hxxp://start-process PowerShell -verb runas

Analysis

max time kernel
1800s
max time network
1797s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
27-06-2024 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://start-process PowerShell -verb runas

Score

8^/10

microsoft defense_evasion discovery evasion execution persistence phishing privilege_escalation upx

Malware Config

Signatures

Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 9 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

3252 netsh.exe
452 netsh.exe
3440 netsh.exe
4592 netsh.exe
4668 netsh.exe
1892 netsh.exe
1948 netsh.exe
3036 netsh.exe
3544 netsh.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\nsrCAB6.tmp\nsNiuniuSkin.dll acprotect
Executes dropped EXE 6 IoCs

Processes:

inst.exeDeskIn_Setup.exeDeskIn.exeDeskIn.exeDeskIn.exeDeskIn.exe

pid process

1884 inst.exe
3712 DeskIn_Setup.exe
3020 DeskIn.exe
768 DeskIn.exe
1540 DeskIn.exe
2848 DeskIn.exe

pid	process
3252	netsh.exe
452	netsh.exe
3440	netsh.exe
4592	netsh.exe
4668	netsh.exe
1892	netsh.exe
1948	netsh.exe
3036	netsh.exe
3544	netsh.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nsrCAB6.tmp\nsNiuniuSkin.dll	acprotect

pid	process
1884	inst.exe
3712	DeskIn_Setup.exe
3020	DeskIn.exe
768	DeskIn.exe
1540	DeskIn.exe
2848	DeskIn.exe

Loads dropped DLL 45 IoCs

Processes:

DeskIn_Setup.exeDeskIn.exeDeskIn.exeDeskIn.exeDeskIn.exe

pid	process
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3020	DeskIn.exe
3020	DeskIn.exe
768	DeskIn.exe
1540	DeskIn.exe
2848	DeskIn.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\inst.i1R5AjIy.exe.part	upx
C:\Users\Admin\Downloads\inst.exe	upx
behavioral1/memory/1884-2607-0x0000000000AF0000-0x0000000000F34000-memory.dmp	upx
behavioral1/memory/1884-2616-0x0000000000AF0000-0x0000000000F34000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\nsrCAB6.tmp\nsNiuniuSkin.dll	upx
behavioral1/memory/3712-2638-0x00000000730D0000-0x00000000731DD000-memory.dmp	upx
behavioral1/memory/1884-2665-0x0000000000AF0000-0x0000000000F34000-memory.dmp	upx
behavioral1/memory/3712-2897-0x00000000730D0000-0x00000000731DD000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Detected potential entity reuse from brand microsoft.
phishing microsoft

Drops file in System32 directory 11 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SRU\SRUDB.dat	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.jfm	svchost.exe
File opened for modification	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{1b01c57d-3809-484f-acfc-5f2669a3d0d5}\snapshot.etl	svchost.exe
File opened for modification	C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin	svchost.exe
File opened for modification	C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-952492217-3293592999-1071733403-1000_UserData.bin	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.chk	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.log	svchost.exe
File created	C:\Windows\system32\NDF\{E917290A-74C6-4A46-8933-DB3BFDC08E2E}-temp-06272024-1035.etl	svchost.exe
File opened for modification	C:\Windows\system32\NDF\{E917290A-74C6-4A46-8933-DB3BFDC08E2E}-temp-06272024-1035.etl	svchost.exe
File created	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{1b01c57d-3809-484f-acfc-5f2669a3d0d5}\snapshot.etl	svchost.exe
File created	C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-952492217-3293592999-1071733403-1000_StartupInfo3.xml	svchost.exe

Drops file in Program Files directory 29 IoCs

Processes:

DeskIn.exeDeskIn_Setup.exe

description	ioc	process
File opened for modification	C:\Program Files\DeskIn\mmkv.default	DeskIn.exe
File created	C:\Program Files\DeskIn\drivers\cameramic\DeskInAudio.inf	DeskIn_Setup.exe
File created	C:\Program Files\DeskIn\drivers\cameramic\virtual_camera_x64.dll	DeskIn_Setup.exe
File created	C:\Program Files\DeskIn\drivers\screen\DeskInIdd.dll	DeskIn_Setup.exe
File created	C:\Program Files\DeskIn\drivers\vhid\deskinvhid.cat	DeskIn_Setup.exe
File created	C:\Program Files\DeskIn\drivers\vhid\DeskInVhid.inf	DeskIn_Setup.exe
File created	C:\Program Files\DeskIn\drivers\cameramic\deskinaudio.cat	DeskIn_Setup.exe
File opened for modification	C:\Program Files\DeskIn\config.ini	DeskIn.exe
File created	C:\Program Files\DeskIn\zrtc.dll	DeskIn_Setup.exe
File created	C:\Program Files\DeskIn\drivers\cameramic\virtual_camera_x86.dll	DeskIn_Setup.exe
File created	C:\Program Files\DeskIn\uninst.exe	DeskIn_Setup.exe
File created	C:\Program Files\DeskIn\drivers\cameramic\devcon.exe	DeskIn_Setup.exe
File created	C:\Program Files\DeskIn\drivers\gamepad\deskinvgbus.cat	DeskIn_Setup.exe
File created	C:\Program Files\DeskIn\drivers\gamepad\devcon.exe	DeskIn_Setup.exe
File created	C:\Program Files\DeskIn\drivers\vhid\devcon.exe	DeskIn_Setup.exe
File created	C:\Program Files\DeskIn\drivers\screen\DeskInIdd.inf	DeskIn_Setup.exe
File created	C:\Program Files\DeskIn\drivers\cameramic\DeskInAudio.sys	DeskIn_Setup.exe
File created	C:\Program Files\DeskIn\drivers\screen\deskinidd.cat	DeskIn_Setup.exe
File created	C:\Program Files\DeskIn\drivers\vhid\DeskInVhid.dll	DeskIn_Setup.exe
File created	C:\Program Files\DeskIn\DeskIn.exe	DeskIn_Setup.exe
File created	C:\Program Files\DeskIn\config.ini	DeskIn.exe
File created	C:\Program Files\DeskIn\Logs\sdkserviceaylnlfdx_2024_06_27.log	DeskIn.exe
File created	C:\Program Files\DeskIn\Logs\zrtcservicefircvscx_2024_06_27.log	DeskIn.exe
File opened for modification	C:\Program Files\DeskIn\mmkv.default.crc	DeskIn.exe
File created	C:\Program Files\DeskIn\CrashReport.exe	DeskIn_Setup.exe
File created	C:\Program Files\DeskIn\drivers\gamepad\DeskInVGBus.inf	DeskIn_Setup.exe
File created	C:\Program Files\DeskIn\drivers\gamepad\DeskInVGBus.sys	DeskIn_Setup.exe
File created	C:\Program Files\DeskIn\drivers\screen\devcon.exe	DeskIn_Setup.exe
File created	C:\Program Files\DeskIn\Logs\servicephqghume_2024_06_27.log	DeskIn.exe

Drops file in Windows directory 4 IoCs

Processes:

UserOOBEBroker.exe

description	ioc	process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

1516 sc.exe
4492 sc.exe
4852 sc.exe
2692 sc.exe
Access Token Manipulation: Create Process with Token 1 TTPs 2 IoCs
defense_evasion privilege_escalation

Create Process with Token
T1134.002

Processes:

firefox.exefirefox.exe

pid process

880 firefox.exe
3628 firefox.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1516	sc.exe
4492	sc.exe
4852	sc.exe
2692	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 33 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

1900 ipconfig.exe

pid	process
1900	ipconfig.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

chrome.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133639581143264659"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 13 IoCs

Processes:

DeskIn_Setup.exefirefox.exeMiniSearchHost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DeskIn	DeskIn_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DeskIn\shell\open	DeskIn_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DeskIn\ = "FPProtocol"	DeskIn_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DeskIn\shell\	DeskIn_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DeskIn\shell\open\	DeskIn_Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DeskIn\shell\open\command\ = "\"C:\\Program Files\\DeskIn\\DeskIn.exe\" \"%1\""	DeskIn_Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DeskIn\URL Protocol = "C:\\Program Files\\DeskIn\\DeskIn.exe"	DeskIn_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DeskIn\DefaultIcon	DeskIn_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DeskIn\DefaultIcon\ = "C:\\Program Files\\DeskIn\\DeskIn.exe,0"	DeskIn_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DeskIn\shell	DeskIn_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DeskIn\shell\open\command	DeskIn_Setup.exe

NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\inst.exe:Zone.Identifier firefox.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

DeskIn.exe

pid process

2848 DeskIn.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\inst.exe:Zone.Identifier	firefox.exe

pid	process
2848	DeskIn.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DeskIn_Setup.exeDeskIn.exe

pid	process
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
3712	DeskIn_Setup.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe
768	DeskIn.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

Processes:

msedge.exechrome.exe

pid	process
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5500	chrome.exe
5500	chrome.exe
5500	chrome.exe
5500	chrome.exe
5500	chrome.exe
5500	chrome.exe
5500	chrome.exe
5500	chrome.exe
5500	chrome.exe
5500	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

firefox.exeDeskIn_Setup.exeDeskIn.exeDeskIn.exeDeskIn.exeDeskIn.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	880	firefox.exe
Token: SeDebugPrivilege	880	firefox.exe
Token: SeDebugPrivilege	880	firefox.exe
Token: SeDebugPrivilege	880	firefox.exe
Token: SeDebugPrivilege	880	firefox.exe
Token: SeDebugPrivilege	880	firefox.exe
Token: SeDebugPrivilege	880	firefox.exe
Token: SeDebugPrivilege	3712	DeskIn_Setup.exe
Token: SeDebugPrivilege	3712	DeskIn_Setup.exe
Token: SeDebugPrivilege	3712	DeskIn_Setup.exe
Token: SeDebugPrivilege	3712	DeskIn_Setup.exe
Token: SeDebugPrivilege	3712	DeskIn_Setup.exe
Token: SeDebugPrivilege	3712	DeskIn_Setup.exe
Token: SeDebugPrivilege	3712	DeskIn_Setup.exe
Token: SeDebugPrivilege	3712	DeskIn_Setup.exe
Token: SeDebugPrivilege	3712	DeskIn_Setup.exe
Token: SeDebugPrivilege	3712	DeskIn_Setup.exe
Token: SeDebugPrivilege	3712	DeskIn_Setup.exe
Token: SeDebugPrivilege	3712	DeskIn_Setup.exe
Token: SeDebugPrivilege	3712	DeskIn_Setup.exe
Token: SeDebugPrivilege	3712	DeskIn_Setup.exe
Token: SeDebugPrivilege	3712	DeskIn_Setup.exe
Token: SeDebugPrivilege	3020	DeskIn.exe
Token: SeDebugPrivilege	768	DeskIn.exe
Token: SeDebugPrivilege	1540	DeskIn.exe
Token: SeDebugPrivilege	2848	DeskIn.exe
Token: SeShutdownPrivilege	2848	DeskIn.exe
Token: SeCreatePagefilePrivilege	2848	DeskIn.exe
Token: SeShutdownPrivilege	2848	DeskIn.exe
Token: SeCreatePagefilePrivilege	2848	DeskIn.exe
Token: SeShutdownPrivilege	2848	DeskIn.exe
Token: SeCreatePagefilePrivilege	2848	DeskIn.exe
Token: SeShutdownPrivilege	2848	DeskIn.exe
Token: SeCreatePagefilePrivilege	2848	DeskIn.exe
Token: SeShutdownPrivilege	2848	DeskIn.exe
Token: SeCreatePagefilePrivilege	2848	DeskIn.exe
Token: SeShutdownPrivilege	2848	DeskIn.exe
Token: SeCreatePagefilePrivilege	2848	DeskIn.exe
Token: SeShutdownPrivilege	2848	DeskIn.exe
Token: SeCreatePagefilePrivilege	2848	DeskIn.exe
Token: SeShutdownPrivilege	2848	DeskIn.exe
Token: SeCreatePagefilePrivilege	2848	DeskIn.exe
Token: SeShutdownPrivilege	2848	DeskIn.exe
Token: SeCreatePagefilePrivilege	2848	DeskIn.exe
Token: SeShutdownPrivilege	2848	DeskIn.exe
Token: SeCreatePagefilePrivilege	2848	DeskIn.exe
Token: SeShutdownPrivilege	2848	DeskIn.exe
Token: SeCreatePagefilePrivilege	2848	DeskIn.exe
Token: SeDebugPrivilege	880	firefox.exe
Token: SeDebugPrivilege	880	firefox.exe
Token: SeDebugPrivilege	880	firefox.exe
Token: SeDebugPrivilege	880	firefox.exe
Token: SeShutdownPrivilege	5500	chrome.exe
Token: SeCreatePagefilePrivilege	5500	chrome.exe
Token: SeShutdownPrivilege	5500	chrome.exe
Token: SeCreatePagefilePrivilege	5500	chrome.exe
Token: SeShutdownPrivilege	5500	chrome.exe
Token: SeCreatePagefilePrivilege	5500	chrome.exe
Token: SeShutdownPrivilege	5500	chrome.exe
Token: SeCreatePagefilePrivilege	5500	chrome.exe
Token: SeShutdownPrivilege	5500	chrome.exe
Token: SeCreatePagefilePrivilege	5500	chrome.exe
Token: SeShutdownPrivilege	5500	chrome.exe
Token: SeCreatePagefilePrivilege	5500	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

firefox.exeDeskIn.exemsedge.exechrome.exe

pid	process
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
2848	DeskIn.exe
2848	DeskIn.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5500	chrome.exe
5500	chrome.exe
5500	chrome.exe
5500	chrome.exe
5500	chrome.exe
5500	chrome.exe
5500	chrome.exe
5500	chrome.exe
5500	chrome.exe
5500	chrome.exe
5500	chrome.exe
5500	chrome.exe
5500	chrome.exe
5500	chrome.exe

Suspicious use of SendNotifyMessage 47 IoCs

Processes:

firefox.exeDeskIn.exemsedge.exechrome.exe

pid	process
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
880	firefox.exe
2848	DeskIn.exe
2848	DeskIn.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5500	chrome.exe
5500	chrome.exe
5500	chrome.exe
5500	chrome.exe
5500	chrome.exe
5500	chrome.exe
5500	chrome.exe
5500	chrome.exe
5500	chrome.exe
5500	chrome.exe
5500	chrome.exe
5500	chrome.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

firefox.exeDeskIn.exeDeskIn.exeDeskIn.exeDeskIn.exeMiniSearchHost.exeSystemSettingsAdminFlows.exe

pid process

880 firefox.exe
880 firefox.exe
880 firefox.exe
880 firefox.exe
3020 DeskIn.exe
768 DeskIn.exe
1540 DeskIn.exe
2848 DeskIn.exe
2848 DeskIn.exe
5240 MiniSearchHost.exe
6432 SystemSettingsAdminFlows.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 3628 wrote to memory of 880	3628	firefox.exe	firefox.exe
PID 3628 wrote to memory of 880	3628	firefox.exe	firefox.exe
PID 3628 wrote to memory of 880	3628	firefox.exe	firefox.exe
PID 3628 wrote to memory of 880	3628	firefox.exe	firefox.exe
PID 3628 wrote to memory of 880	3628	firefox.exe	firefox.exe
PID 3628 wrote to memory of 880	3628	firefox.exe	firefox.exe
PID 3628 wrote to memory of 880	3628	firefox.exe	firefox.exe
PID 3628 wrote to memory of 880	3628	firefox.exe	firefox.exe
PID 3628 wrote to memory of 880	3628	firefox.exe	firefox.exe
PID 3628 wrote to memory of 880	3628	firefox.exe	firefox.exe
PID 3628 wrote to memory of 880	3628	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 1064	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 4920	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 4920	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 4920	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 4920	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 4920	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 4920	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 4920	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 4920	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 4920	880	firefox.exe	firefox.exe
PID 880 wrote to memory of 4920	880	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://start-process PowerShell -verb runas"
1⤵
- Access Token Manipulation: Create Process with Token
- Suspicious use of WriteProcessMemory
PID:3628

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://start-process PowerShell -verb runas"
2⤵
- Access Token Manipulation: Create Process with Token
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:880

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="880.0.1856255246\702693231" -parentBuildID 20230214051806 -prefsHandle 1772 -prefMapHandle 1764 -prefsLen 22164 -prefMapSize 235091 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1dc15a7-d565-4e79-85f8-d0a5b7101cb2} 880 "\\.\pipe\gecko-crash-server-pipe.880" 1860 126d651f858 gpu
3⤵
PID:1064

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="880.1.454433152\1207083985" -parentBuildID 20230214051806 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 22200 -prefMapSize 235091 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10b528c4-7462-4c81-af7c-ba88e4035255} 880 "\\.\pipe\gecko-crash-server-pipe.880" 2384 126c218a958 socket
3⤵
PID:4920

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="880.2.965269961\1410344987" -childID 1 -isForBrowser -prefsHandle 2928 -prefMapHandle 2976 -prefsLen 22238 -prefMapSize 235091 -jsInitHandle 1136 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d7655bc-9b2e-4ea0-ad9d-325b4adf4324} 880 "\\.\pipe\gecko-crash-server-pipe.880" 2896 126d8ce8258 tab
3⤵
PID:1568

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="880.3.1703235157\1084541428" -childID 2 -isForBrowser -prefsHandle 3652 -prefMapHandle 3648 -prefsLen 27612 -prefMapSize 235091 -jsInitHandle 1136 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52cc100f-0a2c-474e-b6cd-18fa5aaf5eab} 880 "\\.\pipe\gecko-crash-server-pipe.880" 3664 126c217be58 tab
3⤵
PID:740

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="880.4.525826222\1795068424" -childID 3 -isForBrowser -prefsHandle 5028 -prefMapHandle 5148 -prefsLen 27536 -prefMapSize 235091 -jsInitHandle 1136 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea432d8b-6c02-42ab-ae2d-3fc4326fd1f0} 880 "\\.\pipe\gecko-crash-server-pipe.880" 5176 126de4d2d58 tab
3⤵
PID:4312

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="880.5.1216141567\2039910151" -childID 4 -isForBrowser -prefsHandle 5340 -prefMapHandle 5348 -prefsLen 27536 -prefMapSize 235091 -jsInitHandle 1136 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b5e7c8d-db60-404a-9b02-b07e109d0aa6} 880 "\\.\pipe\gecko-crash-server-pipe.880" 5312 126de4d3058 tab
3⤵
PID:5084

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="880.6.71555748\1367891163" -childID 5 -isForBrowser -prefsHandle 5328 -prefMapHandle 5332 -prefsLen 27536 -prefMapSize 235091 -jsInitHandle 1136 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b5fdcc6-d89e-4880-aba0-75e7ef47c4da} 880 "\\.\pipe\gecko-crash-server-pipe.880" 5412 126de4d3358 tab
3⤵
PID:5044

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="880.7.316420047\6401215" -childID 6 -isForBrowser -prefsHandle 4940 -prefMapHandle 4936 -prefsLen 27615 -prefMapSize 235091 -jsInitHandle 1136 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {227c9033-4c6e-4c1a-b5b3-558385ae4b2b} 880 "\\.\pipe\gecko-crash-server-pipe.880" 3544 126dd087e58 tab
3⤵
PID:3232

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="880.8.1473700938\2017668766" -childID 7 -isForBrowser -prefsHandle 4908 -prefMapHandle 4904 -prefsLen 31140 -prefMapSize 235091 -jsInitHandle 1136 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33473fee-5c4c-4346-bc8a-62023f3384d0} 880 "\\.\pipe\gecko-crash-server-pipe.880" 5876 126dd1ba158 tab
3⤵
PID:228

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="880.9.604856815\277102748" -childID 8 -isForBrowser -prefsHandle 5476 -prefMapHandle 5492 -prefsLen 31158 -prefMapSize 235091 -jsInitHandle 1136 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2030f02-9739-4124-98a7-ded9c4da6ac6} 880 "\\.\pipe\gecko-crash-server-pipe.880" 5464 126dc1df558 tab
3⤵
PID:732

C:\Users\Admin\Downloads\inst.exe
"C:\Users\Admin\Downloads\inst.exe"
3⤵
- Executes dropped EXE
PID:1884

C:\Users\Admin\Downloads\DeskIn_Setup.exe
"C:\Users\Admin\Downloads\DeskIn_Setup.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c sc stop DeskIn_Service
5⤵
PID:3240

C:\Windows\SysWOW64\sc.exe
sc stop DeskIn_Service
6⤵
- Launches sc.exe
PID:1516

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c sc delete DeskIn_Service
5⤵
PID:4608

C:\Windows\SysWOW64\sc.exe
sc delete DeskIn_Service
6⤵
- Launches sc.exe
PID:4492

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c sc stop DeskIn_Service
5⤵
PID:4784

C:\Windows\SysWOW64\sc.exe
sc stop DeskIn_Service
6⤵
- Launches sc.exe
PID:4852

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c sc delete DeskIn_Service
5⤵
PID:2032

C:\Windows\SysWOW64\sc.exe
sc delete DeskIn_Service
6⤵
- Launches sc.exe
PID:2692

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="DeskIn"
5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1948

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="DeskIn_Service"
5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3036

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="DeskIn_Session"
5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3252

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="DeskIn" dir=in program="C:\Program Files\DeskIn\DeskIn.exe" edge=yes action=allow
5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3544

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="DeskIn" dir=out program="C:\Program Files\DeskIn\DeskIn.exe" action=allow
5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4592

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="DeskIn_Service" dir=in program="C:\Program Files\DeskIn\DeskIn_Service.exe" edge=yes action=allow
5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:452

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="DeskIn_Service" dir=out program="C:\Program Files\DeskIn\DeskIn_Service.exe" action=allow
5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3440

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="DeskIn_Session" dir=in program="C:\Program Files\DeskIn\DeskIn_Session.exe" edge=yes action=allow
5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4668

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="DeskIn_Session" dir=out program="C:\Program Files\DeskIn\DeskIn_Session.exe" action=allow
5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1892

C:\Program Files\DeskIn\DeskIn.exe
"C:\Program Files\DeskIn\DeskIn.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3020

C:\Program Files\DeskIn\DeskIn.exe
"C:\Program Files\DeskIn\DeskIn.exe" --runservice
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:768

C:\Program Files\DeskIn\DeskIn.exe
"C:\Program Files\DeskIn\DeskIn.exe" --hide --localPort=45600
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1540

C:\Program Files\DeskIn\DeskIn.exe
"C:\Program Files\DeskIn\DeskIn.exe" --show --localPort=45600
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2848

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2856

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:5976

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:5944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:1440

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:5084

C:\Windows\system32\CredentialEnrollmentManager.exe
C:\Windows\system32\CredentialEnrollmentManager.exe
1⤵
PID:556

C:\Windows\system32\CredentialEnrollmentManager.exe
C:\Windows\system32\CredentialEnrollmentManager.exe
1⤵
PID:2764

C:\Windows\system32\CredentialEnrollmentManager.exe
C:\Windows\system32\CredentialEnrollmentManager.exe
1⤵
PID:5456

C:\Windows\system32\CredentialEnrollmentManager.exe
C:\Windows\system32\CredentialEnrollmentManager.exe
1⤵
PID:804

C:\Windows\system32\CredentialEnrollmentManager.exe
C:\Windows\system32\CredentialEnrollmentManager.exe
1⤵
PID:4328

C:\Windows\system32\CredentialEnrollmentManager.exe
C:\Windows\system32\CredentialEnrollmentManager.exe
1⤵
PID:5124

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2149241
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff9ff8f3cb8,0x7ff9ff8f3cc8,0x7ff9ff8f3cd8
2⤵
PID:2028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,13677637158470204225,295212082145951018,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
2⤵
PID:1396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,13677637158470204225,295212082145951018,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
2⤵
PID:3420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,13677637158470204225,295212082145951018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
2⤵
PID:4576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13677637158470204225,295212082145951018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
2⤵
PID:2428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13677637158470204225,295212082145951018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
2⤵
PID:1840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13677637158470204225,295212082145951018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
2⤵
PID:5680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,13677637158470204225,295212082145951018,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
2⤵
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13677637158470204225,295212082145951018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
2⤵
PID:1488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13677637158470204225,295212082145951018,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
2⤵
PID:1604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2764

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" RemoteDesktopTurnOnRdp
1⤵
- Suspicious use of SetWindowsHookEx
PID:6432

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:6672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
1⤵
PID:6868

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:7024

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:6188

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:6268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa126aab58,0x7ffa126aab68,0x7ffa126aab78
2⤵
PID:1604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1556 --field-trial-handle=1752,i,16088788403133716432,11310597306272626568,131072 /prefetch:2
2⤵
PID:6012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1752,i,16088788403133716432,11310597306272626568,131072 /prefetch:8
2⤵
PID:6388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2200 --field-trial-handle=1752,i,16088788403133716432,11310597306272626568,131072 /prefetch:8
2⤵
PID:6468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1752,i,16088788403133716432,11310597306272626568,131072 /prefetch:1
2⤵
PID:6456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3168 --field-trial-handle=1752,i,16088788403133716432,11310597306272626568,131072 /prefetch:1
2⤵
PID:6448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4240 --field-trial-handle=1752,i,16088788403133716432,11310597306272626568,131072 /prefetch:1
2⤵
PID:464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4388 --field-trial-handle=1752,i,16088788403133716432,11310597306272626568,131072 /prefetch:8
2⤵
PID:3292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4408 --field-trial-handle=1752,i,16088788403133716432,11310597306272626568,131072 /prefetch:8
2⤵
PID:1460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4528 --field-trial-handle=1752,i,16088788403133716432,11310597306272626568,131072 /prefetch:8
2⤵
PID:6676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=1752,i,16088788403133716432,11310597306272626568,131072 /prefetch:8
2⤵
PID:7036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4816 --field-trial-handle=1752,i,16088788403133716432,11310597306272626568,131072 /prefetch:8
2⤵
PID:3016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3876 --field-trial-handle=1752,i,16088788403133716432,11310597306272626568,131072 /prefetch:1
2⤵
PID:3108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5076 --field-trial-handle=1752,i,16088788403133716432,11310597306272626568,131072 /prefetch:1
2⤵
PID:6984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3356 --field-trial-handle=1752,i,16088788403133716432,11310597306272626568,131072 /prefetch:1
2⤵
PID:6928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3496 --field-trial-handle=1752,i,16088788403133716432,11310597306272626568,131072 /prefetch:8
2⤵
PID:7140

C:\Windows\system32\msdt.exe
-modal "394014" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDFFE17.tmp" -ep "NetworkDiagnosticsWeb"
2⤵
PID:3780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4244 --field-trial-handle=1752,i,16088788403133716432,11310597306272626568,131072 /prefetch:1
2⤵
PID:5248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=1452 --field-trial-handle=1752,i,16088788403133716432,11310597306272626568,131072 /prefetch:1
2⤵
PID:6828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=1724 --field-trial-handle=1752,i,16088788403133716432,11310597306272626568,131072 /prefetch:1
2⤵
PID:644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3248 --field-trial-handle=1752,i,16088788403133716432,11310597306272626568,131072 /prefetch:2
2⤵
PID:5688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=4480 --field-trial-handle=1752,i,16088788403133716432,11310597306272626568,131072 /prefetch:1
2⤵
PID:3884

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:6040

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
PID:3188

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3872

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4272

C:\Windows\system32\ipconfig.exe
"C:\Windows\system32\ipconfig.exe" /all
2⤵
- Gathers network information
PID:1900

C:\Windows\system32\ROUTE.EXE
"C:\Windows\system32\ROUTE.EXE" print
2⤵
PID:5536

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf
2⤵
PID:1820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Drops file in System32 directory
- Checks processor information in registry
PID:6172

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:4100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2976

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\winethc.dll",ForceProxyDetectionOnNextRun
2⤵
PID:4776

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\DeskIn\DeskIn.exe
Filesize
48.1MB

MD5
3860d9bff42db4b1f52704ae01833620

SHA1
cc9eb77bc82e0ab8e4fbaeef10e657ad5a83092d

SHA256
a4507976b46e9b2d494ffbcf058647a381e5999d183f20b946d099fc3c3b455f

SHA512
b7f72bb8559d135a92512a1f263fb6fe2afabc357b7ac535d4351ee79259531111d3959ebf52c7fc59b5fe6ab432f6814c4711b6d5f0f2e3623b5c625f3b5d5a

Download Submit
C:\Program Files\DeskIn\config.ini
Filesize
246B

MD5
1c24dcd6f807458ad5cdd2a184d9557b

SHA1
67a34b8c956b7ba3fd970a995abf44c692e1fe5a

SHA256
6257debe24a250483450bfa5d7ea5240ce13bc84e47067f9154be9763faced1c

SHA512
cd9f0219bf7efc484af611f80f573227788ab8fa55381e67ce331fb9deab65e1d5405a8bae5917f7de23b98e759a633b44e3f2eceab1a69863ee429610541f8f

Download Submit
C:\Program Files\DeskIn\config.ini
Filesize
550B

MD5
041d2b12e322f7e6a464ce771f36df61

SHA1
61aa03754aea66153a497331dc5390424cdd3c10

SHA256
7a4ad98c5ce030a9b63858f50ff9db391583cc3822a87dd9fb7c2d5f4fd027ab

SHA512
078081da2ccf012fc9bf235ac435becb46951c7d31f75cdd9391a442e3a6497e55a3e598e597563b042c2a0de3c492fc9369f8d66958393baa4fa11d143182fe

Download Submit
C:\Program Files\DeskIn\config.ini
Filesize
610B

MD5
dd788794dd5ed629eafc98d7e60a4966

SHA1
de1cf92ad397592e94db1c2cdb49f7734f0280c6

SHA256
70fc00ba91593bcdb1e40a7f283b4b227b1863d574977f118f346296ecc12855

SHA512
d48160e11395cfa42916dd9f08dd7400a0ede8b0a860100ad835bb9f9b18642ab0bbfa39c7af19e2dd08a2b1764c4a28be9f3725e0716f4483de989aa7dbe80a

Download Submit
C:\Program Files\DeskIn\drivers\cameramic\devcon.exe
Filesize
81KB

MD5
816c4e245b286b4e4903131f75a94948

SHA1
eda70c1fc8a461efb0e376d42e35a72b96175e4d

SHA256
aca1bda08690dcca930254f96f9185c776671a85a58ffa1b59cf16017546f218

SHA512
d0dc74956c57403c0638e6595aaf1c2eb75233997a15170b064261a5d3f1f525a3e35e13fef04c36cc20fd1d5d1cf000a5fb7a646bf2cf1cea73817e5d3335b3

Download Submit
C:\Program Files\DeskIn\uninst.exe
Filesize
1.4MB

MD5
cce31c5665375b2300b29737ed4637ad

SHA1
810dfe7b01328280f5de09ff38fbd69e9623d3ef

SHA256
e02b6acc57fbe70429b8e4db30502e1d3766f0df6e9bb1babbc535db59cfebc8

SHA512
6da64eb5c81323c2fe98e39326468d2a1c38ab3872acd79cf94be8edb2491b4c596f1515a2cbee0522edd51a6b93bcb735118269721666b92775547052bb8db0

Download Submit
C:\Program Files\DeskIn\zrtc.dll
Filesize
47.7MB

MD5
149268dcf3df3fe67e150aa0d407a10f

SHA1
0eef97274887716733efa194f094802aaf8f42c2

SHA256
d1e01343943f92bd51bbf8d9a5f354a1b8380fbdb9853ea309a2bf0855bd5377

SHA512
b28cd0d9eb4e383e5b715aaf8947ea77f6334ca5a9b6ac3d725b0490a7a189a82e87e275c612dd6235a3a6643eb58d33203fff86eeeaeb04e19c063815bd9bf9

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024062710.000\NetworkDiagnostics.debugreport.xml
Filesize
210KB

MD5
4f1cc1f49b374edb6a92c66b4b5df969

SHA1
503988c0b3c5b9642f666a38bb08e49bb3ad3cba

SHA256
1aa1ca8638783d0a37be0ec6af0670fc4a69b0b256725a26020172959c9bdf62

SHA512
2a759ee2e1e775cd9610e22f8b544658e09543d3d0041141e57a4eed7d15904610035d63ec66b02cc551ad61c9a91107379fb0d1dc82d644bae7a2d92c50b075

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024062710.000\ResultReport.xml
Filesize
37KB

MD5
82c1d6c6a84dad14450e7e20ab2cbfb8

SHA1
68706a9e85ea48102482ff990324b6edd2d0419a

SHA256
94c154e52ba310cc4b0e77757d8acf30b77de1901b5ea41b5eff449215acd7f8

SHA512
b106b993657c8d8701b86d56b976fbaa5a8867df54833af93a848dbec83423aa79a2786c61e1df81cc2b120465d6c7d8f8856af3fb82ddce0159194b480368c5

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024062710.000\results.xsl
Filesize
47KB

MD5
90df783c6d95859f3a420cb6af1bafe1

SHA1
3fe1e63ca5efc0822fc3a4ae862557238aa22f78

SHA256
06db605b5969c93747313e6409ea84bdd8b7e1731b7e6e3656329d77bcf51093

SHA512
e5dcbb7d8f42eabf42966fccee11c3d3e3f965ecc7a4d9e4ecd0382a31c4e8afea931564b1c6931f6d7e6b3650dc01a4a1971e317dab6c1f03932c6b6b7d399f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
bdcb29a3c29540b1247758b2a86ce6c0

SHA1
fa859e83429fc87a22a063ed82ae917adb627591

SHA256
119e00fb8ba83ac57dab45eb0666155013f44d5c7b498ec0c9c9e58cee6a99c9

SHA512
1a69343cd23e93c1260d8ebbefab5be186df9bae952fa806967de59cb5662b783d24d3e70e325f1199027a3df924b896c220fc374a76c70ed7b4e73a61dbdbb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
192c197cfede9a169210249667f3ac89

SHA1
27bdcaea54b1d7ed10dcd34338e699eb0ce23696

SHA256
45268e9d03947ab15bff3946c9c5124717fc96ec675d02180d18f825af4c140e

SHA512
10d0a279d605620e848e38d226ea993116e54e9617ab8b51b2805e22b5840016b326fd499677d2e43c88e96cd01766f92dd8a2001d7c2854fb69a544418055de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
bbec8e64261b8eb586f231aca9cee351

SHA1
3f819c7144d91635e51943089a9edc4f6c0c3052

SHA256
6e90763e4a23d3411f9876df9aba2beb488eccd5ef2acb440196107d43fd8567

SHA512
17a52ecaf235216d74f61c72bcfa165101775d4348ce080f2f53c42f8e7d35bacdc0a3b133b70e0167064f86f386dcd8aac352cc27699d0edd346dd89a8ff022

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
c2e545a0115a4b60863588de62e7b9d4

SHA1
273b16e1eab1ceca2abfcb7543afc2f1618811bd

SHA256
2d36a0cef1752a3fbb880525458422ffb478753e38af28fcd7af2da02df6dff5

SHA512
afdc60c4a9ab0d429c4d020851456b26ab6be0a42a58a5a7076183ab8f03531024f85a19256033c5bf7de664df623e5f16661e53690e6e3e3f40f349373f21b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
edf2570d2830d74a07f9256670b81a5f

SHA1
d5038476c53eaeb79aa8948bf3dcc4b2d09541e9

SHA256
67fb2789e55f30b09451e6b59373493f1249b79f4c9e4efcb55e9c2c78bb6445

SHA512
0f733c943140d007c5325b42a47d174d09479c48331a5798e1f4d719d36f45416ac5d995729c43e95a491cd5a43b546ab40cdcede41d57a38b28405feab9942d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
281KB

MD5
05b19c20f4d74fc79f3414e20900846e

SHA1
fa705d9ba67366dab46c78cbf4150285169fd9eb

SHA256
045e80cebfc8c8327f13c9cf86cea419346d29c841f177474634df9ef322af37

SHA512
ffc7c3dce558ff42d02990cd8c14925a7406200bc967fc9901c3d7e329251b127d41b2ad2c24ecf2ef7f3422a2590781a8f655d301af73a92a3036d81a04eed6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
84KB

MD5
db5a19ffc10ceb4fab8935d360678c95

SHA1
bcc2de0d66664ed92735c7c0833bb15834a53328

SHA256
e5575d20f471538450266a883f56e70c4af9705dc20fa988f21d1203da23f3ef

SHA512
69679a07de303048f32ca9b8b2d379e6f3f11313d8d6bd93e483880ebbc25f503c2317a9f4d685cc176602d65381a1d6fd15e8e8b0d5574873037f9892ca3881

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe652537.TMP
Filesize
83KB

MD5
ac0eb621891f9356375330b13713aec9

SHA1
7f7721a416e3910e8cdba737e1bce9a9b623deb3

SHA256
0ab6f90bc2432c62a930db1d1dcec5484664659ff24107375f4b4b4bdac4d574

SHA512
bc1e707f88b15568c6f9fdaece964df7ba34835a8d9e73e79cac498fca8f32b33b7734527a6e9119137567f2da81b50509a1eb593f3552dc0984d7f8b9172d32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
46bfadfc09e91238fe82de0fe30d91d2

SHA1
5da9d92d08803a52c63c1b96c6027e603e5fc3ef

SHA256
99733b0f1fec41252c1cf23c4a77b60aa371815f1c4c6fca5b0f81e81edf0f1d

SHA512
594994c4261e410c895b7f9b83562cd35eff449acb8fe1c124939a9e6c6fb8153516aff2445719fb73e8ba9df98c425ab30f247aa30571fc4d9cf2979f7582ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6c9e5afa53a396c5663f22632a417d09

SHA1
d0ab4eae378aafc7dfbf87e22a3113a642f0633a

SHA256
50ded1ff4676a285d97aca12244287f807e5c9dc5d258a63fb22a248557fb9b1

SHA512
543d694c98ef09020792e911313b31da77233a39d7de4d7ebe320bbd82b6c830f86983bbd5642b6c546b50de90e1644b80e2fb8400dd95800ec7c44bc17947e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
120B

MD5
6f42a25bef5be621fbf48435904b2546

SHA1
183c6010569323325bf52960042964e1c6d02c72

SHA256
773ab41815173252826424b9b3ce5110cf640d91782b82467f0878ee5da517e1

SHA512
524ce956c65f33588d2907ed85efb8d493ddad97a21e170a13ed2794b44f4226d952883824e8473e4cbea91d6fd44b6539ac4814db9fcaa731271cdbd19be414

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
280B

MD5
119b9326a3d87cf92a8e890d5bb2fa90

SHA1
c7456c480c5473a233b8e8e818ab98f4e30e1fa2

SHA256
75e2b144900db60104e0384f21393c1d99e211d8cbaedaba1a4e87c7b8540084

SHA512
4ca6654aa998491ef90420581291b8121c3c8b84653cd5806464dbddaba6ebe04ff970dc85be7428fb9879f03a02c8bc43488b278edf0b089862a0b9628b0a34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
4b8b1f1856a3a623091f043ab2d61ae8

SHA1
b71619fe26a4a73373bc3612fac3638c6255fd53

SHA256
7b48b9402588a28e46dd595d144fbd3d9ee58a2a76f23d5b3aa3136032ce369d

SHA512
0a4a3bcf483d2235ff82581bce48b9a859ec881842fa1d26cc28bd467f5d75e162607e4df0240444f35196de0e8b12605c92f563ede0086fdd76a557e2f34112

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
cece4042140749f32f0307820e976ae1

SHA1
33adce5e709799bf798dd210db776acd56ece87b

SHA256
06922713bb72c1778af3aa564bb94423fe8a6adee8344b03d662339278dde907

SHA512
efc4a37a010c31c64f4f030115c7e06cb35e2b9e3cf8f24fa799828f2a60fb898a303031b18e154df3779259a2ef117e355b5d2294c33acec585f30d22b702b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
25KB

MD5
cd6050d3a6e28fcc0a9df3e9f978f892

SHA1
7895b95d23de6bd2576f4a429ab578ce73f5cf6d

SHA256
89c9102fa54294c738a0a4ea65cb93f59033074669fcda7e59d09cdb552f9b0c

SHA512
02f866882c952386719a340be79817e79d22e1c040d8b7e13d52e511b4c1ac721731e0e039623027c0938d28dad36ecf6d6a7f969667bfd29884d24204a014cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
edf9f5559ceeb2a5831e76f32207f7e4

SHA1
f1df2a0b8b3b6cb8e7aa034658c43b6e4bb80fe4

SHA256
71cdcaff9d382bcbb248844c218e9e3678e74e634b154998486c361e7e629140

SHA512
48ec841422158aa3d18736fc80090ace855b384f6825de0fec5b2e5dc1b6aa213e91947872e8ed8480a3c0c88df2d4907c28b1a811189b44735f2a190210beee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
47e6db218318dcde4cdb3f471ee0d7f8

SHA1
db8113f866b886fd0e050e45e496ae60b85b7e76

SHA256
2405940561cdb0412799247646bf7c581e4396ea8231452cea8cc1489cc831bd

SHA512
e807c8ebb595dff9b54f96d0395bb7904bf9500b78eaea6ff3c7c435add82d5f604c766f428c14fb68fb72e8c4a33530ee7b7b5e6d4afcc930b26e600b296a9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-6-27.1029.5944.1.odl
Filesize
706B

MD5
3b8645a494af39f58216e3a2e5162e9e

SHA1
0b4da65f3d359e18099baa91a6420827cd55155c

SHA256
380328ecf766403b29c1994eec3eb3e2d2e9b3fbeac302864ca0580ba5d654b3

SHA512
3537b7e67ebd24233b8ff9e032cf43e96d8b943f91b335807fe26c269184a5b0b29f18a8f68ed6ef3415640615887609d5fcdd55ed273d252164cdec63a75963

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-6-27.1030.5084.1.odl
Filesize
706B

MD5
b20ea17543cc30ae3c6b74c95f41cdc3

SHA1
44a6a39656b67cf6a7b71ea12daa274e7363295f

SHA256
18df1eda32fa4c1e53050267d0644ed761cba5a8ac8dd64f7ac7789a471083fb

SHA512
9132e6cf2ed2789f4ce6f4e99b5d6a39b5ce103fa07b162613e766485ddb05f017b4c0db4194256de6a7386297ca7195af13eacc341080951306ee55bde08281

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xde90bbv.default-release\activity-stream.discovery_stream.json.tmp
Filesize
24KB

MD5
68905b47dc9be3f474079e087f0d0a20

SHA1
06d2d0a3f3c7e9d79f2d3c1f35be62692be5f94a

SHA256
38d31d7dd632424a9d34a6c5cf9bbfdf19a810bc8b188a235095ed75b30c41b5

SHA512
27733a852a5ece261be162f9119dcad1ea21c3749f655506233454358061b1bb37fc2c3eb501d8086e9fd24513a99cfb7ade0588e3f3c3970aebbfa5fc8c4d2f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xde90bbv.default-release\cache2\doomed\14230
Filesize
11KB

MD5
5a1d8df0a037c3c02a369eed6e5795ff

SHA1
aad3a0d03e5362b2bad303dd3d3cbb3b8a12e087

SHA256
b7b5aa9c7498ed74e5d158ae7ac3ae6f3503197add297fa30220b58175e94901

SHA512
612dda9c7c858992a204e58fa43f88c7a359954b99424bf036350bd89a1ad623b3594679359e8ff063fa704900f9d581a3e2359b7a6db84a7c810be42acd3cc2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xde90bbv.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize
13KB

MD5
c9edf392435f749c76962692287465ef

SHA1
471f988180953e9d04aded3e29a3e5799b6ba075

SHA256
652b6161e909a892482b4b8a7606b75ca5a6f7a3196a129b3760759c3f9a2575

SHA512
d7c8480f5ecb088734c49f49bae770b1ac157cd5def5d798afaa8443f9b9e61e032cd8bb655b09ea652f0f5f6f63a8049c692b76c8de1363f809a19a24a0f225

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xde90bbv.default-release\cache2\entries\97E21079D4338ED644D10F3CF8B6CCFD6F24DA5D
Filesize
60KB

MD5
a85d10b1a61fc0ec92b4b8bec11551fa

SHA1
d27a9bf2c3ce2d8645814eeae6aa54aa2be30caa

SHA256
0c90b68fadbe9096a0476ce6bf2b25fa10b1b00aa735b6c169d58e18ef7b5361

SHA512
0bdafa1a0786aabf36f888e8a44ad865c6f5b7d01711eb307a6febea63054b2b55abca2da06959b39c49a8e5997dfd3cd590ce87b74fc584a4a1fbea7903b21c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xde90bbv.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308
Filesize
9KB

MD5
7fc43767fe52d515a9ae11e808fe9a98

SHA1
659d323534845635abc3cb4fbbafdb706832be6a

SHA256
91c62e020aeff059de8691795f134939e0b13023b8b9c5ed26cf79cdee053dc2

SHA512
7a7cf96619fe29136889da6e466426a39d06b12a2a66caf458bb9a95e0c86276c188c8713b117564c6b05c94b294ac4785a394d4dc2f6f30912ec933a3e64ebc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xde90bbv.default-release\personality-provider\nb_model_build_attachment_arts_and_entertainment.json
Filesize
67KB

MD5
6c651609d367b10d1b25ef4c5f2b3318

SHA1
0abcc756ea415abda969cd1e854e7e8ebeb6f2d4

SHA256
960065cc44a09bef89206d28048d3c23719d2f5e9b38cfc718ca864c9e0e91e9

SHA512
3e084452eefe14e58faa9ef0d9fda2d21af2c2ab1071ae23cde60527df8df43f701668ca0aa9d86f56630b0ab0ca8367803c968347880d674ad8217fba5d8915

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xde90bbv.default-release\personality-provider\nb_model_build_attachment_autos_and_vehicles.json
Filesize
44KB

MD5
39b73a66581c5a481a64f4dedf5b4f5c

SHA1
90e4a0883bb3f050dba2fee218450390d46f35e2

SHA256
022f9495f8867fea275ece900cfa7664c68c25073db4748343452dbc0b9eda17

SHA512
cfb697958e020282455ab7fabc6c325447db84ead0100d28b417b6a0e2455c9793fa624c23cb9b92dfea25124f59dcd1d5c1f43bf1703a0ad469106b755a7cdd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xde90bbv.default-release\personality-provider\nb_model_build_attachment_beauty_and_fitness.json
Filesize
33KB

MD5
0ed0473b23b5a9e7d1116e8d4d5ca567

SHA1
4eb5e948ac28453c4b90607e223f9e7d901301c4

SHA256
eed46e8fe6ff20f89884b4fc68a81e8d521231440301a01bb89beec8ebad296b

SHA512
464508d7992edfa0dfb61b04cfc5909b7daacf094fc81745de4d03214b207224133e48750a710979445ee1a65bb791bf240a2b935aacaf3987e5c67ff2d8ba9c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xde90bbv.default-release\personality-provider\nb_model_build_attachment_blogging_resources_and_services.json
Filesize
33KB

MD5
c82700fcfcd9b5117176362d25f3e6f6

SHA1
a7ad40b40c7e8e5e11878f4702952a4014c5d22a

SHA256
c9f2a779dba0bc886cc1255816bd776bdc2e8a6a8e0f9380495a92bb66862780

SHA512
d38e65ab55cee8fef538ad96448cd0c6b001563714fc7b37c69a424d0661ec6b7d04892cf4b76b13ddbc7d300c115e87e0134d47c3f38ef51617e5367647b217

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xde90bbv.default-release\personality-provider\nb_model_build_attachment_books_and_literature.json
Filesize
67KB

MD5
df96946198f092c029fd6880e5e6c6ec

SHA1
9aee90b66b8f9656063f9476ff7b87d2d267dcda

SHA256
df23a5b6f583ec3b4dce2aca8ff53cbdfadfd58c4b7aeb2e397eade5ff75c996

SHA512
43a9fc190f4faadef37e01fa8ad320940553b287ed44a95321997a48312142f110b29c79eed7930477bfb29777a5a9913b42bf22ce6bb3e679dda5af54a125ea

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xde90bbv.default-release\personality-provider\nb_model_build_attachment_business_and_industrial.json
Filesize
45KB

MD5
a92a0fffc831e6c20431b070a7d16d5a

SHA1
da5bbe65f10e5385cbe09db3630ae636413b4e39

SHA256
8410809ebac544389cf27a10e2cbd687b7a68753aa50a42f235ac3fc7b60ce2c

SHA512
31a8602e1972900268651cd074950d16ad989b1f15ff3ebbd8e21e0311a619eef4d7d15cdb029ea8b22cf3b8759fa95b3067b4faaadcb90456944dbc3c9806a9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xde90bbv.default-release\personality-provider\nb_model_build_attachment_computers_and_electronics.json
Filesize
45KB

MD5
6ccd943214682ac8c4ec08b7ec6dbcbd

SHA1
18417647f7c76581d79b537a70bf64f614f60fa2

SHA256
ab20b97406b0d9bf4f695e5ec7db4ebad5efb682311e74ca757d45b87ffc106b

SHA512
e57573d6f494df8aa7e8e6a20427a18f6868e19dc853b441b8506998158b23c7a4393b682c83b3513aae5075a21148dd8ca854a11dabcea6a0a0db8f2e6828b8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xde90bbv.default-release\personality-provider\nb_model_build_attachment_finance.json
Filesize
33KB

MD5
e95c2d2fc654b87e77b0a8a37aaa7fcf

SHA1
b4b00c9554839cab6a50a7ed8cd43d21fdaf35dc

SHA256
384bf5fcc6928200c7ebb1f03f99bf74f6063e78d3cd044374448f879799318e

SHA512
9696998a8d0e3a85982016ff0a22bb8ae1790410f1f6198bb379c0a192579f24c75c25c7648b76b00d25a32ac204178acaccd744ee78846dfc62ebf70bf7b93a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xde90bbv.default-release\personality-provider\nb_model_build_attachment_food_and_drink.json
Filesize
67KB

MD5
70ba02dedd216430894d29940fc627c2

SHA1
f0c9aa816c6b0e171525a984fd844d3a8cabd505

SHA256
905357002f2eced8bba1be2285a9b83198f60d2f9bb1144b5c119994f2ec6e34

SHA512
3ae60d0bf3c45d28e340d97106790787be2cc80ba579d313b5414084664b86e89879391c99e94b6e33bdc5508ea42a9fd34f48ca9b1e7adfa7b6dd22c783c263

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xde90bbv.default-release\personality-provider\nb_model_build_attachment_games.json
Filesize
44KB

MD5
4182a69a05463f9c388527a7db4201de

SHA1
5a0044aed787086c0b79ff0f51368d78c36f76bc

SHA256
35e67835a5cf82144765dfb1095ebc84ac27d08812507ad0a2d562bf68e13e85

SHA512
40023c9f89e0357fae26c33a023609de96b2a0b439318ef944d3d5b335b0877509f90505d119154eaa81e1097ecfb5aa44dd8bb595497cdecfc3ee711a1fe1d5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xde90bbv.default-release\personality-provider\nb_model_build_attachment_health.json
Filesize
33KB

MD5
11711337d2acc6c6a10e2fb79ac90187

SHA1
5583047c473c8045324519a4a432d06643de055d

SHA256
150f21c4f60856ab5e22891939d68d062542537b42a7ce1f8a8cec9300e7c565

SHA512
c2301ed72f623b22f05333c5ecc5ebf55d8a2d9593167cc453a66d8f42c05ff7c11e2709b6298912038a8ea6175f050bbc6d1fc4381f385f7ad7a952ad1e856b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xde90bbv.default-release\personality-provider\nb_model_build_attachment_hobbies_and_leisure.json
Filesize
67KB

MD5
bb45971231bd3501aba1cd07715e4c95

SHA1
ea5bfd43d60a3d30cda1a31a3a5eb8ea0afa142a

SHA256
47db7797297a2a81d28c551117e27144b58627dbac1b1d52672b630d220f025d

SHA512
74767b1badbd32cacd3f996b8172df9c43656b11fea99f5a51fff38c6c6e2120fae8bdd0dd885234a3f173334054f580164fdf8860c27cbcf5fb29c5bcdc060d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xde90bbv.default-release\personality-provider\nb_model_build_attachment_home_and_garden.json
Filesize
33KB

MD5
250acc54f92176775d6bdd8412432d9f

SHA1
a6ad9ad7519e5c299d4b4ba458742b1b4d64cb65

SHA256
19edd15ebce419b83469d2ab783c0c1377d72a186d1ff08857a82bca842eea54

SHA512
a52c81062f02c15701f13595f4476f0a07735034fcf177b1a65b001394a816020ee791fed5afae81d51de27630b34a85efa717fe80da733556fdda8739030f49

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xde90bbv.default-release\personality-provider\nb_model_build_attachment_internet_and_telecom.json
Filesize
67KB

MD5
36689de6804ca5af92224681ee9ea137

SHA1
729d590068e9c891939fc17921930630cd4938dd

SHA256
e646d43505c9c4e53dbaa474ef85d650a3f309ccf153d106f328d9b6aeb66d52

SHA512
1c4f4aa02a65a9bbdf83dc5321c24cbe49f57108881616b993e274f5705f0466be2dd3389055a725b79f3317c98bdf9f8d47f86d62ebd151e4c57cc4dca2487c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xde90bbv.default-release\personality-provider\nb_model_build_attachment_jobs_and_education.json
Filesize
33KB

MD5
2d69892acde24ad6383082243efa3d37

SHA1
d8edc1c15739e34232012bb255872991edb72bc7

SHA256
29080288b2130a67414ecb296a53ddd9f0a4771035e3c1b2112e0ce656a7481a

SHA512
da391152e1fbce1f03607b486c5dea9a298a438e58e440ebb7b871bd5c62d7339b540eed115b4001b9840de1ba3898c6504872ff9094ba4d6a47455051c3f1c5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xde90bbv.default-release\personality-provider\nb_model_build_attachment_law_and_government.json
Filesize
68KB

MD5
80c49b0f2d195f702e5707ba632ae188

SHA1
e65161da245318d1f6fdc001e8b97b4fd0bc50e7

SHA256
257ee9a218a1b7f9c1a6c890f38920eb7e731808e3d9b9fc956f8346c29a3e63

SHA512
972e95de7fe330c61cd22111bd3785999d60e7c02140809122d696a1f1f76f2cd0d63d6d92f657cdec24366d66b681e24f2735a8aabb8bcecec43c74e23fb4f5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xde90bbv.default-release\personality-provider\nb_model_build_attachment_online_communities.json
Filesize
67KB

MD5
37a74ab20e8447abd6ca918b6b39bb04

SHA1
b50986e6bb542f5eca8b805328be51eaa77e6c39

SHA256
11b6084552e2979b5bc0fd6ffdc61e445d49692c0ae8dffedc07792f8062d13f

SHA512
49c6b96655ba0b5d08425af6815f06237089ec06926f49de1f03bc11db9e579bd125f2b6f3eaf434a2ccf10b262c42af9c35ab27683e8e9f984d5b36ec8f59fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xde90bbv.default-release\personality-provider\nb_model_build_attachment_people_and_society.json
Filesize
45KB

MD5
b1bd26cf5575ebb7ca511a05ea13fbd2

SHA1
e83d7f64b2884ea73357b4a15d25902517e51da8

SHA256
4990a5d17bea15617624c48a0c7c23d16e95f15e2ec9dd1d82ee949567bbaec0

SHA512
edcede39c17b494474859bc1a9bbf18c9f6abd3f46f832086db3bb1337b01d862452d639f89f9470ca302a6fcb84a1686853ebb4b08003cb248615f0834a1e02

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xde90bbv.default-release\personality-provider\nb_model_build_attachment_pets_and_animals.json
Filesize
44KB

MD5
5b26aca80818dd92509f6a9013c4c662

SHA1
31e322209ba7cc1abd55bbb72a3c15bc2e4a895f

SHA256
dd537bfb1497eb9457c0c8ecbd2846f325e13ddef3988fd293a29e68ab0b2671

SHA512
29038f9f3b9b12259fb42daa93cdefabb9fb32a10f0d20f384a72fe97214eff1864b7fa2674c37224b71309d7d9cea4e36abd24a45a0e65f0c61dc5ca161ec7c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xde90bbv.default-release\personality-provider\nb_model_build_attachment_real_estate.json
Filesize
67KB

MD5
9899942e9cd28bcb9bf5074800eae2d0

SHA1
15e5071e5ed58001011652befc224aed06ee068f

SHA256
efcf6b2d09e89b8c449ffbcdb5354beaa7178673862ebcdd6593561f2aa7d99a

SHA512
9f7a5fbe6d46c694e8bc9b50e7843e9747ea3229cf4b00b8e95f1a5467bd095d166cbd523b3d9315c62e9603d990b8e56a018ba4a11d30ad607f5281cc42b4cd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xde90bbv.default-release\personality-provider\nb_model_build_attachment_reference.json
Filesize
56KB

MD5
567eaa19be0963b28b000826e8dd6c77

SHA1
7e4524c36113bbbafee34e38367b919964649583

SHA256
3619daa64036d1f0197cdadf7660e390d4b6e8c1b328ed3b59f828a205a6ea49

SHA512
6766919b06ca209eaed86f99bee20c6dad9cc36520fc84e1c251a668bcfe0afcf720ea6c658268dc3bbaaf602bfdf61eb237c68e08d5252ea6e5d1d2a373b9fe

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xde90bbv.default-release\personality-provider\nb_model_build_attachment_science.json
Filesize
56KB

MD5
7a8fd079bb1aeb4710a285ec909c62b9

SHA1
8429335e5866c7c21d752a11f57f76399e5634b6

SHA256
9606ce3988b2d2a4921b58ac454f54e53a9ea8f358326522a8b1dcc751b50b32

SHA512
8fc1546e509b5386c9e1088e0e3a1b81f288ef67f1989f3e83888057e23769907a2b184d624a4e4c44fcd5b88d719bd4cca94dfb33798804a721b8be022ec0c6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xde90bbv.default-release\personality-provider\nb_model_build_attachment_shopping.json
Filesize
67KB

MD5
97d4a0fd003e123df601b5fd205e97f8

SHA1
a802a515d04442b6bde60614e3d515d2983d4c00

SHA256
bfd7e68ddca6696c798412402965a0384df0c8c209931bbadabf88ccb45e3bb6

SHA512
111e8a96bc8e07be2d1480a820fc30797d861a48d80622425af00b009512aacb30a2df9052c53bfbf4ee0800b6e6f5b56daa93d33f30fecb52e2f3850dfa9130

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xde90bbv.default-release\personality-provider\nb_model_build_attachment_sports.json
Filesize
56KB

MD5
ce4e75385300f9c03fdd52420e0f822f

SHA1
85c34648c253e4c88161d09dd1e25439b763628c

SHA256
44da98b03350e91e852fe59f0fc05d752fc867a5049ab0363da8bb7b7078ad14

SHA512
d119dc4706bbf3b6369fe72553cfacf1c9b2688e0188a7524b56d3e2ac85582a18bbee66d5594e0fb40767432646c23bf3e282090bd9b4c29f989a374aeae61f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xde90bbv.default-release\personality-provider\nb_model_build_attachment_travel.json
Filesize
67KB

MD5
48139e5ba1c595568f59fe880d6e4e83

SHA1
5e9ea36b9bb109b1ecfc41356cd5c8c9398d4a78

SHA256
4336ac211a822b0a5c3ce5de0d4730665acc351ee1965ea8da1c72477e216dfa

SHA512
57e826f0e1d9b12d11b05d47e2f5ae4f5787537862f26e039918cb14faff4bc854298c0b7de3023e371756a331c0f3ee1aa7cebbbf94ec70cdfc29e00a900ed1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xde90bbv.default-release\personality-provider\recipe_attachment.json
Filesize
1KB

MD5
be3d0f91b7957bbbf8a20859fd32d417

SHA1
fbc0380fe1928d6d0c8ab8b0a793a2bba0722d10

SHA256
fc07d42847eeaf69dcbf1b9a16eb48b141c11feb67aa40724be2aee83cb621b7

SHA512
8da24afcf587fbd4f945201702168e7cfc12434440200d00f09ddcd1d1d358a5e01065ac2a411fdf96a530e94db3697e3530578b392873cf874476b5e65d774a

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize
10KB

MD5
802b0cb7e954b6927376511e29145ef8

SHA1
bb367361afa37efe6e258091472598edc97a7705

SHA256
2a7595d28199f2a7418ab38647d831822d5d0e1983f829fa60b3d617cd81fd15

SHA512
a8e0f48af2f645bf5d14b8e38e43e7daf08dacb050378a48a1b5831bceeb216cab3873c0891f30c7e951e4508151e7b1cba7c1eed6e17625d7dac41c6f40a59c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yxm00zyx.3g5.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrCAB6.tmp\AccessControl.dll
Filesize
30KB

MD5
2a323f788445af41795406ed9bac313f

SHA1
86b2bbfd2795c19bddf1d6b92710e6f1a9d044c7

SHA256
9b1bc2eb5e0af2fbe2d0f6380f7fe61666dd87c32613ea54fa03a4af3be98401

SHA512
f69bf3207bc37f4a8ecea560ca5f82e1e57eb87a45aab25d87af57f94a5cbb907e45f5d99e1bb6a0eb14aecfc7290957f61597e0b7500b41d70c1d1b96939336

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrCAB6.tmp\BgWorker.dll
Filesize
2KB

MD5
33ec04738007e665059cf40bc0f0c22b

SHA1
4196759a922e333d9b17bda5369f14c33cd5e3bc

SHA256
50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be

SHA512
2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrCAB6.tmp\SimpleSC.dll
Filesize
1.1MB

MD5
c487d2c2b0f893d6cd2f5ac4589a3480

SHA1
ad5d8f74dc98b13cb965045beea03f55ec75a557

SHA256
0ae19f11aac80c578784d345dccbe8288d5b39dcc53532498e4829e92bf3f848

SHA512
afae8ce314f92a928343247824701a1734e7c03dcb2942fd8616105185763699e0cd1e00bf57c72c80841149dd2205679941dec7b4ff660ad2dcc27447321e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrCAB6.tmp\System.dll
Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrCAB6.tmp\killer.dll
Filesize
21KB

MD5
7d432f79d4e0ac02d41ca3a04fea8767

SHA1
0ef90e92bb447ad8670385b8147695a98fdc031f

SHA256
2b4e543b07a9e74f571d50eacf6b33e44c36e428816b39e955db10d315606585

SHA512
8b86a2dd2348c59f52e3d7f3994a093d812b3137ed518ccc3c7867c1a057b383a71615113f018544d15c68a40c6226d51f210ebd924b6f67ed6dd523af95a078

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrCAB6.tmp\nsExec.dll
Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrCAB6.tmp\nsNiuniuSkin.dll
Filesize
351KB

MD5
57bd662862690992ac801df2f1108145

SHA1
148734b667d17afebaef2a156b7dd30adf7ba0ad

SHA256
3c97251c6ae11ea6c0bd216322d36d3c915da8f9cad25d089b0a8475132f9035

SHA512
29a18ca78387f6e25314c0bc1b9db2846afc0f72d4275359a0e0e1f9ca35e7ef0405ee4bfb27b891d68f9a01ca525c8970520d4bb2060b9de999cc7439c4785e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrCAB6.tmp\nsSCM.dll
Filesize
21KB

MD5
c68aca71e85b9615c16c45a3437b5558

SHA1
df730ff499aa20d2c74e2273dd13ee79e07ebf16

SHA256
00e701893af9204d3e9669539bd47fd00e954c5583492b97647eff7811d55181

SHA512
83420b444d35b7becc11cd3efcb02eb98bcc358f7649e745110e0c2ed03893414bddd1f92f600d2e00b21695d4d4388360287e92d50db2726cbd79546f61fca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrCAB6.tmp\skin.zip
Filesize
990KB

MD5
8bf3d3b283fa086f9be540ea902533f9

SHA1
8d2da8d47d9043362f23f7d6dca05c48e9a69af1

SHA256
bd7c662670615370173f323aac05bcdd1158839f8d8fdc0ad6f75c2e4043b253

SHA512
1920677b126f9313c86376d78ea45770bfe24c88d29f3d0c1c15faf904a9aca9e4665acaa41dce12ec8b2b8f05d1ad21ae347c3bea984294794cc639a526c065

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
9KB

MD5
58618db70663f7b220f2ce60ebc71e17

SHA1
5118202d9aab353730ed5e7f9e8d833756043587

SHA256
d20b8b0adedbb257b4fbf1b56200b7579bb039b23fd2bf29559062d86ffe0645

SHA512
0ce26e2caf8dc0dca3f23b3f67b9e52aa1e5c6a1ff82c9478016ed5acba4e2ca985345cb2c3ab832817d6b474528c9a1a469d4712b41ed3b046390d1fd5d552f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
15KB

MD5
e902066a15654ed6f50263035a2999d5

SHA1
d39ef8c323ad305b96f52c1fa5508ca7a5081285

SHA256
1a6b00a8874debbac55772a482543f5995f8fb50c4cfe3b7e96d90f116b8cc6e

SHA512
abcc7b3a63eaf37366f4ba07b957c22fca7de34ba3031a81135f9367784b65c406a6d48a1349dcbba636f2edb3438d79a6568db9dcf67d5ba28c0e55b1b793fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\AlternateServices.txt
Filesize
2KB

MD5
299b45e95a84e974a3852085c8831072

SHA1
9b99bd9c97aae3421337955b961761ac3be986d9

SHA256
a355cf7dc6eaedb90eba1a489ec5f54ea4f14e2db87675428f2522f260910f61

SHA512
ba1c8a6a5682c228b0e971482b3bc38e7daf02106be4d719c84f0da17b610c6951850c0e89f23d534ae24cc2778b2227ceea215b181474e9dae500afd9159e80

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\bookmarkbackups\bookmarks-2024-06-27_11_eteHAQl36i0fRaSkFH4CHg==.jsonlz4
Filesize
997B

MD5
62dd7e81b490e6695258525cf3dbe305

SHA1
65e6e5c5c281129cb513c0b485e86aeab30b0c3a

SHA256
debf1d72a005ab2a31846be0405821e24448b27225f153f4ce6450402aead699

SHA512
4533d8c373dc8e60cd0f57926c4ffa1e8ca25f1f36b8052513941eb9a5ab6d7289ccf7d99ffdbf3e03407d6ef2b8ac987c96dfaba6d2f203578a1e7f2b8afa18

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\broadcast-listeners.json
Filesize
216B

MD5
06708843dbebdfc1a9d5d344480184f5

SHA1
e2c5a3f6b5ae377fb0c11c85b8e7c8a0d732d4cd

SHA256
4666cb29a4476e349bea0260a6c4bac1592626480346402ffb90ae3002fd6b35

SHA512
c4f920cd5637cf13318bb71ac242d6c05e439f2784b27364965c00694fcd7ca9a57ac8777860ffc0b9f3b22772b2af11be2b36514d38abf5de14227f56d02f47

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\datareporting\glean\db\data.safe.bin
Filesize
182B

MD5
c58234a092f9d899f0a623e28a4ab9db

SHA1
7398261b70453661c8b84df12e2bde7cbc07474b

SHA256
eaec709a98b57cd9c054a205f9bfa76c7424db2845c077822804f31e16ac134c

SHA512
ae2724fc45a8d9d26e43d86bcc7e20f398d8ab4e251e89550087ace1311c4d2571392f2f0bed78da211fcb28766779c1853b80742faa69f722b2c44c283569fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\extensions.json
Filesize
40KB

MD5
35b8b09a20f677b11212607280a9635b

SHA1
884048129e99a6ef39d2ad8004481066c32ce9dc

SHA256
f11cc3ad7127d2295ec167ca848dd1d425256f55edf83f1f098f9d7336645847

SHA512
901d79d6b8a5cadeae816275480781db6baf24b5dd8c751cac9449257bd6ca4e7c9e97c3880d4ef21f64e60bdfa1fd58cff3bf1a114827619d0097a971fac0d7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\prefs-1.js
Filesize
8KB

MD5
e3f49688c5f722e7456e9019a8491767

SHA1
4ba207c5233943f177ca378b803a8d3da8f8cb5f

SHA256
37dba219bdfb246126680257f28b2da73b89598256411cd31d73145db56a3b07

SHA512
852b08288025694596ba72ae49dae5a7f2f876bd4c3e52be597fd9e0b15b18bc39ac4ac0c8c5be6c589b2988460815f29de1351e5e49c9a00d154e737fd1a674

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\prefs-1.js
Filesize
10KB

MD5
b25db56e60a969bd11c448dd1d584478

SHA1
190c1f00b26e3806dd3cd49994088c4ba91421a6

SHA256
15b48219b5c986dfa8939c3fe17623dca0e24e6fb81b75e9338a95d66ca81715

SHA512
d99a799342cd78e101b739dca2680b8c67d8641302526c22b8ca41504e9ec0ed24efec8acef379258725a99c46f16afdca5b251e52ce1091d11cd3c0a86adc1d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\prefs-1.js
Filesize
6KB

MD5
239ca1b5d5062137ca3746ead476610b

SHA1
d5dbfd00c16b427d706d844fb067fceaaf86143a

SHA256
f60dece8f184951b0f5ee4fef4bd099c59fbab1ddc7bfa29d82e8fd5776af9df

SHA512
28adbcaa40fe7a4ab3a3ec1107747a88ed96f5feba4405b97c7888641d1429b9a6b2a5bc6ebd9a7f6d30092d6980c965fc2c049703e0d986fc962aa926a91f5f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\prefs-1.js
Filesize
7KB

MD5
d9c4f9d33b1b862bce20c17d018e4e68

SHA1
8cb030de38e5b8b37b74ac6c4a4e38dd40aa79be

SHA256
8b2ddeb2cbe5def530b72a53f166ec7c28d28f943bb1c81a2baf22883ec5ea9f

SHA512
e2d771008b690732e2d0a8ea170ed27342f39d6f846edc0959c69ee5145b987e567f86e0eaafaa2e50b8c6f115819e75b7c52722913303ddc5e038ab66a80a7c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\sessionCheckpoints.json
Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
b7ce0b526551dcf620870014b98cc8a8

SHA1
833f95e667fb9c857631dea23555a2458bedf17d

SHA256
80c2844eed49aa920102da40b5c1a2c3c76b464a1cc397f7db2103990e6fe6ef

SHA512
a449784d49a8641c7d71a27bb1400dd17c2820483fd23084b0adfb0da9e2780de93b897722c828fa89cfc7567dfb1d7a95fc7c69fbafa847e32c54f375eff403

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
007ce11b3583e1745b9a660bcdeb08bf

SHA1
f26ab9fca288ca2efaaa25641e976309267fa07d

SHA256
0951c4f43d41d72452dd97453f3f9ed17fd35e87fd50d7d9678cb355a2e96307

SHA512
59327badc1fabbd642fe1146fbc990fc2fdda51efa59d7fb87c4673bfbe4b9c96d241e539b80a7852aa08376e2f58b74d859993b232c7f030ed96f2fb6f33b07

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
8313a19dab8c2ce74a086082b0997d56

SHA1
d6d62c6b02cfe30444c211d5c6638d9ae929f3d7

SHA256
7dd06731680bcbaca992c3e0776cc510d23b97bb566281fb37bd6a21ca9ac510

SHA512
57a8ed7a2aa9de5ddad7e927d3a185ad59a848c843a4add9763855919f69184ac895c3bc7eb07f09ed6cf78e484a5350c06784433f465cfd0117fee4f028e37e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
18eb23b29a442cb412f4ac56ca266bda

SHA1
17f92ee26d002e553248784e1795eea2dd500038

SHA256
74fd0d83fed2d91df8decf11fcea41da1e2d327301f72799e0873ea129d205d3

SHA512
9fc8ffd9ad2b98215974924158bc528566329cf95ffd0aae715b62b635f4baa0b384df65a097957c418b76a5e0deb98b884bf96d5ef0b3168b3680eb1cd11d77

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
e1268ebb62104f016a931d965b615964

SHA1
ef5066b140a6b021b3461dfc5ec9ec0e2beb0d56

SHA256
8c0d505ea43205b82b83ec8d478d13dbb79d498a256d9d533ac77506f2e128f8

SHA512
0822ef67581000eec105c92da2d6f830019bea5766e1cddaadca910d49df936851cdf65011f9ae37ade13c804bc58b1dc2c4afb37c6803a7551a9cd2d86a093b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
ad3c53f1ec765a18246835142e60daa1

SHA1
4257d9b6df39c1b6c2154a1569a5462f18a1cadc

SHA256
dcad44e6cba7be6adc6eec630ba969506a568aa43615ea63d3b581c70cedae9b

SHA512
8c2db0a64257d66eac56e0c99f170df2686626cb53af0f097a8f13db7655a6efaf0cea914613ce94cf1ecc37c1ad4482ab1f51ff9a235137a5f727ef1b10a28d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
1f8cc8386b1a2cf7c0364f252f095dfa

SHA1
fa9161244e9fdec98fd38ed022d99df97c377861

SHA256
5c851261b1337a5181adfd29ce48e97f104c010c823f1c827990610d5bb63c04

SHA512
42eca7095572e1369963816d25ffadc4bbad05138a228b5e490e974ed85e31ec507c06685513a76885993bee34f5b847dd477692f804a79320be6ff8df2e021d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
10.0MB

MD5
d7a4a56db8788c243a13170bec0f2c9f

SHA1
955d2a0426496a56d12a959563928f53f2cc9b94

SHA256
137484d27a5f368a4d53ef71755a40aebd0388f3673d71641179040a2a7cb604

SHA512
e6b4ecd408bcbfde60a4154d57840c4754ff23f075a7d9e9dc7c182b0d80d3d587774c733b5b8ec93b4b294bc706c337721c25c466826508c2fdf5361fa45d29

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\targeting.snapshot.json
Filesize
4KB

MD5
dd8d6ec5924d10b447e2a6ff432a2808

SHA1
0db8caceea4b92b860503ebe68ea771aab9d4316

SHA256
4ee88d3670f431da74341aacfceb50b098ef9c57ecba723029bbb9ba015eeb36

SHA512
26e1dbbb8ee0c9a66ea0c151b2b81ddf6705f70d53ea9f2bba044365cee3566a125dd77d2efc68a07d11a2f1e2f65a1f7de4c90c35ce4812e8f8f5453aa44763

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\xulstore.json
Filesize
141B

MD5
b847f28acdec63348ea376efd4278d02

SHA1
da4ae0ce914885ad7fe1f89aef3aa4f324747091

SHA256
7e63f727108182d4afdf0ae5131c9e0692d857b934fe8d93a7d4a8cea58fb834

SHA512
07b89826d35c5b9f056c8556ed5dd0a961f779d1aa7639321b90c56ef65bf6706a653a22f7790543b1482414069d5587c1f1c28215e92a7ffdf0fa4a55537c08

Download Submit
C:\Users\Admin\Downloads\inst.exe
Filesize
1.7MB

MD5
aad8605baccca43dbc3eb9338944d546

SHA1
c5b1be208a19154b8bf8d1d4d0d9e4ab66a09486

SHA256
7953e2ba8611e6323b96df91a87cc162b3d1933e83d745b862c8c6704bb947c9

SHA512
1e59582f095a93e2738e3149b6b2a98cbfb94f68c2c351943aac0db6d0853fa19f3e230c2f66cda13afd247c108a25c1b519e9ebd20e3403a86f94976cc05918

Download Submit
C:\Users\Admin\Downloads\inst.exe:Zone.Identifier
Filesize
261B

MD5
e64a43d06e8cc6a8fc977c87f5700d45

SHA1
32e5db35f4d090a45365933d67b9909b60d1bdc8

SHA256
3a92c89378bd5b35ae0a97f728d2efe488c7c4c9e6467c408a66312ff258d36d

SHA512
08d127066cdc86d0dd7c9e954fd75888f79162a200f52399d61fa5ac1765151082ffa566787694a06892956cdea5581f42527ac8914d424792903ba6c76c197e

Download Submit
C:\Users\Admin\Downloads\inst.i1R5AjIy.exe.part
Filesize
24KB

MD5
5574290bd35e2c7ee551485c320bf864

SHA1
e9a4a6be5826ab0faaf6ae03adbf5acc6f37c056

SHA256
837b20f10c0605868689d4b7de146746794a9c144cee2fbda4c988cb766c8a73

SHA512
c583324b66db679fb8ff618ed81c48c55ac5b154d50e3b0032e0d31cc010a16230f3b7794d6ecb4d93f19f057ac2ccc27636bb8be7444b2c098a44144db8f898

Download Submit
C:\Windows\Temp\SDIAG_b313bab6-c25a-4d4d-9e15-61b6c2cb0852\DiagPackage.dll
Filesize
488KB

MD5
ec287e627bf07521b8b443e5d7836c92

SHA1
02595dde2bd98326d8608ee3ddabc481ddc39c3d

SHA256
35fa9f66ed386ee70cb28ec6e03a3b4848e3ae11c8375ba3b17b26d35bd5f694

SHA512
8465ae3ca6a4355888eecedda59d83806faf2682431f571185c31fb8a745f2ef4b26479f07aaf2693cd83f2d0526a1897a11c90a1f484a72f1e5965b72de9903

Download Submit
C:\Windows\Temp\SDIAG_b313bab6-c25a-4d4d-9e15-61b6c2cb0852\en-US\DiagPackage.dll.mui
Filesize
17KB

MD5
44b3399345bc836153df1024fa0a81e1

SHA1
ce979bfdc914c284a9a15c4d0f9f18db4d984cdd

SHA256
502abf2efedb7f76147a95dc0755723a070cdc3b2381f1860313fd5f01c4fb4d

SHA512
a49ba1a579eedca2356f8a4df94b1c273e483ceace93c617cddee77f66e90682836c77cea58047320b2c2f1d0e23ee7efa3d8af71e8ee864faef7e68f233bec4

Download Submit
C:\Windows\Temp\SDIAG_b313bab6-c25a-4d4d-9e15-61b6c2cb0852\result\E917290A-74C6-4A46-8933-DB3BFDC08E2E.Diagnose.Admin.0.etl
Filesize
192KB

MD5
19b12e913230169a2e6e663c44d63ec0

SHA1
aac1897f8fc4581827d569cbf2535816b1042cdf

SHA256
788e8fb04e47cd8d313b95d59a36f077f06141ce1577e06e98ce3c48e39b9697

SHA512
352e6d124df63efbdfab205953dc993329b54d1c4d80bedd740ee4bc1a5cb96cae30140f3f9957dfadae789a8cecc4d6662bf57f46b9efcfe6560a3614dc98d9

Download Submit
C:\Windows\Temp\SDIAG_b313bab6-c25a-4d4d-9e15-61b6c2cb0852\result\NetworkConfiguration.cab
Filesize
1KB

MD5
912972da9f93eae5be6ce68a96bc22f4

SHA1
c994ccbe80386aae3a016bba7fdc5ce18499d54a

SHA256
09fea984fc6ac2e158e16aaff9f93681bc0e24ebdf36e60e8392b714add5d396

SHA512
37f5239f19103f53d1dab7869f0c255ed1c784c1adb41e8653933b623d539a7085ca218106b502acda5b918f177bb9003bc91dbe98f31e50f64da2c09a076b83

Download Submit
\??\pipe\LOCAL\crashpad_5772_NHNIUNQVHYPNOSSY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1884-2616-0x0000000000AF0000-0x0000000000F34000-memory.dmp

Filesize
4.3MB

Download
memory/1884-2665-0x0000000000AF0000-0x0000000000F34000-memory.dmp

Filesize
4.3MB

Download
memory/1884-2607-0x0000000000AF0000-0x0000000000F34000-memory.dmp

Filesize
4.3MB

Download
memory/3188-4021-0x000001DE1E550000-0x000001DE1E572000-memory.dmp

Filesize
136KB

Download
memory/3712-2681-0x0000000004870000-0x000000000498C000-memory.dmp

Filesize
1.1MB

Download
memory/3712-2638-0x00000000730D0000-0x00000000731DD000-memory.dmp

Filesize
1.1MB

Download
memory/3712-2897-0x00000000730D0000-0x00000000731DD000-memory.dmp

Filesize
1.1MB

Download
memory/3712-2704-0x0000000002F50000-0x000000000306C000-memory.dmp

Filesize
1.1MB

Download
memory/3712-2724-0x0000000002F60000-0x000000000307C000-memory.dmp

Filesize
1.1MB

Download
memory/6172-4201-0x0000013664F70000-0x0000013664F71000-memory.dmp

Filesize
4KB

Download
memory/6172-4192-0x000001366A140000-0x000001366A141000-memory.dmp

Filesize
4KB

Download
memory/6172-4193-0x000001366A130000-0x000001366A131000-memory.dmp

Filesize
4KB

Download
memory/6172-4195-0x000001366A030000-0x000001366A031000-memory.dmp

Filesize
4KB

Download
memory/6172-4196-0x000001366A020000-0x000001366A021000-memory.dmp

Filesize
4KB

Download
memory/6172-4034-0x000001366A020000-0x000001366A021000-memory.dmp

Filesize
4KB

Download
memory/6172-4026-0x0000013664B20000-0x0000013664B30000-memory.dmp

Filesize
64KB

Download
memory/6172-4030-0x0000013664B60000-0x0000013664B70000-memory.dmp

Filesize
64KB

Download
memory/6172-4198-0x000001366A020000-0x000001366A021000-memory.dmp

Filesize
4KB

Download