to memory of 756	4400	chrome.exe	95
PID 4400 wrote to memory of 756	4400	chrome.exe	95
PID 4400 wrote to memory of 756	4400	chrome.exe	95
PID 4400 wrote to memory of 756	4400	chrome.exe	95
PID 4400 wrote to memory of 756	4400	chrome.exe	95
PID 4400 wrote to memory of 756	4400	chrome.exe	95
PID 4400 wrote to memory of 756	4400	chrome.exe	95
PID 4400 wrote to memory of 756	4400	chrome.exe	95
PID 4400 wrote to memory of 756	4400	chrome.exe	95
PID 4400 wrote to memory of 756	4400	chrome.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Setup\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup\Setup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Users\Admin\AppData\Local\Temp\WindowsServer.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsServer.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3404
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\WindowsServer.exe" "WindowsServer.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4612

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:616

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\System32\SearchProtocolHost.exe
  "C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2424
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 828 2728 2748 812 {0E5DCEC5-7795-4E38-9621-94DFD9F9A421}
  2⤵
  - Modifies data under HKEY_USERS
  PID:1532
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 828 2752 2756 812 {85EE815A-7738-4808-A14A-3AD87E32A3BF}
  2⤵
  PID:2400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffc6a7cc40,0x7fffc6a7cc4c,0x7fffc6a7cc58
  2⤵
  PID:1792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1756,i,6864997810584568277,13117808228938640929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1748 /prefetch:2
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2096,i,6864997810584568277,13117808228938640929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,6864997810584568277,13117808228938640929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2200 /prefetch:8
  2⤵
  PID:756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,6864997810584568277,13117808228938640929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,6864997810584568277,13117808228938640929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:1916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4448,i,6864997810584568277,13117808228938640929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4296 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4764,i,6864997810584568277,13117808228938640929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4732 /prefetch:8
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4776,i,6864997810584568277,13117808228938640929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4752 /prefetch:8
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5088,i,6864997810584568277,13117808228938640929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  PID:1188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5092,i,6864997810584568277,13117808228938640929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4780,i,6864997810584568277,13117808228938640929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5056,i,6864997810584568277,13117808228938640929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5176,i,6864997810584568277,13117808228938640929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5136 /prefetch:2
  2⤵
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5036,i,6864997810584568277,13117808228938640929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4944,i,6864997810584568277,13117808228938640929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4836,i,6864997810584568277,13117808228938640929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:3448

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2804

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:852
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {887c89ec-6c0b-439c-b95e-8753b5b59d82} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" gpu
    3⤵
    PID:4944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2348 -parentBuildID 20240401114208 -prefsHandle 2324 -prefMapHandle 2320 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f90ed261-b3f8-4834-a078-4830b8b27cb3} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" socket
    3⤵
    - Checks processor information in registry
    PID:4716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2924 -childID 1 -isForBrowser -prefsHandle 1364 -prefMapHandle 2932 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {419ff6e7-cb73-4354-b494-0cc4224dc1bf} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" tab
    3⤵
    PID:3200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3736 -childID 2 -isForBrowser -prefsHandle 2908 -prefMapHandle 2688 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3a962a7-97a6-4e60-a506-de01bfb94107} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" tab
    3⤵
    PID:2072
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4524 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4516 -prefMapHandle 4468 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c49a4189-98a6-429a-a2d0-4db21bf3d47d} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" utility
    3⤵
    - Checks processor information in registry
    PID:5140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5496 -childID 3 -isForBrowser -prefsHandle 5524 -prefMapHandle 5520 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd4d027f-7b0e-453f-b178-452271578e34} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" tab
    3⤵
    PID:540
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5392 -childID 4 -isForBrowser -prefsHandle 5536 -prefMapHandle 5532 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d959bd4f-4445-4eb7-9d18-dbae3b38257a} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" tab
    3⤵
    PID:792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5312 -childID 5 -isForBrowser -prefsHandle 5664 -prefMapHandle 5392 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26b71f04-9c39-4576-a57f-eef0ae6f008e} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" tab
    3⤵
    PID:3136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3700 -childID 6 -isForBrowser -prefsHandle 3116 -prefMapHandle 2944 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1ec0a7d-b6cc-4d09-b90c-0051c2434133} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" tab
    3⤵
    PID:4324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
aa12e2249b2714a1984db3a2b3e00e93

SHA1
6ba37e114586f12cce27953a588b070d65d8bba4

SHA256
74a24105811e125d563c223c32de9bf663c90d7933a6b1e816b6871de5b5107f

SHA512
56731ef90257118b8af81f2d08cb22ba3e29aa41aecc36059f27abc76245ce02ba94f049d06d65fccadf5fc1b05a2cdee1a768b1632c4d57c2a7f31dd80d18bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
d474ec7f8d58a66420b6daa0893a4874

SHA1
4314642571493ba983748556d0e76ec6704da211

SHA256
553a19b6f44f125d9594c02231e4217e9d74d92b7065dc996d92f1e53f6bcb69

SHA512
344062d1be40db095abb7392b047b16f33ea3043158690cf66a2fa554aa2db79c4aa68de1308f1eddf6b9140b9ac5de70aad960b4e8e8b91f105213c4aace348

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
42d546175df90d2de3fcea23a8aa4ebc

SHA1
d2dbaf341caae69c44659b673ab1663409f720fe

SHA256
d50179362050acb9e5f1a830ad05062ee75cdbd9c3d5977c28472c03bd3f78e6

SHA512
aabe09cddf12614673f0647e799075c775abb588a568f13a681d0e855e6fbf7e0751c7f9150e89d8c970398d863d014b6f4fba7a69b017edbe2162e29c71287c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
b5730857c8dd229c133c0d9723ef24b9

SHA1
e2898314fe468aa088fe32d4a61568603865c6ea

SHA256
e7530cf9bad3f09af015d96a9816472690bfa19773944af128b0c7d0fcec3cda

SHA512
7ab0ee5de6d4d77e5e95bb634d5cb3fdc3225a1661d09168ccd8820922d887dad7009ae919646ecdd37b85ba731c7016fa49da4d2132eddf51e1d84621be0b2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
e91ac1e15d98869f08daa6bcb557a5aa

SHA1
a2d0f527650948f9f14c86ccbcc8027e4ba773d6

SHA256
b37930f73849c3eb2e4cd7f6a03a1d72852cdd6e5667b40706da0d30cf6575fa

SHA512
99369b7ae5ca656c621774dfebcb9dafefc782a7c2604d8c8e7ebb8d7b45a31f1bf827ccbd083d867cac13945fb0f16a7877f66993bbbb6a555d7b786b7ad39e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
ed921aa522b02d9eb4540a4718b826c1

SHA1
3c3770b2cd64cc72248505e0ab894a36b1c0ee8c

SHA256
ec6554aeebabf9961b94308f73dc93d9efcac8a901a4faaecba79c7be7abb902

SHA512
458351cbdf56f58231b619d553e96215238bf4f46b13a1ad052eed40de1e0706a0a371b59118cee0e7d6899f47eac725a62628be30a28941deaac328db5151bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7989164d256fd083a48b2d3bc6f8c957

SHA1
7f0d0496ce0148db809e6f8beb4bd27d85564953

SHA256
7c2ce738f42bdc3adab76cefd6525a9d172b6dc762d978cda66aaa17d7c694cf

SHA512
7dd8287d4990bf62dbbb148cc3c2613d907c1be088bbccdb2a1ba3a7fba65df94974b175fb8431ec3f5ba8e1c09267e2812f164809c5cb25f416002b538954ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
2e908202e8df2f7b0650aff58ba29be8

SHA1
0ce02e198d875488a4559e6365fad50075baa960

SHA256
45a60596b48ce1fbdc2b352febdaa37a53039f7098d041a07706d8366a159aab

SHA512
7b3aaa7a7cd3ce0de0d8f740fd17b5a9d06f86a4aa8d9883fe8fb0c5c0ef6f643c6ebb36d8ab899ef9b0e6a2483bf7a5ef647e0a8d83334fe11ab3cfeecf2f0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
af0ed18f6b3bfd964c6ff08f6bd91c0d

SHA1
ed4156ce3b17b0d10e3cd2a6c5756867a2e59e22

SHA256
678687a5ee659781f7e4f8a1e1c168b0593230257e3f2288364540ea159993a4

SHA512
8902a85d3cb1586112362891079739b1fe572722023b8c7acb617d5581bcc519ed45572424c4db6eddff75c735e22e6dfbc2d6cec01fc3bb0c06ac0ff54c7195

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
155abccd6dfb73c8bfcb33fe20d31bc5

SHA1
acfca70b5da3edf107c676b6480b24339d95eb83

SHA256
e4198d6de06fb90b28eec7d495f52a0a6512973e847c7843bf5e8ac254ac4edf

SHA512
db0716304de8ca6f748e0285988a39aed40856b9ad6ec208ec26abd1d4a9e571d52cad3346d76924b42459e7f702ddd963e45387e3fb2048fc82c98033bc9504

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0249a2a2c2fc597c81d523e2479c78b2

SHA1
70b7c6de310c739c9f9d68371db9a4a575dacd0f

SHA256
c1613758f8ce46d96b4b79ae214ecea33f9354552199044f59b5058b7de2aeee

SHA512
345c425638674b5a079cf56c95bb2a2abb54ec364159ad48a63cb7611faa227563ecae949ad4e19a558231639f5cffc19d19b4892f9c6805ebdf66f72b978b70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
28cb33d2f9ba8186f7bd71421954a296

SHA1
748b891eeb49884fa1400ad836415d9f64a7dc39

SHA256
f1be92c0842a39cf56fde92ba98fe03d824373e05e5a7bdf137b9b1f0bafc2a3

SHA512
9c6702ed101bfb790d90f4e3667074c26f593d52c49d799343f60f2d189a3c068f55cb520cedcfaaf47e92d36da0c9be9ab7f922e5be1f569898f9949cb599c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
23df3fca0535d6a36d53953aec0faa0e

SHA1
52e4bc87693374b8431ad0fb3a43abb247d7ab87

SHA256
49e913ff548a3f9af405086895b2ea38b7a65c45ef7b5d295b25a6fe5c72067c

SHA512
1b3f6c352576c49f525f13e19f0a65cb57fba892bc81b0d7caaf4afb41c6dfddd0b865f85e4b8d6a5e9b8e946435b3db86c275182abd296f5a7f48472cda6cf8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2d379dd2e272c843348934b5dccdfee8

SHA1
5f7c48e0cc9fb238f93f37642edd55229b406340

SHA256
b56c08ba474c05727d43acabdb4e9b37c53758e7aa74b8393df5121cd14f98bf

SHA512
28deea4f1a0ed01e5a2bd381a24a8916ce4ccc5e20de30bf9dbe8c13660e03eb254bf1f6b600c275e340d8263b0f100c2ded79de83edf420b8c9f97feff33077

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
20cf580fa0c9ee5d69515fe3c8c9b169

SHA1
a6a5774a8e8187f69dec2b0073292faefd504616

SHA256
9a1a0876dd8867ea4562baaca1ae1e6d45955e159ea35312018bd8c84414e4cb

SHA512
76119b3fd97f037cc98930e3f3fbd4a74c6d7a36b41914c5838b2a74528f6f87074c623967d87e09506bdfd1dd93b049a45d10d9f56528442dd6cb730654aced

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6e056cdce64d2fbc4b6e188cbf99230b

SHA1
71e9668543fd97d2e10a938785eb35ee11001ede

SHA256
c1101f9932eee9c8b8837220b5ebd4a8d9bf552dcd4ec14ad193b4f3f2d5bc74

SHA512
9fe1cb25851f2e0a2a670ca209da2f44d7f8f441dccb4dd736eb71788ed3063fe97e8b7e910aa2c0a467e10f89130848ceb243513fc2d3823be0a0ac5c1be32a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
36fd6df3822d247919d84a064b148952

SHA1
17acb1a727b7a437fb0c7f968d645e006adca8fa

SHA256
bf13b087235a76141318d1dc3a50999e60a9bbb85b3feebf67b20147952028bb

SHA512
02cccfbb1f9ccee81559afe4e5f9c9932d3ea72993c06d9b6a0071ccec9235963f2424942db00e42cb2ed78677cc7fd05ff90e50cc58330a34bdcdbe8ff3d358

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
ebdd1f74a4c3830b6719b3188a5cf43c

SHA1
a751507e89262d85ca00bd2cd680d8597b27ce4c

SHA256
b4f785637186201ca9545e27ef1665d45d0d40bd9ef97b0db773a35cd96dcda8

SHA512
ab81f62ec268f288f5e08c20a6043e4feee562513ce8719279084c79bbdbf9f914ae57988664ec30ceca37db6684afde5cf154ff3674a7c79d3fa4dc44297c85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
de4490a2da312b2650e915a96153e54e

SHA1
f3da9d541a15c96ce3cd03d5416f35bef1dd173e

SHA256
40698185c07bd40837de165b1d93107e6390a40ad8c503b71e9d798781f8cf96

SHA512
0205033cc59e18f043510feede9a9f8efa11205e4cd44d787cd205d773cba79b5001ed56c2fc9c0b442ef416c7b52113a97d695cfd499428f863b98d9953d1a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
6c16907817d2039c4b862ffc247ca0ec

SHA1
ab735f21f72bef096370d298d2976e15442cddb6

SHA256
53e27422315364ed902bb379fe2a1d292cfc828c5ca34f51dee2cc6520ef6aa6

SHA512
4db486cdf00a22394638e2abccd968682752f2f1b835f3795e630b34c916a5a799bd1860f4abc82ac58588b078e4ca41d999b091154ffb28c785d24aab163b94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
f88f4ca923d402e00b7c441db1981a71

SHA1
238c313e2bc7549975f0b70c1d6cdf1ae1db6655

SHA256
27b22a52a5ea738e37255603d4ced99eec21a5d478eefaf2cd386c3950babdc2

SHA512
a748b284d1243ded062e03996dae204f1926302b7c434ff2105fc6e31d02316c545dc633bf2468bf17c672b95e6cd87e851903bc2945543e20f58eaca3c271b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
b5d533f9bde3b9aa25522f9bdf0cb45f

SHA1
c2dd259f987f5545b50a61d895d76da4970d69ad

SHA256
c0a4626f3ae174acf939840690217da880865f01d77481e256e1eda45321a05b

SHA512
5f74bfcd9a7180e95649c02856ad511062608266f94ee393f949733683b160b58bae9d88cbe8331f1a8c96090a51195542a7b3fd30682a555d28becdfb23adca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
f56651daeac190b28af43d02077f7d63

SHA1
9f610b8074ac1a0bbcb6beb00b152c028dc575f7

SHA256
c5f1454027316524279482b0bfae0650d6aa8eff79e17aca9270c66405d6ebdd

SHA512
d313f9ad2d2473d41215e9f854057fda4b9eaec74d2cb27e074b155ac87e6345d1928e8209ee4f6eff42001ba3971816ea45378e4b0e4d2ac4e5c6178dfa32fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
0916ce070be0aac476b389902b3bb6ab

SHA1
e22131552cb8c4ae35a9cebc00b7ad28b306eb5c

SHA256
e40753925e68176393a48477990421781a90709222c2a6009ff36a00697978ea

SHA512
864ca8c5d3545afcbfaefe661b29154ca087a1838ad7b7c9868d20f613cc15668a52bd27b13142e0c8e8089b9801db8b7d9593e4ee6dc4e8711d6d7e8fc53612

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\activity-stream.discovery_stream.json

Filesize
22KB

MD5
08b57390aeb780403ce02129ee1466c5

SHA1
e222729f77913780aee1ddb97308049ffadfedf6

SHA256
ba73b13f1719afe6eecd275753f513ceb23cdfe28591efbe5c02bff82116c64c

SHA512
50b70feb087bf310cb09cc05fe22e4ca3d89991c2e7fe3fbe3753fb191118d7bc1ad0e21d916ddd6805b739a3174fa51ef3bd150d34d5f3bace6e6dafc8869ce

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\D4EC0829EF8CF1FD2BA96B1F1B48F6B34A327726

Filesize
49KB

MD5
85e75b55cd2fde9f738fb53e548f26a8

SHA1
eeb10aedbf9d06bc40ad6afa8ffb0b0cb403beb0

SHA256
1528de562300cdec7c23b14b7b090a7ebd40d370203771ae7778e6fc0a15ba42

SHA512
f3bcff9c362d8c58f5585cc6bd13b7466b4c19b4ef30dae4a872f92341ac4e0b05fc8a5461e0a5ac0802acea1e314813a58241db2af633ab09b1b414ef856c46

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsServer.exe

Filesize
37KB

MD5
e3383ba53ecebb2ecb7063fcccff17dc

SHA1
cd1384e86f194f95c8939418d30c80c56c412645

SHA256
07eaa040d73e39f53851533c8c09d92cd3228d099236e3995b19b4c8a1c15ada

SHA512
563f952147c529230824ae6feaababb3ccbe7eca324d71892d2d4f68ffc0eb6eaf1edce29662c63563cd1f7c6de6e4468b35e2b96a7eb43c93aa7367c2877d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4400_331081402\95c91a29-8568-4427-ac3d-6f2408e4fbbe.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4400_331081402\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\AlternateServices.bin

Filesize
8KB

MD5
ea87d9587fe4d4404ffab821f5530a18

SHA1
02c108bb44ec429e607c0b1663461c6e4f88da5f

SHA256
a9c739bb9fe51edeebfdfe86898776ab097122bbdc361c18a0b87d1cc0a07a9a

SHA512
a2efaecbcc3e767d0bb7a3bc9a7aa6448996a2331c9b037ce71edf82d2b702cec60d9a0c8edcc715cc5f78fe619a2a606507dced9dcef790b233b8d93a39c5bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
937ff0a63d55832d77b308483f624c5f

SHA1
07149b402fcff35e275b99edb594bb6b630cd21c

SHA256
11683c9d7db5416c1a2eaddd396ce0dc4457261f92645baa1f33716c8a9c0292

SHA512
d011e92dbf87e13d0bd10a6d0446964bd9c06de5633921ea35577f19ef3d592a3ff0e40051391deb10c177f519d9ae8cfcad9f206fb1f4462e136f985509f9ad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\db\data.safe.tmp

Filesize
13KB

MD5
f8aea2ea10e4a73a6055019093b07673

SHA1
3b27e47e0dc5254bdae9119c0e5ba8d4be748161

SHA256
b8846b2a900a8da8e968d17207fbc9e574ab706a27b0e5e6271070440307ea07

SHA512
c2dc1cfb790bd4277d206e8085e9d7086ca521894f8ef9b9c3c26377accc25164b118f187b6e995f12cf65051ad7ac58c1563cbdcdbca9a9624a73f38c52cf55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\db\data.safe.tmp

Filesize
13KB

MD5
2dac354c7f49ace02a0f7f9dccb65a37

SHA1
e55a45c00c2a1df9c4be1f9c637af1810d38384b

SHA256
13d2fbfe63c1dd29b1ed1ec6dccbad0e9229e0994fc78c51ec5bcd64e4f8f221

SHA512
7bd33e6adce298ff2a25e8e52fb74fa0e45046e1d72e0ea835915ffb5c1bd344b061e21f74dce94546038fb3dcf3521a70cc5135794dcf6ced581a7d8893b90a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\pending_pings\222199ca-bb45-4f93-9361-42058bfb7013

Filesize
24KB

MD5
604a13ab6d2b62e51929f7f7f72362cd

SHA1
f04514d124254d4427ff912a739120b79278e672

SHA256
a06d7057d709939bb67bdeccaeb06cf7df31fa378f62c464de10fb59520ae6dc

SHA512
e4db5b41e3e78f0a250ae2160570636b7f09103bb1db9aa511f5e723a40bcbd8de0138c9c327806b92a4ef872ace3cbf137949dcab04078c485d6f7a9cf18c2d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\pending_pings\7ca16bac-b0b9-417f-872a-8a80ca11043a

Filesize
671B

MD5
04bcf1db74aa77bc5fadd0b01522b20e

SHA1
c50d9f1996a8b0869a9cc69592bde49adc10197b

SHA256
90ebf78d075fedea80ab5fd139b64a29c32553a6c0ff062703f7c7128c790a73

SHA512
a656cbe5b7021bc2a58e9b40892c2941c877cae423bdad7d4d469c9e303fe91a5994c461c49e13ce6af9a311b334ab87560aa5047e9c3386780b3e7817f2b3b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\pending_pings\b7328b68-eae4-4f49-823a-62a2ffce366c

Filesize
982B

MD5
44270f5b821b0b40d353c570041cecc2

SHA1
d83fee5df7ab7664abe0f9de35f070c1d7b39790

SHA256
139087fc78e9261bb263090b5d5fe92959e10aad54141e1cefb15233019a02d4

SHA512
3c2d334f1f96d32f7aed93c496756e6bbc9803536980147fba57c29e1393982dad72c3c5f42093bc8249bc04ef4b8f4cdcddafd9eb3d51182a9592979057e259

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\prefs-1.js

Filesize
9KB

MD5
5942e699e02e8c0fb393a39183c6fb52

SHA1
906bf94f13ad30590bda5be0a1431c4d27094d0d

SHA256
3954e36fe07bf262aaee431b18a1265442d288ad72ad13914c32d570b9752696

SHA512
67a715cf1834c8eddcdc2febc5213dd7991d9fee704e2d384f4a2fb23d27722930bce00a0566fb3f1e66c88ae3c5f43b92250e96333dda98c1ef2469b3cfbe01

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\prefs.js

Filesize
10KB

MD5
239bd4c606e639ae61c07ac4628296cd

SHA1
1a5c3c200a15362506a4a3aa4a39db69f7621091

SHA256
de288404a47a99d7a535f2abfee60927193c1c7714e285bd91bfa6dd859ca173

SHA512
513b82e82a47852161ad6c7ff5e080cf0088fa1f3998b4f2d4cb749444fa06f489e61767358d148c49b3669f872cce3f1dbce3f5777f264aa47b4fee38720334

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
384KB

MD5
61ef62ff6209b17916e898157aadfe42

SHA1
e459f87acc8b24e47837021b555fbbef63205536

SHA256
4f363fd779af39bae46aab453b596d0c20bf71f280f371791e6c6ad6b727ba2e

SHA512
1dcc542ebd7efd2531dbac003564fa7c69a372fa33869f66d74038bc7d8826b0866d833d54ef848373a0da5c010ede4888040b172750f3396d57155094778a05

Download Submit
memory/1532-72-0x000001EF1C6D0000-0x000001EF1C6E0000-memory.dmp

Filesize
64KB

Download
memory/1532-71-0x000001EF1C6D0000-0x000001EF1C6E0000-memory.dmp

Filesize
64KB

Download
memory/1532-80-0x000001EF1C6D0000-0x000001EF1C6E0000-memory.dmp

Filesize
64KB

Download
memory/1532-83-0x000001EF1C6D0000-0x000001EF1C6E0000-memory.dmp

Filesize
64KB

Download
memory/1532-84-0x000001EF1C6D0000-0x000001EF1C6E0000-memory.dmp

Filesize
64KB

Download
memory/1532-85-0x000001EF1C6D0000-0x000001EF1C6E0000-memory.dmp

Filesize
64KB

Download
memory/1532-86-0x000001EF1C6D0000-0x000001EF1C6E0000-memory.dmp

Filesize
64KB

Download
memory/1532-87-0x000001EF1C6D0000-0x000001EF1C6E0000-memory.dmp

Filesize
64KB

Download
memory/1532-88-0x000001EF1C6D0000-0x000001EF1C6E0000-memory.dmp

Filesize
64KB

Download
memory/1532-81-0x000001EF1C6D0000-0x000001EF1C6E0000-memory.dmp

Filesize
64KB

Download
memory/1532-79-0x000001EF1C6D0000-0x000001EF1C6E0000-memory.dmp

Filesize
64KB

Download
memory/1532-78-0x000001EF1C6D0000-0x000001EF1C6E0000-memory.dmp

Filesize
64KB

Download
memory/1532-77-0x000001EF1C6D0000-0x000001EF1C6E0000-memory.dmp

Filesize
64KB

Download
memory/1532-76-0x000001EF1C6D0000-0x000001EF1C6E0000-memory.dmp

Filesize
64KB

Download
memory/1532-75-0x000001EF1C6D0000-0x000001EF1C6E0000-memory.dmp

Filesize
64KB

Download
memory/1532-74-0x000001EF1C6D0000-0x000001EF1C6E0000-memory.dmp

Filesize
64KB

Download
memory/1532-64-0x000001EF1C6D0000-0x000001EF1C6E0000-memory.dmp

Filesize
64KB

Download
memory/1532-66-0x000001EF1C6D0000-0x000001EF1C6E0000-memory.dmp

Filesize
64KB

Download
memory/1532-65-0x000001EF1C6D0000-0x000001EF1C6E0000-memory.dmp

Filesize
64KB

Download
memory/1532-67-0x000001EF1C6D0000-0x000001EF1C6E0000-memory.dmp

Filesize
64KB

Download
memory/1532-68-0x000001EF1C6D0000-0x000001EF1C6E0000-memory.dmp

Filesize
64KB

Download
memory/1532-69-0x000001EF1C6D0000-0x000001EF1C6E0000-memory.dmp

Filesize
64KB

Download
memory/1532-70-0x000001EF1C6D0000-0x000001EF1C6E0000-memory.dmp

Filesize
64KB

Download
memory/1532-82-0x000001EF1C6D0000-0x000001EF1C6E0000-memory.dmp

Filesize
64KB

Download
memory/1532-73-0x000001EF1C6D0000-0x000001EF1C6E0000-memory.dmp

Filesize
64KB

Download
memory/1532-58-0x000001EF1C6D0000-0x000001EF1C6E0000-memory.dmp

Filesize
64KB

Download
memory/1532-62-0x000001EF1C6D0000-0x000001EF1C6E0000-memory.dmp

Filesize
64KB

Download
memory/1532-63-0x000001EF1C6D0000-0x000001EF1C6E0000-memory.dmp

Filesize
64KB

Download
memory/1532-61-0x000001EF1C6D0000-0x000001EF1C6E0000-memory.dmp

Filesize
64KB

Download
memory/1532-60-0x000001EF1C6D0000-0x000001EF1C6E0000-memory.dmp

Filesize
64KB

Download
memory/1532-59-0x000001EF1C6D0000-0x000001EF1C6E0000-memory.dmp

Filesize
64KB

Download
memory/3404-15-0x0000000074010000-0x00000000745C1000-memory.dmp

Filesize
5.7MB

Download
memory/3404-13-0x0000000074010000-0x00000000745C1000-memory.dmp

Filesize
5.7MB

Download
memory/3404-18-0x0000000074010000-0x00000000745C1000-memory.dmp

Filesize
5.7MB

Download
memory/3404-19-0x0000000074010000-0x00000000745C1000-memory.dmp

Filesize
5.7MB

Download
memory/3404-21-0x0000000074010000-0x00000000745C1000-memory.dmp

Filesize
5.7MB

Download
memory/3404-20-0x0000000074010000-0x00000000745C1000-memory.dmp

Filesize
5.7MB

Download
memory/3404-17-0x0000000074010000-0x00000000745C1000-memory.dmp

Filesize
5.7MB

Download
memory/4672-0-0x0000000074011000-0x0000000074012000-memory.dmp

Filesize
4KB

Download
memory/4672-14-0x0000000074010000-0x00000000745C1000-memory.dmp

Filesize
5.7MB

Download
memory/4672-3-0x0000000074010000-0x00000000745C1000-memory.dmp

Filesize
5.7MB

Download
memory/4672-2-0x0000000074010000-0x00000000745C1000-memory.dmp

Filesize
5.7MB

Download
memory/4672-1-0x0000000074010000-0x00000000745C1000-memory.dmp

Filesize
5.7MB

Download
memory/4988-54-0x000001D006810000-0x000001D006818000-memory.dmp

Filesize
32KB

Download
memory/4988-22-0x000001D002020000-0x000001D002030000-memory.dmp

Filesize
64KB

Download
memory/4988-39-0x000001D002130000-0x000001D002140000-memory.dmp

Filesize
64KB

Download