Analysis
max time kernel: 1016s
max time network: 656s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20250113-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250113-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 26-01-2025 17:59
Behavioral task: behavioral1
Sample: dControl.exe
Resource: win10ltsc2021-20250113-en
Behavioral task: behavioral2
Sample: out.exe
Resource: win10ltsc2021-20250113-en
General
Target: dControl.exe
Size: 447KB
MD5: 58008524a6473bdf86c1040a9a9e39c3
SHA1: cb704d2e8df80fd3500a5b817966dc262d80ddb8
SHA256: 1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326
SHA512: 8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31
SSDEEP: 6144:Vzv+kSn74iCmfianQGDM3OXTWRDy9GYQDUmJFXIXHrsUBnBTF8JJCYrYNsQJzfgu:Vzcn7EanlQiWtYhmJFSwUBLcQZfgiD
Malware Config
Signatures
Modifies Windows Defender DisableAntiSpyware settings
description / ioc / Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | dControl.exe
Modifies security service 2 TTPs 2 IoCs
description / ioc / Process
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | dControl.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "2" | dControl.exe
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description / pid / Process / procid_target
- PID 4624 created 4744 | 4624 | AM_Engine.exe | 127
Downloads MZ/PE file 4 IoCs
flow / pid / Process
- 76 | 3748 | Process not Found
- 83 | 3748 | Process not Found
- 85 | 3748 | Process not Found
- 91 | 3748 | Process not Found
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs
description / ioc / Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpcmdrun.exe | dControl.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpcmdrun.exe\Debugger = "C:\\Windows\\System32\\systray.exe" | dControl.exe
Executes dropped EXE 1 IoCs
pid / Process
- 420 | MpSigStub.exe
Loads dropped DLL 2 IoCs
pid / Process
- 2768 | MsMpEng.exe
- 2768 | MsMpEng.exe
System Binary Proxy Execution: wuauclt 1 TTPs 1 IoCs
Abuse Wuauclt to proxy execution of malicious code.
pid / Process
- 4744 | wuauclt.exe
Windows security modification 2 TTPs 4 IoCs
description / ioc / Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware = "1" | dControl.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiVirus = "1" | dControl.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection | dControl.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | dControl.exe
Adds Run key to start application 2 TTPs 1 IoCs
description / ioc / Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "\"%ProgramFiles%\\Windows Defender\\MSASCuiL.exe\"" | MsMpEng.exe
Command and Scripting Interpreter: PowerShell
pid / Process
- 8576 | powershell.exe
Modifies Security services 2 TTPs 6 IoCs
Modifies the startup behavior of a security service.
description / ioc / Process
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4" | dControl.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "0" | dControl.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "3" | dControl.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "3" | dControl.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4" | dControl.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4" | dControl.exe
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource / yara_rule
- behavioral1/memory/3796-22-0x0000000000400000-0x00000000004CD000-memory.dmp | autoit_exe
- behavioral1/memory/1016-44-0x0000000000400000-0x00000000004CD000-memory.dmp | autoit_exe
- behavioral1/memory/1720-94-0x0000000000400000-0x00000000004CD000-memory.dmp | autoit_exe
- behavioral1/memory/1720-95-0x0000000000400000-0x00000000004CD000-memory.dmp | autoit_exe
- behavioral1/memory/1720-96-0x0000000000400000-0x00000000004CD000-memory.dmp | autoit_exe
- behavioral1/memory/1720-131-0x0000000000400000-0x00000000004CD000-memory.dmp | autoit_exe
- behavioral1/memory/3760-133-0x0000000000400000-0x00000000004CD000-memory.dmp | autoit_exe
- behavioral1/memory/4932-449-0x0000000000400000-0x00000000004CD000-memory.dmp | autoit_exe
- behavioral1/memory/1720-5425-0x0000000000400000-0x00000000004CD000-memory.dmp | autoit_exe
Drops file in System32 directory 7 IoCs
description / ioc / Process
- File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | dControl.exe
- File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | dControl.exe
- File opened for modification | C:\Windows\system32\MpSigStub.exe | MpSigStub.exe
- File created | C:\Windows\system32\MpSigStub.exe | MpSigStub.exe
- File opened for modification | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | dControl.exe
- File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
- File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
resource / yara_rule
- behavioral1/memory/3796-0-0x0000000000400000-0x00000000004CD000-memory.dmp | upx
- behavioral1/memory/3796-22-0x0000000000400000-0x00000000004CD000-memory.dmp | upx
- behavioral1/memory/1016-44-0x0000000000400000-0x00000000004CD000-memory.dmp | upx
- behavioral1/memory/1720-94-0x0000000000400000-0x00000000004CD000-memory.dmp | upx
- behavioral1/memory/1720-95-0x0000000000400000-0x00000000004CD000-memory.dmp | upx
- behavioral1/memory/1720-96-0x0000000000400000-0x00000000004CD000-memory.dmp | upx
- behavioral1/memory/3760-110-0x0000000000400000-0x00000000004CD000-memory.dmp | upx
- behavioral1/memory/1720-131-0x0000000000400000-0x00000000004CD000-memory.dmp | upx
- behavioral1/memory/3760-133-0x0000000000400000-0x00000000004CD000-memory.dmp | upx
- behavioral1/memory/4932-427-0x0000000000400000-0x00000000004CD000-memory.dmp | upx
- behavioral1/memory/4932-449-0x0000000000400000-0x00000000004CD000-memory.dmp | upx
- behavioral1/memory/1720-5425-0x0000000000400000-0x00000000004CD000-memory.dmp | upx
Drops file in Program Files directory 2 IoCs
description / ioc / Process
- File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\d1617f1b-a6f9-4b0d-bc6f-674bb99c3bc3.tmp | setup.exe
- File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250126180810.pma | setup.exe
Drops file in Windows directory 13 IoCs
description / ioc / Process
- File opened for modification | C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\MpCmdRun.log | MpCmdRun.exe
- File created | C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\MpCmdRun-A9-53C9D589-6B66-4F30-9BAB-9A0193B0BAFC.lock | MpCmdRun.exe
- File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | UserOOBEBroker.exe
- File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | UserOOBEBroker.exe
- File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | UserOOBEBroker.exe
- File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | UserOOBEBroker.exe
- File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | UserOOBEBroker.exe
- File opened for modification | C:\Windows\logs\StorGroupPolicy.log | svchost.exe
- File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | UserOOBEBroker.exe
- File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | UserOOBEBroker.exe
- File opened for modification | C:\Windows\SystemTemp | chrome.exe
- File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | UserOOBEBroker.exe
- File opened for modification | C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\MpCmdRun.log | MpCmdRun.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dControl.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dControl.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FileCoAuth.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FileCoAuth.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FileCoAuth.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FileCoAuth.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dControl.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dControl.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dControl.exe
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
description / ioc / Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | msinfo32.exe
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | msinfo32.exe
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | msinfo32.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | msinfo32.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | msinfo32.exe
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | msinfo32.exe
Checks processor information in registry 2 TTPs 14 IoCs
Processor information is often read in order to detect sandboxing environments.
description / ioc / Process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
Enumerates system info in registry 2 TTPs 9 IoCs
description / ioc / Process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msinfo32.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | msinfo32.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease | msinfo32.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 6 IoCs
description / ioc / Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP\ = "{09A47860-11B0-4DA5-AFA5-26D86198A780}" | MsMpEng.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP\ = "{09A47860-11B0-4DA5-AFA5-26D86198A780}" | MsMpEng.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP\ = "{09A47860-11B0-4DA5-AFA5-26D86198A780}" | MsMpEng.exe
- Key created | \REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings | taskmgr.exe
- Key created | \REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings | firefox.exe
- Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3406519639-3774642266-3926631722-1000\{DB8AAF42-2005-4265-B178-0D4AFF431214} | msedge.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid / Process
- 1720 | dControl.exe
- 6492 | taskmgr.exe
- 7524 | msinfo32.exe
Suspicious behavior: LoadsDriver 2 IoCs
pid / Process
- 672 | Process not Found
- 2768 | MsMpEng.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of SetWindowsHookEx 1 IoCs
pid / Process
- 7284 | firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Each entry gives the image path, the full command line, the behavioural signatures hit by that process, and its PID. The leading number is the depth in the process tree; children are indented under their parent.

1  C:\Users\Admin\AppData\Local\Temp\dControl.exe  (PID 3796)
   cmd: "C:\Users\Admin\AppData\Local\Temp\dControl.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   2  C:\Users\Admin\AppData\Local\Temp\dControl.exe  (PID 1016)
      cmd: C:\Users\Admin\AppData\Local\Temp\dControl.exe
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      3  C:\Users\Admin\AppData\Local\Temp\dControl.exe  (PID 1720)
         cmd: "C:\Users\Admin\AppData\Local\Temp\dControl.exe" /TI
         - Modifies Windows Defender DisableAntiSpyware settings
         - Modifies security service
         - Event Triggered Execution: Image File Execution Options Injection
         - Windows security modification
         - Modifies Security services
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage
         - Suspicious use of WriteProcessMemory
         4  C:\Windows\Explorer.exe  (PID 380)
            cmd: "C:\Windows\Explorer.exe" C:\Windows\System32\SecurityHealthSystray.exe
         4  C:\Users\Admin\AppData\Local\Temp\dControl.exe  (PID 3760)
            cmd: "C:\Users\Admin\AppData\Local\Temp\dControl.exe" /EXP |3636|
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
         4  C:\Program Files\Windows Defender\mpcmdrun.exe  (PID 2080)
            cmd: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
         4  C:\Windows\Explorer.exe  (PID 5060)
            cmd: "C:\Windows\Explorer.exe" ms-settings:windowsdefender
         4  C:\Users\Admin\AppData\Local\Temp\dControl.exe  (PID 4932)
            cmd: "C:\Users\Admin\AppData\Local\Temp\dControl.exe" /EXP |3636|
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
         4  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 8576)
            cmd: powershell.exe -NoLogo -NoProfile -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring 1
            - Command and Scripting Interpreter: PowerShell
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
            - Suspicious use of AdjustPrivilegeToken
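The child list of PID 1720 above is the whole tampering sequence in one place: the Defender policy and WinDefend service registry writes, an IFEO Debugger value on mpcmdrun.exe, and a PowerShell Set-MpPreference call that turns real-time monitoring off, while mpcmdrun.exe -wdenable is the tool turning Defender back on. The Python below is an added example, not part of the sandbox report or of the analysed tool: it runs a small rule set over constructed JSON-lines events shaped like Sysmon process-creation and registry-set telemetry (the event schema, the sample values and the ATT&CK mapping are assumptions of this example) and flags the disabling writes while leaving the re-enabling ones alone.

```python
"""Flag the Defender-disabling pattern seen in the dControl.exe process tree.

Added example, not part of the sandbox report. The JSON-lines events below are
constructed to resemble Sysmon telemetry (EventID 1 = process create, EventID 13 =
registry value set); the schema, sample values and ATT&CK mapping are assumptions.
"""
import json
import re

T_DISABLE_TOOLS = "T1562.001"  # Impair Defenses: Disable or Modify Tools
T_IFEO = "T1546.012"           # Event Triggered Execution: IFEO Injection

# Defender binaries; an IFEO Debugger value on any of them is rated high.
DEFENDER_BINARIES = {"mpcmdrun.exe", "msmpeng.exe", "mssense.exe", "nissrv.exe"}

DISABLE_ANTISPYWARE = re.compile(
    r"^hklm\\software\\policies\\microsoft\\windows defender\\disableantispyware$")
WINDEFEND_START = re.compile(
    r"^hklm\\system\\(?:currentcontrolset|controlset\d{3})\\services\\windefend\\start$")
IFEO_DEBUGGER = re.compile(
    r"^hklm\\software\\microsoft\\windows nt\\currentversion\\"
    r"image file execution options\\([^\\]+)\\debugger$")

# Constructed sample telemetry: the writes and launches the report attributes to
# PID 1720 and its children, plus the tool's own re-enable and a $false variant.
SAMPLE_EVENTS = r"""
{"EventID": 13, "ProcessId": 1720, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\dControl.exe", "TargetObject": "\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware", "Details": "DWORD (0x00000001)"}
{"EventID": 13, "ProcessId": 1720, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\dControl.exe", "TargetObject": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\WinDefend\\Start", "Details": "DWORD (0x00000004)"}
{"EventID": 13, "ProcessId": 1720, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\dControl.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\mpcmdrun.exe\\Debugger", "Details": "C:\\Windows\\System32\\systray.exe"}
{"EventID": 1, "ProcessId": 8576, "ParentProcessId": 1720, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoLogo -NoProfile -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring 1"}
{"EventID": 13, "ProcessId": 1720, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\dControl.exe", "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinDefend\\Start", "Details": "DWORD (0x00000002)"}
{"EventID": 1, "ProcessId": 2080, "ParentProcessId": 1720, "Image": "C:\\Program Files\\Windows Defender\\mpcmdrun.exe", "CommandLine": "\"C:\\Program Files\\Windows Defender\\mpcmdrun.exe\" -wdenable"}
{"EventID": 1, "ProcessId": 4242, "ParentProcessId": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $false"}
"""


def _norm_key(path):
    """Lower-case the path and map the kernel prefix REGISTRY\\MACHINE (or HKEY_LOCAL_MACHINE) to hklm."""
    low = path.strip("\\").lower()
    for prefix in ("registry\\machine\\", "hkey_local_machine\\"):
        if low.startswith(prefix):
            return "hklm\\" + low[len(prefix):]
    return low


def _dword(details):
    """Parse Sysmon's 'DWORD (0x00000004)' or a bare integer; None for string data."""
    m = re.fullmatch(r"\s*dword \((0x[0-9a-f]+)\)\s*", details, re.I)
    if m:
        return int(m.group(1), 16)
    bare = details.strip().strip('"')
    return int(bare) if bare.isdigit() else None


def _finding(technique, severity, summary, event):
    return {"technique": technique, "severity": severity,
            "pid": event.get("ProcessId"), "summary": summary}


def check_registry_set(event):
    """EventID 13 rules: the three registry writes that disable Defender."""
    key = _norm_key(event["TargetObject"])
    details = str(event.get("Details", ""))
    ifeo = IFEO_DEBUGGER.match(key)
    if DISABLE_ANTISPYWARE.match(key) and _dword(details) == 1:
        return [_finding(T_DISABLE_TOOLS, "high", "Defender policy DisableAntiSpyware = 1", event)]
    if WINDEFEND_START.match(key) and _dword(details) == 4:
        # 4 = SERVICE_DISABLED; the later Start = 2 is the tool re-enabling and is left alone.
        return [_finding(T_DISABLE_TOOLS, "high", "WinDefend service Start = 4 (disabled)", event)]
    if ifeo:
        target = ifeo.group(1)
        severity = "high" if target in DEFENDER_BINARIES else "medium"
        return [_finding(T_IFEO, severity, f"IFEO Debugger for {target} -> {details.strip()}", event)]
    return []


def check_process_create(event):
    """EventID 1 rules: PowerShell Set-MpPreference with any -Disable* parameter set true."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    findings = []
    if image in {"powershell.exe", "pwsh.exe"} and re.search(r"set-mppreference", cmd, re.I):
        for name, value in re.findall(r"-(Disable\w+)[\s:]+(\$?\w+)", cmd, re.I):
            if value.lower() in {"1", "$true", "true"}:
                findings.append(_finding(T_DISABLE_TOOLS, "high", f"Set-MpPreference -{name} {value}", event))
    return findings


def scan(jsonl):
    """Run both rule sets over JSON-lines telemetry; findings come back in event order."""
    findings = []
    for line in jsonl.splitlines():
        if line.strip():
            event = json.loads(line)
            handler = {13: check_registry_set, 1: check_process_create}.get(event.get("EventID"))
            if handler:
                findings.extend(handler(event))
    return findings


def technique_counts(findings):
    """Findings per ATT&CK technique ID, e.g. {'T1562.001': 3, 'T1546.012': 1} for the sample."""
    counts = {}
    for f in findings:
        counts[f["technique"]] = counts.get(f["technique"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['technique']:<10} {f['severity']:<6} pid={f['pid']:<5} {f['summary']}")
```

Run stand-alone it prints four findings (three under T1562.001, one under T1546.012), all from PID 1720 and its PowerShell child; the Start = 2 write, the -wdenable launch and the $false variant produce nothing. That asymmetry is the point: a rule keyed only on "touches WinDefend\Start" or "runs Set-MpPreference" would also page on the tool's own cleanup, and the IFEO rule is rated by which binary the Debugger value hijacks rather than by the value written, since any non-debugger there silently replaces the Defender command-line tool.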

1  C:\Program Files\Windows Defender\MsMpEng.exe  (PID 2768)
   cmd: "C:\Program Files\Windows Defender\MsMpEng.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Modifies data under HKEY_USERS
   - Modifies registry class
   - Suspicious behavior: LoadsDriver
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2  C:\Program Files\Windows Defender\MpCmdRun.exe  (PID 1680)
      cmd: "C:\Program Files\Windows Defender\MpCmdRun.exe" SignatureUpdate -ScheduleJob -RestrictPrivileges
      - Suspicious use of WriteProcessMemory
      3  C:\Program Files\Windows Defender\MpCmdRun.exe  (PID 3924)
         cmd: "C:\Program Files\Windows Defender\MpCmdRun.exe" SignatureUpdate -ScheduleJob -RestrictPrivileges -Reinvoke
         - Drops file in Windows directory
   2  C:\Program Files\Windows Defender\MpCmdRun.exe  (PID 2576)
      cmd: "C:\Program Files\Windows Defender\MpCmdRun.exe" GetDeviceTicket -AccessKey 0AA9A002-A16B-8842-46CD-DB2BA6DBE0FE
      - Drops file in Windows directory
   2  C:\Program Files\Windows Defender\MpCmdRun.exe  (PID 1220)
      cmd: "C:\Program Files\Windows Defender\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob -UnmanagedUpdate

1  C:\Windows\system32\svchost.exe  (PID 2488)
   cmd: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

1  C:\Windows\system32\svchost.exe  (PID 1660)
   cmd: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
   - Drops file in Windows directory

1  C:\Windows\explorer.exe  (PID 4484)
   cmd: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
   - Suspicious use of WriteProcessMemory
   2  C:\Windows\System32\SecurityHealthSystray.exe  (PID 1388)
      cmd: "C:\Windows\System32\SecurityHealthSystray.exe"
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

1  C:\Windows\system32\gpscript.exe  (PID 4400)
   cmd: gpscript.exe /RefreshSystemParam

1  C:\Windows\explorer.exe  (PID 1272)
   cmd: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

1  C:\Windows\System32\oobe\UserOOBEBroker.exe  (PID 4596)
   cmd: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
   - Drops file in Windows directory

1  C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe  (PID 1472)
   cmd: C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
   - System Location Discovery: System Language Discovery

1  C:\Windows\system32\svchost.exe  (PID 4868)
   cmd: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService

1  C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe  (PID 4624)
   cmd: C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
   - System Location Discovery: System Language Discovery

1  C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe  (PID 2808)
   cmd: C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
   - System Location Discovery: System Language Discovery

1  C:\Windows\system32\wuauclt.exe  (PID 4744)
   cmd: "C:\Windows\system32\wuauclt.exe" /UpdateDeploymentProvider UpdateDeploymentProvider.dll /ClassId 40ee5cc9-42c1-4d05-b1e3-bbdb674023f8 /RunHandlerComServer
   - System Binary Proxy Execution: wuauclt
   - Suspicious use of WriteProcessMemory
   2  C:\Windows\SoftwareDistribution\Download\Install\MpSigStub.exe  (PID 3792)
      cmd: "C:\Windows\SoftwareDistribution\Download\Install\MpSigStub.exe" /Store
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
   2  C:\Windows\SoftwareDistribution\Download\Install\AM_Engine.exe  (PID 4624)
      cmd: "C:\Windows\SoftwareDistribution\Download\Install\AM_Engine.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
   2  C:\Windows\system32\MpSigStub.exe  (PID 420)
      cmd: C:\Windows\system32\MpSigStub.exe /stub 1.1.24010.2001 /payload 1.1.24090.11 /MpWUStub /program C:\Windows\SoftwareDistribution\Download\Install\AM_Engine.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      note: this instance sits under wuauclt.exe although the NtCreateUserProcessOtherParentProcess signature on AM_Engine.exe and the 4624 -> 420 WriteProcessMemory entry show that AM_Engine.exe created it with wuauclt.exe supplied as the parent. That is the Defender engine/platform update that ran during the analysis, not something dControl.exe spawned; the same parent-handle trick is what PPID spoofing looks like in malware, so read it together with the image paths before reacting to it.
   2  C:\Windows\SoftwareDistribution\Download\Install\AM_Base.exe  (PID 4924)
      cmd: "C:\Windows\SoftwareDistribution\Download\Install\AM_Base.exe"
      - Suspicious behavior: EnumeratesProcesses
   2  C:\Windows\SoftwareDistribution\Download\Install\AM_Delta.exe  (PID 3648)
      cmd: "C:\Windows\SoftwareDistribution\Download\Install\AM_Delta.exe" WD /q

1  C:\Windows\system32\svchost.exe  (PID 6164)
   cmd: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

1  C:\Windows\system32\gpscript.exe  (PID 6208)
   cmd: gpscript.exe /RefreshSystemParam

1  C:\Windows\system32\taskmgr.exe  (PID 6492)
   cmd: "C:\Windows\system32\taskmgr.exe" /7
   - Checks SCSI registry key(s)
   - Checks processor information in registry
   - Modifies registry class
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken

1  C:\Windows\System32\rundll32.exe  (PID 7036)
   cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

1  C:\Program Files\Mozilla Firefox\firefox.exe  (PID 7200)
   cmd: "C:\Program Files\Mozilla Firefox\firefox.exe"
   - Suspicious use of WriteProcessMemory
   2  C:\Program Files\Mozilla Firefox\firefox.exe  (PID 7284)
      cmd: "C:\Program Files\Mozilla Firefox\firefox.exe"
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3  C:\Program Files\Mozilla Firefox\firefox.exe  (PID 7500)
         cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1936 -prefMapHandle 1928 -prefsLen 27137 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8dc00690-4705-40da-b627-88e2871cb4c1} 7284 "\\.\pipe\gecko-crash-server-pipe.7284" gpu
      3  C:\Program Files\Mozilla Firefox\firefox.exe  (PID 7576)
         cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2360 -prefMapHandle 2356 -prefsLen 27015 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1737b00a-ba78-4d64-88ad-140ba14218e5} 7284 "\\.\pipe\gecko-crash-server-pipe.7284" socket
         - Checks processor information in registry
      3  C:\Program Files\Mozilla Firefox\firefox.exe  (PID 7812)
         cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3304 -childID 1 -isForBrowser -prefsHandle 3296 -prefMapHandle 3280 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {58adac46-6aa3-4161-a2b1-cf90826492ac} 7284 "\\.\pipe\gecko-crash-server-pipe.7284" tab
      3  C:\Program Files\Mozilla Firefox\firefox.exe  (PID 8128)
         cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1224 -childID 2 -isForBrowser -prefsHandle 2568 -prefMapHandle 1240 -prefsLen 32389 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ccd22d3b-0e65-4e08-bae9-a8a653476141} 7284 "\\.\pipe\gecko-crash-server-pipe.7284" tab
      3  C:\Program Files\Mozilla Firefox\firefox.exe  (PID 9080)
         cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4760 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4728 -prefMapHandle 4704 -prefsLen 32389 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33ff34f0-58f6-4b32-b8b4-6c48efbd1315} 7284 "\\.\pipe\gecko-crash-server-pipe.7284" utility
         - Checks processor information in registry
      3  C:\Program Files\Mozilla Firefox\firefox.exe  (PID 632)
         cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5228 -childID 3 -isForBrowser -prefsHandle 5220 -prefMapHandle 3884 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f418a6b3-695b-4c0c-a383-6016f55bd79f} 7284 "\\.\pipe\gecko-crash-server-pipe.7284" tab
      3  C:\Program Files\Mozilla Firefox\firefox.exe  (PID 7308)
         cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5340 -childID 4 -isForBrowser -prefsHandle 5348 -prefMapHandle 5260 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {39e6b102-41dd-459c-a2f9-b7944b2dc96b} 7284 "\\.\pipe\gecko-crash-server-pipe.7284" tab
      3  C:\Program Files\Mozilla Firefox\firefox.exe  (PID 7376)
         cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5228 -childID 5 -isForBrowser -prefsHandle 5564 -prefMapHandle 5568 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {34c096ad-f65f-4379-9491-e98e16b9caf7} 7284 "\\.\pipe\gecko-crash-server-pipe.7284" tab
      3  C:\Program Files\Mozilla Firefox\firefox.exe  (PID 5392)
         cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6084 -childID 6 -isForBrowser -prefsHandle 1508 -prefMapHandle 5984 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9dc5dced-9a03-4edb-8d26-681b74fc8fce} 7284 "\\.\pipe\gecko-crash-server-pipe.7284" tab
      3  C:\Program Files\Mozilla Firefox\firefox.exe  (PID 7196)
         cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2764 -childID 7 -isForBrowser -prefsHandle 5312 -prefMapHandle 2704 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8ed7d35-ddbd-4ae7-a33f-3e9522dd0647} 7284 "\\.\pipe\gecko-crash-server-pipe.7284" tab

1  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 8832)
   cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe"
   - Drops file in Windows directory
   - Enumerates system info in registry
   - Modifies data under HKEY_USERS
   - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
   - Suspicious use of AdjustPrivilegeToken
   2  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 8872)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7fff0303cc40,0x7fff0303cc4c,0x7fff0303cc58
   2  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 9168)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1984,i,9277165118999860283,1957432067783783346,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=1980 /prefetch:2
   2  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 9148)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1952,i,9277165118999860283,1957432067783783346,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=2000 /prefetch:3
   2  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 9200)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2088,i,9277165118999860283,1957432067783783346,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=2324 /prefetch:8
   2  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 6196)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,9277165118999860283,1957432067783783346,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=3172 /prefetch:1
   2  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 6304)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,9277165118999860283,1957432067783783346,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=3204 /prefetch:1
   2  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 8504)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4556,i,9277165118999860283,1957432067783783346,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4596 /prefetch:1
   2  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3380)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4880,i,9277165118999860283,1957432067783783346,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4560 /prefetch:8
   2  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 5132)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4752,i,9277165118999860283,1957432067783783346,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4744 /prefetch:8
   2  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 9136)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5332,i,9277165118999860283,1957432067783783346,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5376 /prefetch:1
   2  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2500)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3316,i,9277165118999860283,1957432067783783346,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=3832 /prefetch:8

1  C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe  (PID 7520)
   cmd: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

1  C:\Windows\system32\svchost.exe  (PID 4088)
   cmd: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

1  C:\Windows\system32\svchost.exe  (PID 7444)
   cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

1  C:\Windows\system32\AUDIODG.EXE  (PID 5820)
   cmd: C:\Windows\system32\AUDIODG.EXE 0x16c 0x4a0

1  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2960)
   cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\StopFind.mhtml
   - Enumerates system info in registry
   - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4596)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x148,0x14c,0x150,0x120,0x154,0x7fff11c546f8,0x7fff11c54708,0x7fff11c54718
   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 6868)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,18382063173280025566,17292450845097946037,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 6864)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,18382063173280025566,17292450845097946037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 6896)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,18382063173280025566,17292450845097946037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5064)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18382063173280025566,17292450845097946037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2240)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18382063173280025566,17292450845097946037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
   2  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 7764)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,18382063173280025566,17292450845097946037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
   2  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe  (PID 7772)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      - Drops file in Program Files directory
      3  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe  (PID 8120)
         cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x274,0x278,0x27c,0x250,0x280,0x7ff767af5460,0x7ff767af5470,0x7ff767af5480
   2  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 8292)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,18382063173280025566,17292450845097946037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2812)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18382063173280025566,17292450845097946037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 7200)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18382063173280025566,17292450845097946037,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 7912)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18382063173280025566,17292450845097946037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 8236)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18382063173280025566,17292450845097946037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 8300)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18382063173280025566,17292450845097946037,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4432 /prefetch:1
   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5552)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18382063173280025566,17292450845097946037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 7280)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,18382063173280025566,17292450845097946037,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3884 /prefetch:8
   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 8232)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2136,18382063173280025566,17292450845097946037,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3776 /prefetch:8
      - Modifies registry class
   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4896)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18382063173280025566,17292450845097946037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2212)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18382063173280025566,17292450845097946037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6596 /prefetch:1
   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 868)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18382063173280025566,17292450845097946037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:1
   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 388)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18382063173280025566,17292450845097946037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4716)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,18382063173280025566,17292450845097946037,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6388 /prefetch:8
   2  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 6784)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,18382063173280025566,17292450845097946037,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3396 /prefetch:2

1  C:\Windows\System32\CompPkgSrv.exe  (PID 6268)
   cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

1  C:\Windows\System32\CompPkgSrv.exe  (PID 1888)
   cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

1  C:\Windows\System32\4szow6.exe  (PID 8680)
   cmd: "C:\Windows\System32\4szow6.exe"

1  C:\Windows\System32\4szow6.exe  (PID 7192)
   cmd: "C:\Windows\System32\4szow6.exe"
   note: a randomly named executable under System32 with no parent in the tree and no signatures of its own. The report does not say who wrote it; the "Drops file in System32 directory" signatures on dControl.exe (PID 1720) and its PowerShell child (PID 8576) are the places to look first.

1  C:\Windows\system32\msinfo32.exe  (PID 7524)
   cmd: "C:\Windows\system32\msinfo32.exe"
   - Checks SCSI registry key(s)
   - Enumerates system info in registry
   - Suspicious behavior: GetForegroundWindowSpam

1  C:\Windows\System32\oobe\UserOOBEBroker.exe  (PID 7604)
   cmd: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
   - Drops file in Windows directory

1  C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe  (PID 7668)
   cmd: C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
   - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

The number after each entry is the count shown beside it in the report's matrix.

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)

Defense Evasion
- Impair Defenses (3)
  - Disable or Modify Tools (2)
- Modify Registry (5)
- System Binary Proxy Execution (1)
Downloads

Artifacts from the run, with size and hashes; the last entry is truncated in the source.

- 649B
  MD5     ce134f032d35a7679ea2ae94b095b592
  SHA1    66621c08b5a31b615348d1db1e688c39e5f67d68
  SHA256  ffc7715f1c90b1ea6c4cc10cea605d44fccb33b395500b01f91efa08d4a1694a
  SHA512  f77ed36a94141b758f19e4687c26db10c4ee939926008c7cef85c8edf31dbeadc7ba2b49e650a54891af9e68b17dd1628311594a79d661ee4306b98f365058f2

- 41KB
  MD5     4a686349993965721f090d158a10a6c4
  SHA1    fb0f61ba49cfd7e213111690b7753baf3fcce583
  SHA256  65451d12c37acf751e9f4732e9f9f217149b41eebad5b9028eac8bd8d2d46d8f
  SHA512  0dc571487fd798b62678378c2dd514fb439f6c131637d244c8c3dd48d5e84267d21fe633c5b20578e621d5e8fe2958c5e58bc18ebe2d4731b18669fec4031489

- 168B
  MD5     24238023d282a211a2138d2a40c98cd6
  SHA1    a654d778c836f3d5bc9b78a3b75952fa2460bff9
  SHA256  bc039f9ef9e05d54b2c76a36bd681240057b7d67b26d2093f3854713201dc01b
  SHA512  94d495e36d0a5dca8099157793de2d584e2a1cfaf6e8312c111682213203456e2476cc628f9a306257d4c3b2be77c93c848e6076cce1b859b7fb8794ab41e197

- 2KB
  MD5     8781217630be89765fb1764b2c6ccc7b
  SHA1    0fdae61c2e74a29eddabd597df3097e59028bd00
  SHA256  9ce4c54a5505a313f1c51777ca053b34cfc27667f2a918998113e3b0b8be0fe9
  SHA512  bb495ea8a5ef5460006584f43a36513f22aa10daced460dc739c47177c93e72a1a15543314597693abb8074c7887efec1017a2ae33cac51f7fd1e8512b742bd4

- 2B (these are the hashes of the two-byte string "[]", an empty JSON array, so this is an empty response rather than a payload)
  MD5     d751713988987e9331980363e24189ce
  SHA1    97d170e1550eee4afc0af065b78cda302a97674c
  SHA256  4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512  b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

- 356B
  MD5     c8bcb642107c071a26dd1295bab019a2
  SHA1    a7b6ed4df979a730729078ee74ba368c2888cafa
  SHA256  2c82937e519fa049e1219048c9964fe7f9baf1035513a91f8b48b9c5cee0111d
  SHA512  0f6e2658b0174befffa363e25ab5296807f8237014f7e1c15d8551aedb468abb5271cc2e1e6793b93a2e894ba1a7a212ef234a32a1ac6e96251245e4d8c29adc

- 9KB
  MD5     8c086a084a51c46fbc0ce3507af88a77
  SHA1    58fb8e6e25012e9e0b217bde66c508a11fb23f9b
  SHA256  fce9ff80d606c4af6c3a90c9108833c80e50e811bd4870fc650c7a98979e5d1f
  SHA512  7d3dbc57602e2da13671f3f645e399a1221f0abb8bd9506b512b726cfa5bb1b71660fa67682c819886365bbf6fbce6d4a554a2600d34569a9e5a189da53f9e1f

- 9KB
  MD5     1f930c63d9074609c0da0001af48f819
  SHA1    d683253acc86102751c27935239df84244b9a2fb
  SHA256  5cc5493a1933d265036ecf05ec6b010a25e1bebfa0f5623fc42fb5aae8a8884c
  SHA512  390ff1bb8e091bf2ddb760a33412bcb5b9a546053eb7523197e8ee9cfbe3548946b01536c728fe54598d780120f63641a87a3447821ab215503167d9390c85da

- 9KB
  MD5     c7b293871dae6545e701bfafca512fa9
  SHA1    0b573ce7df32c278de9614f4b3951fd82383df49
  SHA256  dcdd7ecc8d5a84aa69f9343c334cd6f0fb3001e6a9ea6de026992bd87594b394
  SHA512  4e037bdeda75f979abf109e041c1960bb0e9aa6af5051dce1939eeddc6c6c1e9f078c6e9a998a958f440fc8913dbbed1ccff248f3b2c51d55a2e6a9d9df1d520

- 9KB
  MD5     78c704554038b8cd7c9e9c155d1550e6
  SHA1    ee4d498e1f6f233e8ed1d7309d1f205b73648a70
SHA256a20eabacab823df2bac79388c63af2d461b8ed6c96851048a05155c4292e1811
SHA5120c078a0c495d26008f5acd5cf719d120743ec3d259c3b97766f4a41b6abe8182a4ac2ae7bf168ed145df66922cadbe2429d2989ed081b6728165105bf411eacc
-
Filesize
15KB
MD54c4177cf786f416c26e9b2f652db1060
SHA15549f36c26092f454ce03a1a5aaea6a639a41a58
SHA256c9e3d8d4c144647f8d341cbc6d387677a502326114cd73db84010819718cf8fc
SHA5123e5fa9fdbe08749e9c3a584cfdf98b28096913393dca9c1aa1d9a41c86c8a52cfd4ab89cc4e49f8fa365e6e04929d09d258933d048aeac83cc011d1f43b8d59d
-
Filesize
236KB
MD52568638d7d043ebd4ee2aca0fc85213b
SHA1bc5ab92e3e114871fb07c9f0167c02a88c8e793f
SHA2566c2fd911df65ec212ea30709f3ef4842ffa7397044d068d3774c3220f2ed1225
SHA51240ad7b082c028159d39355c2c624ba089590dcbabdc52a6dd02d20f16a12da8e875dbabce388dc162f7b95565ee5f584b7c2cbe7b47b45477091790ddb87f343
-
Filesize
236KB
MD5e192185a65a4352661be7259fffda0bd
SHA15df422e66bb775e382f76da876092a943d110fa0
SHA256bd1c72a1deeb0955cce79ec1a6dd80c4fc467e3883179c8b0f4ae902abae09a7
SHA512c59e82490ee6cbe4b83046c7a6f80223af5453e163a9f455f46c77456266e38fefd8c91087f26eb8c3f1e37a2e41553b4955e31625653298514f46148d9680a0
-
Filesize
236KB
MD5b3f5e4d93c728fd8d1e7ba5deb5dabc0
SHA1405d6fb7030a3b0c28dd53312cfe34dd7ec770d3
SHA256b35b46b1424a7c93a36efe0182a0d06ace0b3749e041ac35b303e2303555541d
SHA512e267b7dfbad85c33d22160aa2f4148c8f45cfece5c6bc22e60813d826e3fc60922e707c78ab20a6de3e6b974fc0056d5e28bbb817ae7843f14d84002407d2ab0
-
Filesize
264KB
MD512ef323b3a10350eb62304c08c25f4a7
SHA17f34117078311445748009cb24ee63264bff1ffc
SHA256298bd469d298ee13792a70b39c191da7b0ac4ce96de0727cd4cd63873cf7f853
SHA512fdcee65ae2e1671c3a5b3c26764b8f348713c1098182c034be83a77f99d65d62a9d133f04b3b2ddf6604cffcb92918a7ce61ab5da743dcd5e2f4fe629e290fef
-
Filesize
152B
MD52dbb5524aa1aa51fb09065a1fffbc8eb
SHA1931698f70968b05802e3f1caf59ef833cb49717c
SHA25698be2d6ca5623fbc27ef9701448face11d39e85297489d63569b40f38ad07404
SHA5122e80c69ebdb363d3deb8ce8a36f4f582450e932b039f71fb1a2b0a94458add2c978e122b98633430db51125be2e60d746aa88e1fbd0be38434de0784cd685316
-
Filesize
152B
MD5ce3b1f686fe1099f127abf8bb0a6ebd1
SHA10d73154910ba712114a54da4a70e1f2fd6af7911
SHA256ba6fb4f1587708c5b12d41d181d5c0bd794a0a0acdca7b70c7538398ed3f07df
SHA512aa39919330e2261df585ab526c1dee495a7404f361f0f8f6856c18d38cb5468d463d5135b339d379bfbe39e789a8d994064f845f690cd9ed2c29c780e4aab622
-
Filesize
62KB
MD5c813a1b87f1651d642cdcad5fca7a7d8
SHA10e6628997674a7dfbeb321b59a6e829d0c2f4478
SHA256df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3
SHA512af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b
-
Filesize
70KB
MD53b06aa689e8bf1aed00d923a55cfdd49
SHA1ca186701396ba24d747438e6de95397ed5014361
SHA256cd1569510154d7fa83732ccf69e41e833421f4e5ec7f70a5353ad07940ec445c
SHA5120422b94ec68439a172281605264dede7b987804b3acfdeeb86ca7b12249e0bd90e8e625f9549a9635165034b089d59861260bedf7676f9fa68c5b332123035ed
-
Filesize
19KB
MD51bd4ae71ef8e69ad4b5ffd8dc7d2dcb5
SHA16dd8803e59949c985d6a9df2f26c833041a5178c
SHA256af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725
SHA512b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863
-
Filesize
63KB
MD5226541550a51911c375216f718493f65
SHA1f6e608468401f9384cabdef45ca19e2afacc84bd
SHA256caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5
SHA5122947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize48B
MD59631ad9767f52c08e9f450edd570c4c4
SHA1554875814e9ceb98c1fc8459a8bf25c0a4ebbc1c
SHA256eae9a98e5647df0036722e8c9fe2553d0810013689a3b82ba915e3f6582da513
SHA5121b29f35acafcee25cfcf4a186180f5df9f8dca70ac95717e8a30ae3214875b3ffaae616b1f366a9702022ee8f6fe1c16384d422d014817855daef98bbb10a0f7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD5bbbfd341336d78a14455eab0bc676b71
SHA12f91b444b62cc68a7c2af09ce5d6944ee2967e18
SHA25615c590b711279ccd45cf554ab97d331fd10518fcefa6a09fb92114f10f662045
SHA51230ecc9dce246da5e891618126d43f50d453df760bd6c016689a7f7ff7eb1a4681fa5d2ab0aaeb015c3027343284e1521133c3404c064acad53157adbf7433989
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize3KB
MD58d55e2501b946ea9b5dad3088cb15d78
SHA1fc8bfd712bdd8615eba9e9e5e1be3b09c794d754
SHA25662c50802692d240e066bb25616e0f7bed16bbff8a30d0c3a5c2f098b21f7889c
SHA5124de41a57aaa139c588a4a30add690f9dfdd5dbf3d42f182995bf99a7397ac2d09574ad8a4a07fde64995eefcc59eb8acd7441c0ce5009a29a452fe215681e364
-
Filesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
Filesize
59B
MD52800881c775077e1c4b6e06bf4676de4
SHA12873631068c8b3b9495638c865915be822442c8b
SHA256226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
Filesize
2KB
MD52b023337358fc68e75e027abbc62248a
SHA177625a36e37ec4459e790f6ebeeb133e7e596a73
SHA25659766c020ff517844ba41183fb614733753f1ce484ca7a7af291c18afb9853d1
SHA5125dd6ccc4e53455067a5b6707405e1ff6cc5f384e1dadd113cc39f03135b2898c9d09700265c6faba6153ff0a94406f29605682a774043898d1a53d04862bf2f4
-
Filesize
2KB
MD51d92da59e3eb745815df9727238f15af
SHA14188a154ffdd19265551c185cc1f598d06d6f34a
SHA2569046a4efba60b42d5368096a48ee44e06fc4be4dace776eecfe68ee73b6d0545
SHA5120c39defaf348df4520c2f1fddbd4357270d2a92f07fdc2e4e2cb5f7839cf7553b570f10e3ca1ae9104dd7d6c420fca30a7cd603b08db8a97367a7d077a713ed0
-
Filesize
2KB
MD5e449014dfefa51dd1ed004c444ba32bb
SHA11274bd2b6ac544041ce385dafcce2aaf3c343e39
SHA25688d477c697e7f6b3d4ffb66e4cdcb8d2c9d8d4312042e93d99555ecb864e6485
SHA512dbfbb1015735ad6f780485461b876f20f88d3d4de608c80d47db73911d94ced47bf9dbf4cbabe785fd02e47eab573c40c19067aaa821ad01f40876af5fd73d45
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe5f9a55.TMP
Filesize59B
MD578bfcecb05ed1904edce3b60cb5c7e62
SHA1bf77a7461de9d41d12aa88fba056ba758793d9ce
SHA256c257f929cff0e4380bf08d9f36f310753f7b1ccb5cb2ab811b52760dd8cb9572
SHA5122420dff6eb853f5e1856cdab99561a896ea0743fcff3e04b37cb87eddf063770608a30c6ffb0319e5d353b0132c5f8135b7082488e425666b2c22b753a6a4d73
-
Filesize
4KB
MD56dab02fc92791803164c2a822a12dac5
SHA16c79993d6d8dbb6d54ccee0af6263acc2b81b222
SHA256977212f07970832431600e84d2c54959c6e808ae2a04825a0b7e8f66503fd35d
SHA512a6afcc4e4735a5926de86320f4d74a56d8a45c16bbf6f081cca08da2d953bb96d7ef0dc8fce3a607c438263e37b5e5933b4ffc7cac969943f37d00a3e0d93ee7
-
Filesize
5KB
MD505014ed6f131ce59ca1cd0ae75de969f
SHA169458d5b0ebe9f3684afcd5b376bacde4f79dc25
SHA256ed64f491c90c51b052521fba8223f80fd57bdd36007840beb822d26c9573fa56
SHA512c82d726b4766f10b862132a199b7b3008ce0855cc5f1d17be610bf34aae0f5ae52beb0d6dd73d31c6f20be4c3c7e983a202701543aab00281a412aaebef16c99
-
Filesize
7KB
MD5967b7bdbb5677398a80cc979e588a6b2
SHA1131a69d97caef063c575ee387062eee6566b89d9
SHA2566773be7d19f75d180573c65ce2ff09f6d338aa932df21105ca5b6e5180cd4d2c
SHA512a2e1afcbd4d848ba3d449d0cbb64ff0cae1eab069f1cda7b69e985c93d1d5220a2d485bf8d7f1ef0d20899949f6ad6e58e143818bc28ca7d8c2acaedab6522f7
-
Filesize
7KB
MD5d58ece5c4f5758613af3c5e86b6e6f1e
SHA1fe2dd702e338e136af7042c41d4cdc10b9e84d84
SHA25631bbe427ec38852d8a9282847a6121c14a1f0435d1ea7f6eae5010e4d9651a3f
SHA51243869c9a38a9244285bee8878516e942753935ee0f2a583b446b8f80c0e4dd9d240f9fbd11e9845c0194b9227099566c9260fcfd14b7d712f07cc0446a45ccca
-
Filesize
8KB
MD566f1ad825b7366937b6ab92230f04f27
SHA16e5094c27b7dc8b08a6c44e384add37fc30732b2
SHA2565d6cbf5d27eaa26f3f17bbff592dcb34e42c2a3c95bd9d7e52500cc19d195a48
SHA5122ea07483bb7d4d68089f2d3edd94121c0eab2bd1e6cf26301c440397a07db8b0c7b6f4f67774c05a12adc84d934bbcb964ed711490e08455dd2919ca240a35f8
-
Filesize
24KB
MD5b34b4baff340a3f6eefe8505fc27e7e7
SHA14d1b936588dd1eb659511606f7ae37b4b788bd8d
SHA256333804cf5fe67abc2dcbfc59e065200af4843e64bf4e6b2cd3fe0ec93fff182d
SHA5124821914745f500999afc00a979cb251ee9bb08b96501ab8eade9f75565565d568b24422661c81a1b136017151ded5192fc5575990215d1c8f7783e1a9be45257
-
Filesize
24KB
MD55614b3ff8da92c0262de324b43eb81b9
SHA1d313dd6760e336a522ba05f3918e9aa4d8bb0a11
SHA2564f9380552bf22ef4ed93687f44b76aee52c56dcb373c6c3fe5613f6370100275
SHA51261957fa440c545bc3c83e2579f14fbc4945377c2df935bfb1ff2a71361ca8effd821418b3d6a64005038741837ed4fbf0a55101d9d1f69ed0881d9ed28a57954
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize72B
MD52e7ac77ded8c2dbd8a5c6715943d9828
SHA1da0842b3e15ee348b2e9f90931af3a61ad2e72fb
SHA256aae9c6f76aabeb8a609b27dc7ed73cf9ce4ae7304a83e32f410536acaa566e20
SHA51254bcfd71eeff933e55a6decf5161019c55e282cb588ccb16871854d68781eae385ef4314822e639eaee31133fae93d50ff8886046428d0927546d91c8a27ce85
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5fcacb.TMP
Filesize48B
MD5edc5728571272783df889fe81a79f050
SHA184588fc72ce4799421a4e0385fbf6826780adfa3
SHA25680ac8cf81ff0bd459d8d884434e7871d3effb55ef1b66815615b1fb2ebf23872
SHA512e4e4111d0bb8cab77d0a481130e98cfb54bd2282fe9a0d16a895ed4533053c296f25d1a56abe8927edcf90fda0768e22cc8965f19b435f17f341988ccf2fcd6d
-
Filesize
1KB
MD591f6b0d90103edb4993bf136df8e037a
SHA1a290e38ca3d318bb4606837aedd12de56a5e0371
SHA2568ba32f784bf9b556c07a6c3a805df806c722c9d26a4d75002d4b389bb4cab250
SHA512d812b3322560a1c880f4e583b5005c6119ab54b7f56966ec3f75d009f7f77dfea86280aa959eac6be5fd6b2c36483df7d514acc239845e68657e5e36ccbf1f2e
-
Filesize
872B
MD5b1d9000cf08689378659d47dbe4e5e2f
SHA125f8d7c9bf9d56372d5eba96a1905ee2c8702f6c
SHA256ccadd7c03e7d4bf38cc06b3474617bc433b030973acc3b2b5a43fece315c5b05
SHA512fb8075e64fdd0ac0d8121b0c2c1402281e00740670543cd6a28ae47ce1429641dd71930cd53a09b418bdf9972c984b50f8ef5b223f0e7fd29beeff3866e1e6ba
-
Filesize
538B
MD5933e557f8852f1e2df23ec2cc4426d61
SHA1c6b332e7ac3724275ecadd3191123a5e42e999d9
SHA2562299b6f64100577c983a8f771cf6153f8655af889a68285b95d7309182987cdf
SHA512b626867685c64cf6543d6d7ffdd635f3e052e03fed4ead353af40c5a10521bf83a73361cf4c7d2bb36d059378fa0414147012b543b5071d9f120c30fbeeed228
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
8KB
MD538044151d67fe6e2dc0b800ad2f2bcaf
SHA1c993cc5ea56e057850e6cb33138b544d992249da
SHA256e02cecdc9d27e199b5da9fa38c694e9655074295602cb7aa455dcb91d68b8e20
SHA512921bd2de29f51b4b3150fd85baf0e27a0229ea6680c87ee20216722a9fd7fbb515b04c22d5c1a3e41beb4da362e218e1c0bc954630ed17126b3a125a600eaf3b
-
Filesize
11KB
MD57f3dbb5718b984fa30cc49196708bf48
SHA1fdbf6f46e2ba03f000192e06d01fc7c78ce2def9
SHA256eff5aa73dd2d175f1fd0d01633333623214e23772179193d362ea38ca2b38d16
SHA5120e7575b565f118808c80530e3998cd9a80590f8f8fc1cda94ddb22738b2a68854ff98dd71fddc38e966298de0f01714168240921fc43f11f94805e9be76ef6ec
-
Filesize
11KB
MD52dd43bb25fb411a0e26ed3f1e6d44a2d
SHA152b27c6419df0147416e58125178a792ac293f7f
SHA25629b8e776dee51eaa80abef36532f3caaf0b334e5db5bf593665ee202994044d1
SHA512ab9ca6126b9141f715a816e60ac782f7e5a67d4ad3914c3baf6e825283a1ccc02da9a57f78909f6d716c0d041f26d686f09e9a70d4eb2c17443131ebddd79964
-
Filesize
11KB
MD593ef1f07d1dac8c929b980b085297327
SHA120386d7678661b11f3fb9502b9e15963fe9ee678
SHA2566dd0b2f594a7f32cb9cdf6d083ed5d6e607d31d17e341f069dbd494596bba9bb
SHA51246ebc0645ef2804b49469eb124b1da389efe9bc9906dc2baa4732c367ef29245e2397bd1d9f335a22a521396b9f100c092b5e49e20ef9f5fb7fa14d1327002ed
-
Filesize
11KB
MD549edffb58e6f6e246052fc17ca35ec8f
SHA11885d6cc1d4e5ecbbb3f9115cedf3a17f8a6aec4
SHA2567c7015924434a822893b0691eac0bd561ee2222171eb79ecfa18b0a92328a102
SHA5124fbe4427ac82f1b6a36fcee93afdc8183245ac548535815e10fafef799e25abdec7f5d51f694a3d32546eb58c8946e4b1048793c1b35ec956321c4cf2979b8fe
-
Filesize
706B
MD5795103377bed316703f5616aace571de
SHA10e9affba6c45bcdde602b696eb7dbebb7764b5f3
SHA256157df0dc3384030033bb46eec0b3a380207f881682f5d483e16fbf79dafe628f
SHA512611825dee8265daceb4d42098def4132d57d9d1b42671557267b2f0a6ab5affb3afb1997ec0ba05047d89e0bfb1eb8ba210744dd9482be074787a8644b28252d
-
Filesize
706B
MD539712e92cc6dd50f4eff3c5b42a06ca1
SHA12511c08d5d575cbb7d3f5a5df34321052dfec4c8
SHA2566958d4306236a8541689809bf210b5c477245ef3782d0f1ee948baeeb429e3df
SHA5120fcc1b57deaba7874d31415a8b561ab5dfe449559db82d157a7e13be14a54bde1334bfde9a1baab9f3bd8accbc2285bdf76a2901d98a1ed9c01ab1248e3f60ee
-
Filesize
706B
MD519f24c633c41857cb956ded90e3909bf
SHA1633e11c082802cffd3e4e03de8535d3ebbfaf849
SHA2569751b0947a8f5dd53f0fa0108f587a8abf14eef2f5e651f1b9e357dd5017226b
SHA5125f306f1238de80b7fb0d9fead45d3e3fcb7c15088d2e2cfc42ccca9950e329ef89093012cdbb4ec18f95a0f115a3a539bf41407bdac219e46aa51e62af4f69d3
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ajx894gh.default-release\cache2\entries\172F5BA7ECC6F461526A1DAB7CFF330C86C694F2
Filesize224KB
MD51ff7dd2f5f44372d66dcf3c7218a9873
SHA1a01d7d413bbd27d1f9da8016202f52daf5eb7e5e
SHA25656606378bd85d5b0bfb3445bf658ca96aa662f3bafcf2332ecd235c7ec87156c
SHA51231a807565b55d999cf5e41698ae80f2ac2520719b7cbb8a1fabdc42bdc74febc864710a6ffd6757629b9af5e876d69d1dbbb5e88c29e4c26e1f4df74081f0408
-
Filesize
2KB
MD514e4c9b7400ff654762d1f7f5cd960c7
SHA19ea1a38cfedd94999605ae22ed4cce8d2303e2c8
SHA25611a7c2c6f8682f112120e4252c0cccfbbf9ceecbc9621c749e5aaf94922ccc4e
SHA512b7620c33582b1cfc1b8aca1d0904cc9d6f822ace4393a507d83b2ee953b8204af9e142c038ecb665e527e88c027193222ab523133e5cf276eec88fda95b473a8
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize3KB
MD5638b2ec2037fc8a3983fd126ec4b6d17
SHA1678c30569a08e05b3182b96abb64ebcda13a9448
SHA25685798a174985fa5f738802d7b006c0bff20aea571cffb8ea11b25372e82e73b0
SHA51239e794fedaa8ac2f1ad72fa649098884a3ed628f40b9cfc783268597aa96244fd2f0f4f97273ec1db6af03a142893d27b02e2374699fc1abbc125de9c25fd421
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize3KB
MD501261e94b95d04fd882068c7a9e38987
SHA1702ce6cdc23ae587465ff935505276d08e53d483
SHA2567a8ce7ef4bd4b014639cb08d34a0696006ae3129ab43c31888f05a4e2021948e
SHA5121ab13b4a43f54661994c1548451d90dc8812cfddf67d65529553194fd1f6bf1178474d337d9715424a83468e05fee4d13bcff360434fd21f29ed31eab4b1d1f1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\AlternateServices.bin
Filesize7KB
MD5571d55000edbe4cddebee48ca79495f7
SHA1d573898a6cbe2f2f3e7ef2d721fd34621b64bae4
SHA256700ca31faa2f5dbf18f629eee4b7556403a3f81cd02a58748042794b7c97f1a8
SHA51241246409ab5d8f35a51f210503f5fea3a81c0f2afcc9db61250d596c4e3df69421aec734a05b5179ba3246c1c0dd2110555c398b815125770fc97a8621a69bf7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\AlternateServices.bin
Filesize12KB
MD53d6f184d7168efd738f316f2cb4b7a44
SHA1954755494f47167ee5662bd12d5c84f9798da2b8
SHA25689cc72ba86abad8ab46108dee7cecbd2bf2bad667c9da1929b758ea3974265ea
SHA51200fcc7ec137984c344e11210e600349ce7d540a3effb1823fbf84c19dac4ba0beb3f48f042a6bc948d987760d4177ca8c1268c99ae82101ff5e153d9c07fff4d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\datareporting\glean\db\data.safe.tmp
Filesize7KB
MD594a1cffb32cbd08e02f3536816d32ff0
SHA184a5e0ec2a3b6ef0a3ad9bb1767d45390321162f
SHA256326dd615afccd21c75c3e93e888b6a1c6159ab239ba533df844559c6736c6f2c
SHA5127da78054268365ac16deb922884bde9986754f011fc25604917391e0a307c5e9e1dd7d68b13b8ede932c77a38d938befa4e5562b060b265f12df4ef5098dc80e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD569f01f1e09d8f9348a40b09c1a54fbdc
SHA1f96cde71ea09fb8c302157fe645aa3918d4ed040
SHA256e105e10a6ea60c2ac38dcb70d2f7a61ae6d92c3557d98decb8de9406931b1775
SHA512f1c30912b9ebc79b2fdeabf2c4b057e287f2b2e0034c70c6ce2d21d036a18676aa5b80cc944fb976b8b766d39598570f2cc0342622757876c52008869945f2b7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\datareporting\glean\db\data.safe.tmp
Filesize7KB
MD5bf49e1af34861cf5659c4039051a7af5
SHA17e31192976775db47ef3f90341a375f8f8df9f14
SHA256267db7298edc4aa5d7733a690a2b276a0095483b9e77b5bed591a7108f10020c
SHA512e1d78a9fded51afe7d70e2a75a79183e58228a6f9f199e838f58dddb51b0a346e9d74d58b8c08a4f85e2929e4f9bca96b99e27fff8c47f03caab27b80838b27e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\datareporting\glean\pending_pings\2e5be0e8-32df-4df6-8803-e824fc1c7add
Filesize982B
MD5cf4967383792b2557d47a0677c2e2988
SHA16670a9ccae7a22203db8839f7492e1e98f93d404
SHA256121580ab0de6f85499d593ac176fa201414a1e2a2bafda521c66644ac89b95db
SHA51220252ad8fa6ff5d36f05c544a8aa45e5c30e1b96d060c07caf99be30a2467c016548cdd7650e83f330c185820a2e2141b00001ca10d888ac98d8dce67ad693ed
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\datareporting\glean\pending_pings\86eadcc1-722d-48d7-989d-40236913e350
Filesize28KB
MD50e7e8bd1aac2589fc54a1fb340a3a5c5
SHA112a94ba1c348bb6eabdee946c59c7f9ccef96753
SHA256266749a41f4d0c573cdf91128b228e2e000bb457d88b914485df84481a875330
SHA5126166e2f72d35a4775ec16749bc269ff27afdf2346e4eccca23127d9905f3da33f47a661827257cd0d97f7d45941d2ae8158513e9867b15aff3a6561b7568ff9e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\datareporting\glean\pending_pings\962d369a-2d79-41e8-88eb-6ca83b343a14
Filesize12KB
MD5adf6f00d8ac29d99bd767a1f86c2bac1
SHA1ebd1ac3f7decf5e460d6b1d913d0140a71f321a9
SHA256c429e264b495e88152a93bae9d3f315e82a854d4f0c235561e468eacd169f8e4
SHA5129decc27558e756dbfb8d42023ce914cadfb7e522d85482cefe783b3882a693625071807dbdf943ff0eaa2fc181a655eea47cffa0b5ba633ef17596969c6fca3c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\datareporting\glean\pending_pings\bf0d326b-3673-4847-bedb-0d863be725b8
Filesize671B
MD5ad53930d5e82bbcbc01e7211412e237f
SHA1152bfdc1baa90aae29c413d60ac85c49de921922
SHA2561d80a395ccacfdaa9349a49f5231fac21974cfa932e294b1b8b59640bc4c2cb3
SHA51213068498d9922df29078613e985248e9c90e44af5b3485febee471bd05a42e31f38dbc38f6cc2c05c96bf8cd8d48c6b87bd0c2bddab19b01a2067ef4c04ca19f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
9KB
MD5bea71f428877590cd896557997757bb8
SHA196869986c9e07a150c7aca41e8cd38ea595718db
SHA25631daf1f0622e9876ef84e5a0526780286c2b0d57fbd5e639b4439f74c4175ef1
SHA512463f4199f2c5975104799d26b236ab70a0b02024318daddaf8d969f84fd5a3529b7020cc89668dd6487eeb6bcaefb4cb8ba59932b604335a5cfdb2b629df4e54
-
Filesize
10KB
MD52126fd165067007fe8c533d6c25abba8
SHA129a12a46c331e27b756da311c62c310a290ad8f6
SHA256cd546642b131dde2d4bf00c1fadb8cdbb34caa880c6dfff7cbeeb34c16af2b8b
SHA512010a7e8ebb5b53175d95a20c2dd445f120e0f32b83cea2d68e7240fcedaf86c446664c5466a1c2c10abcac93b1d047bbeab189cf3eec6acec00b122d285e73b3
-
Filesize
9KB
MD5aa90511beb6d4552760299dfbbd5e0b8
SHA1af10fe95e759a30e0606338e6abfefd13f8fdd10
SHA256ac5bb04ac6039a875183dfcb32306b0316d26e9cc2fcc048cd9014e3a40f9d67
SHA512852df8e5979a5b29f4bf02aaf4aed23641ebfb24c75d4e3cb67ca8e3505ce11458f6b6c777194823ecb98c3c7b4e4f70b3457f15c40838a45b3980638e7d1a0b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\sessionstore-backups\recovery.baklz4
Filesize1KB
MD525b25e1012f165f3e6d09b50690a47e6
SHA1491806db85373d4f627839e7f1050e19da6fe244
SHA256ac8606f6fde219d9ce828509bd44da625fe45dff58a910102b6b9fc967b2ad70
SHA5124283d79dc9c011d3279e6e5eff180e522b97a205e8aa4c6ffd4120c27d089161ba70326a9aa36ec02656087a5abc9a20ba7983d9cf11f146005abcd14ec84688
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\sessionstore-backups\recovery.baklz4
Filesize4KB
MD50f5460700f45399a38ee6e390714ddbc
SHA1eb363b4dc4f3330a58eef55cd820416d9e3c1468
SHA256d775fbf4c0062a932c56e3a865e5ba3fa6615dcb907ed1852e597f1d78a1e069
SHA512fd20ac8d84de6356af3b33b07afa5872a9b6b2f0cff49e561006b3980d954f164eebce9027b4c2f2873c3cd0ea79f617b544a68b972afad8b5bb80facb31ba48
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\sessionstore-backups\recovery.baklz4
Filesize5KB
MD5e7863ad07c7a7510bcbf6371ce836e05
SHA1f320fd71e38b5eaefb7370ab3b2bf807f03216f9
SHA256e717a0ccc2b653f7d5db964fe050d2fdc5b8ebe333e118444fef8b88e9d39212
SHA512826b087f980c1902a5e6ab2ffcfbaf2f33cbdc357763393baa2982739651988ef1913f598a730167fef9cbc93dacbdf59f04822f2b02eb88c9623a1c065b35f3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\sessionstore-backups\recovery.baklz4
Filesize5KB
MD5296bf493d3e5dd6d94dab484990c0df0
SHA19882ed0b46e90add45ae1f8397c571ae78d6063d
SHA256022ad13ae9f5fae57e76d28f2e0f493548f309cc9cea70b9eb862131498509ba
SHA51297dfbb90bfa9b7ab6152b750fb9dc6c7ff09bdc02da05f8db3187a598e06deb7e767aef5b2fc69bfa76471b724f7ae95c6e4893f7b4cad94f0a33ad79fa9d0a0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\sessionstore-backups\recovery.baklz4
Filesize5KB
MD56ef5b3090b875cb288cd4cd1e0a13385
SHA107db8542108cb2b932a7bc61315e3b37d4e23e16
SHA256664c50defc7058c58d37e6ef9647c9ebc7ddc141dd63c57ed682b6ecce8e8828
SHA512acdfcfbb80d720e42297c57cfc1675dfbe7e72ec37894d1c2095319c2d3a4397f9156fcbcab1407664d050f8ce86f3dc64cb7353d70178582951c52b2792b7c1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ajx894gh.default-release\sessionstore-backups\recovery.baklz4
Filesize5KB
MD510f3f4769a95827834c78097422599db
SHA12bbd9140a049c7c99e08c191e0154bb1650a18ee
SHA256a1842a1dae00cec0024b116cf20188f9bf75747820911dea43215ca4b66f3107
SHA512c6f023f7652114f6ace3cb6debd31f4dbb23ac6b167e81174e2fd73bfd393b6d82f08c40c8afbc83e703c2458443960695150d40beec2872158678bafc9f618e
-
Filesize
2KB
MD5d3d41590210f105024d434cb56d6cc0a
SHA1b794e698c0fd06f96bb5844fa830b4628dcfeb20
SHA256bcf758cd924313e4ec32e21857d24a4c5a89b98a2ec9a5fe73eee232c6433549
SHA512d3f419f6c35ea173fa941f3c84e3118c9d08536569411b7552eba72feceafaadd5b430709757a75cb7f04cda012b34ba784b79669adcff0373418b1d0702489e
-
Filesize
233B
MD5cd4326a6fd01cd3ca77cfd8d0f53821b
SHA1a1030414d1f8e5d5a6e89d5a309921b8920856f9
SHA2561c59482111e657ef5190e22de6c047609a67e46e28d67fd70829882fd8087a9c
SHA51229ce5532fb3adf55caa011e53736507fbf241afee9d3ca516a1d9bffec6e5cb2f87c4cd73e4da8c33b8706f96ba3b31f13ce229746110d5bd248839f67ec6d67
-
Filesize
897KB
MD571cf589293424c4389202c7f1752fb2d
SHA16103d9f6bf95c772c8b7ee89aee370cdca4642f8
SHA256071b0d3a08503a8b88aeeda1d20f371a563377028f6e252dc66cce60ab8f823e
SHA512893ad57ffa14912ce51e33461f9786d6976ea6d57ef66cf74b6e1fcc97ce9aa5a49632d73c84bf575256234b6ac3df2451976846dafa2fe34668bea7295bdd17
-
Filesize
4KB
MD5004035ca98f40db1ae2ea4d24a439ff1
SHA1b141241c35b58f5c77838ad91fc098ea3922abff
SHA256304dce0a4711a788230ddda55886ab3df3aa069e647f477ff5d98d7e3f41d1e0
SHA51258894ac984a328da560e2d46bbf41566ec5aae57c89ab0c25ae9b2902767349ea9f601240d831526d0aecca8e27d8cffdd2b11c76874fd68281f00a83c5dd426
-
Filesize
5KB
MD59b414a201c408ed1e25dc0af31e88b21
SHA10a70136537cb0ce691b11306ff98b3ef127ca6a4
SHA256ad5b1e46b4308495797ea9f82b30a59156b258c248bc25b87968be48cd38864a
SHA51271b4acb7a13f2d9fa2b4915aa265e60514e6a6cc30bb2ccea9f9903ebe81e2098fd54a8c265e17128b7dacf931551e4a50673fb8495600b4a325b9d65e120ed1
-
Filesize
37KB
MD5f156a4a8ffd8c440348d52ef8498231c
SHA14d2f5e731a0cc9155220b560eb6560f24b623032
SHA2567c3ca3161b9061c9b1ff70f401d9f02b2d01267bc76cbfcbc397a5aec60d4842
SHA51248f3c273f072a8c3c73a1b835ed320a6b8962c2f8b5037a3b6c1bea5431b17d9c03e8d771cc205bbc067975c78307f2306c55dbc4c72e0a7c15c6b17b3afa170
-
Filesize
37KB
MD53bc9acd9c4b8384fb7ce6c08db87df6d
SHA1936c93e3a01d5ae30d05711a97bbf3dfa5e0921f
SHA256a3d7de3d70c7673e8af7275eede44c1596156b6503a9614c47bad2c8e5fa3f79
SHA512f8508376d9fb001bce10a8cc56da5c67b31ff220afd01fb57e736e961f3a563731e84d6a6c046123e1a5c16d31f39d9b07528b64a8f432eac7baa433e1d23375
-
Filesize
37KB
MD51f8c95b97229e09286b8a531f690c661
SHA1b15b21c4912267b41861fb351f192849cca68a12
SHA256557a903f0f2177e3e62b1a534dee554cf2eff3dd3991bc2310f064bf9c7d2152
SHA5120f0e5b85b6ef73ecebcd70ca90ce54c019eec1ea99966c469f357dd3393d0067f591b3690fe0b7922d7ba4aa25ebefd76a092d28c3377e6035720f8630a1a186
-
Filesize
20.6MB
MD53520d7e8299414c10d7cfcb39f7f6652
SHA14162a2d03319d3f90b4edb3ea318f2d233ff23b6
SHA2564a666ac194789d8f18fdfb714c1cf10d402eab7a567b92a965f163ea9d524b4d
SHA512934944d3cb40a3409074255ae9a975f55c1673fad3705feb2b38e2572af84679d1c51c785d2f08ea02ecd1679d823fe28aece5d29b66e113b580b370669cf0d8
-
Filesize
2.7MB
MD53e7733cc345452bfa3e16b4b49bc2224
SHA11287a71a8fc40221ab694ffc6621d16d93d7eb37
SHA256924e7469f83b248289fe935c9f7ac96b2486f7c0544cdcf2f38a038472bab13a
SHA5120eca2c10f6074d970ddd97e6abf55fbed2f35d6bb0380e6efea98903ef376668bc827fd9846ca27571623c72dd98e9c44fefcc3e489da177a5cd021e8bcffc0a
-
Filesize
18.8MB
MD5c06e78d8f48d832d55e858933c9a4f38
SHA130e2a9e2afd2861e529ad29fd67051fc288c7a6b
SHA2561a898df11a7c41275549f86bf1bc09e8af90ccfc9e2651b2dd06b24e5a46635d
SHA5129187f0d7000a49896533637ad186ff92f0cab4b83cfefd768962a7f95299ce6c636a8471b86e75f31024cfbaa14d75951e2b560c63fbe7ec709580eeeb850639
-
Filesize
1KB
MD5b158589e9d41fdb331902eb0ba14f8e7
SHA12dd76f97e77429853526ed61f188eee78e18dc71
SHA256dc43f87dd520a0c57e4153ba90a5c76b94562a315372b5fc6afb3d20bdb45ce2
SHA512a2f19f588761dbec0a96fd84ee81bb6f4c7433a3d536432b182f578b5592998cc57c3586c7dbe6266f25386493fdef931048b9df62c14d6ce02f37fa478e442e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
14KB
MD59d5a0ef18cc4bb492930582064c5330f
SHA12ec4168fd3c5ea9f2b0ab6acd676a5b4a95848c8
SHA2568f5bbcc572bc62feb13a669f856d21886a61888fd6288afd066272a27ea79bb3
SHA5121dc3387790b051c3291692607312819f0967848961bc075799b5a2353efadd65f54db54ddf47c296bb6a9f48e94ec83086a4f8bf7200c64329a73fc7ec4340a4
-
Filesize
12KB
MD5efe44d9f6e4426a05e39f99ad407d3e7
SHA1637c531222ee6a56780a7fdcd2b5078467b6e036
SHA2565ea3b26c6b1b71edaef17ce365d50be963ae9f4cb79b39ec723fe6e9e4054366
SHA5128014b60cef62ff5c94bf6338ee3385962cfc62aaa6c101a607c592ba00aea2d860f52e5f52be2a2a3b35310f135548e8d0b00211bfcf32d6b71198f5d3046b63
-
Filesize
7KB
MD5ecffd3e81c5f2e3c62bcdc122442b5f2
SHA1d41567acbbb0107361c6ee1715fe41b416663f40
SHA2569874ab363b07dcc7e9cd6022a380a64102c1814343642295239a9f120cb941c5
SHA5127f84899b77e3e2c0a35fb4973f4cd57f170f7a22f862b08f01938cf7537c8af7c442ef2ae6e561739023f6c9928f93a59b50d463af6373ed344f68260bc47c76